From 4c5d48942801f95b347a4060fab94ba416d66d98 Mon Sep 17 00:00:00 2001
From: Antonlovesdnb
Date: Tue, 25 Feb 2020 09:23:52 -0500
Subject: [PATCH] Update sysmon_susp_office_kerberos_dll_load.yml
---
.../sysmon/sysmon_susp_office_kerberos_dll_load.yml | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/rules/windows/sysmon/sysmon_susp_office_kerberos_dll_load.yml b/rules/windows/sysmon/sysmon_susp_office_kerberos_dll_load.yml
index e9a29a9b..1cd4628b 100644
--- a/rules/windows/sysmon/sysmon_susp_office_kerberos_dll_load.yml
+++ b/rules/windows/sysmon/sysmon_susp_office_kerberos_dll_load.yml
@@ -16,12 +16,12 @@ detection:
 selection:
 EventID: 7
 Image:
- - '*\winword.exe'
- - '*\powerpnt.exe'
- - '*\excel.exe'
- - '*\outlook.exe'
+ - '*\winword.exe*'
+ - '*\powerpnt.exe*'
+ - '*\excel.exe*'
+ - '*\outlook.exe*'
 ImageLoaded:
- - '*kerberos.dll*'
+ - '*\kerberos.dll*'
 condition: selection
 falsepositives:
 - Alerts on legitimate macro usage as well, will need to filter as appropriate
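Review bot: The trailing `*` added to each Image value (`'*\winword.exe*'` and the three below it) widens the match from a process path that ends in the executable name to any path that merely contains `\winword.exe`, and neither the commit message nor the rule says why that is wanted. Sigma backends generally match these values case-insensitively already, so if the wildcard is meant to tolerate a case or trailing-data quirk in a specific log pipeline, state that in the rule's description; otherwise `'*\winword.exe'` (and likewise for the other three) is the precise form and avoids matching unrelated paths that happen to contain the name. The same applies to the new `'*\kerberos.dll*'` line, which keeps a trailing wildcard that also accepts names such as `kerberos.dll.<suffix>`; if only the real module load is intended, `'*\kerberos.dll'` is tighter. The leading `\` added on that line is a good tightening, since the old `'*kerberos.dll*'` also matched any module whose name merely ended in those characters.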