Merge pull request #1611 from SigmaHQ/rule-devel

fix: escape character that would be interpreted as wildcard
2024-11-08 10:13:57 +00:00 · 2021-07-02 23:51:49 +02:00 · 2021-07-02 23:51:49 +02:00 · 691cf066b9
commit 691cf066b9
parent dcda583810 e25a9cd3b8
1 changed files with 1 additions and 1 deletions
--- a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_Security.yml
+++ b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_Security.yml
@ -17,7 +17,7 @@ logsource:
 detection:
    selection:
        EventID: '5145'
-        ShareName: '\\*\IPC$'
+        ShareName: '\\\*\IPC$'
        RelativeTargetName: 'spoolss'
        AccessMask: '0x3'
        ObjectType: 'File'