fix: bugfix in BEAR activity rule

2024-11-06 17:35:19 +00:00 · 2019-02-24 14:04:24 +01:00 · 2019-02-24 14:04:24 +01:00 · a60b53a7df
commit a60b53a7df
parent 8b7f0508a7
1 changed files with 2 additions and 2 deletions
--- a/rules/apt/apt_bear_activity_gtr19.yml
+++ b/rules/apt/apt_bear_activity_gtr19.yml
@ -28,7 +28,7 @@ detection:
    selection2:
        EventID: 1
        Image: '*\adexplorer.exe'
-        CommandLine: '* -snapshot "" c:\users\*'
+        CommandLine: '* -snapshot "" c:\users\\*'
 ---
 logsource:
    product: windows
@ -41,4 +41,4 @@ detection:
    selection2:
        EventID: 4688
        NewProcessName: '*\adexplorer.exe'
-        ProcessCommandLine: '* -snapshot "" c:\users\*'
+        ProcessCommandLine: '* -snapshot "" c:\users\\*'