chore(rules): Replace deprecated filter field

Leftovers from previous migration of the deprecated pe.ps.child.file.name filter field.
rabbitstack · Oct 11, 2024 · e05823d · e05823d
1 parent 06c0f66
commit e05823d
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/rules/credential_access_credential_access_from_backups_via_rundll32.yml b/rules/credential_access_credential_access_from_backups_via_rundll32.yml
@@ -17,7 +17,7 @@ labels:
 condition: >
   spawn_process
     and
-  (ps.child.name ~= 'rundll32.exe' or pe.ps.child.file.name ~= 'rundll32.exe')
+  (ps.child.name ~= 'rundll32.exe' or ps.child.pe.file.name ~= 'rundll32.exe')
     and
   (ps.child.args iin ('keymgr.dll') and ps.child.args iin ('KRShowKeyMgr'))