From e05823d6523f45d5909675f9156ed68bc3f0f182 Mon Sep 17 00:00:00 2001
From: rabbitstack
Date: Sun, 6 Oct 2024 13:32:42 +0200
Subject: [PATCH] chore(rules): Replace deprecated filter field

Leftovers from previous migration of the deprecated pe.ps.child.file.name filter field.
---
 ...ntial_access_credential_access_from_backups_via_rundll32.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/credential_access_credential_access_from_backups_via_rundll32.yml b/rules/credential_access_credential_access_from_backups_via_rundll32.yml
index d35e98b59..d8a9301aa 100644
--- a/rules/credential_access_credential_access_from_backups_via_rundll32.yml
+++ b/rules/credential_access_credential_access_from_backups_via_rundll32.yml
@@ -17,7 +17,7 @@ labels:
 condition: > spawn_process and
- (ps.child.name ~= 'rundll32.exe' or pe.ps.child.file.name ~= 'rundll32.exe')
+ (ps.child.name ~= 'rundll32.exe' or ps.child.pe.file.name ~= 'rundll32.exe')
 and (ps.child.args iin ('keymgr.dll') and ps.child.args iin ('KRShowKeyMgr'))
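Review bot: The unchanged tail of the condition, `ps.child.args iin ('keymgr.dll') and ps.child.args iin ('KRShowKeyMgr')`, tests membership of two separate tokens, yet the usual invocation is `rundll32.exe keymgr.dll,KRShowKeyMgr`, where both names sit in one argument; if the engine splits arguments on whitespace, that single `keymgr.dll,KRShowKeyMgr` token would match neither and the rule would never fire, so this should be confirmed against the engine's argument tokenization (or, if the engine supports it, matched on the command line instead, e.g. `(ps.child.cmdline icontains 'keymgr.dll' and ps.child.cmdline icontains 'KRShowKeyMgr')`). The renamed field on the `+` line itself looks right for a migration from `pe.ps.child.file.name` to `ps.child.pe.file.name`, and keeping the PE original-filename check alongside `ps.child.name` is what catches a renamed rundll32 binary. Since the description calls this a leftover, it is worth a `grep -rn 'pe\.ps\.' rules/` to confirm no other rule still references the deprecated prefix, as a rule with an unrecognised field presumably fails to load rather than silently missing events.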