From 865d97170490951868872e41e6724715cdaa8957 Mon Sep 17 00:00:00 2001
From: Karneades
Date: Wed, 3 Apr 2019 16:16:18 +0200
Subject: [PATCH] Remove backslashes in CommandLine for sticky key rule

Example command line is exactly "cmd.exe sethc.exe 211". => the detection with *\cmd.exe... would not match.
---
 .../sysmon/sysmon_stickykey_like_backdoor.yml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/rules/windows/sysmon/sysmon_stickykey_like_backdoor.yml b/rules/windows/sysmon/sysmon_stickykey_like_backdoor.yml
index 2fa240596..0bff21843 100644
--- a/rules/windows/sysmon/sysmon_stickykey_like_backdoor.yml
+++ b/rules/windows/sysmon/sysmon_stickykey_like_backdoor.yml
@@ -39,9 +39,9 @@ detection:
 ParentImage:
 - '*\winlogon.exe'
 CommandLine:
- - '*\cmd.exe sethc.exe *'
- - '*\cmd.exe utilman.exe *'
- - '*\cmd.exe osk.exe *'
- - '*\cmd.exe Magnify.exe *'
- - '*\cmd.exe Narrator.exe *'
- - '*\cmd.exe DisplaySwitch.exe *'
+ - '*cmd.exe sethc.exe *'
+ - '*cmd.exe utilman.exe *'
+ - '*cmd.exe osk.exe *'
+ - '*cmd.exe Magnify.exe *'
+ - '*cmd.exe Narrator.exe *'
+ - '*cmd.exe DisplaySwitch.exe *'
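Review bot: The reason the six new CommandLine patterns deliberately have no path separator before `cmd.exe` lives only in this commit message, so the rule itself should carry it before someone "corrects" the patterns back to `*\cmd.exe ...`; add above the `CommandLine:` key a comment such as `# No leading backslash on purpose: the observed command line is exactly "cmd.exe sethc.exe 211", i.e. cmd.exe appears without a path.` Dropping the backslash widens each pattern to any command line containing `cmd.exe <accessibility binary> `, but the `ParentImage: '*\winlogon.exe'` condition in the same selection keeps the rule narrow, which is worth stating in the same comment. Note that the trailing ` *` still requires at least one character after the accessibility binary name; that is consistent with the `211` argument in the cited example, but a launch without any argument would presumably not match — confirm against observed telemetry if that case matters. The enclosing `detection:` selection starts before this hunk.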