From 1775db7fe80feae8895dd01b5c93232bb12bc52d Mon Sep 17 00:00:00 2001
From: frack113
Date: Thu, 21 Oct 2021 09:58:32 +0200
Subject: [PATCH] fix cast
---
 .../process_access/sysmon_in_memory_assembly_execution.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml b/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml
index 02285b7d1..8455bfee9 100755
--- a/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml
+++ b/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml
@@ -23,8 +23,8 @@ logsource:
 detection:
 selection1:
 CallTrace|contains|all:
- - 'C:\Windows\SYSTEM32\ntdll.dll+'
- - '|C:\Windows\System32\KERNELBASE.dll+'
+ - 'C:\WINDOWS\SYSTEM32\ntdll.dll+'
+ - '|C:\WINDOWS\System32\KERNELBASE.dll+'
 - '|UNKNOWN('
 - ')'
 selection2:
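Review bot: The two `CallTrace` fragments in `selection1` are still pinned to a single path casing: the commit swaps `C:\Windows\` for `C:\WINDOWS\` rather than covering both. On a backend that compares strings case-sensitively (presumably the reason the change was needed), hosts whose Sysmon events record `C:\Windows\SYSTEM32\ntdll.dll+` would no longer match, which opens a detection gap. Either cover both casings or state the assumption next to the values, for example `# CallTrace path casing varies by host; this rule relies on case-insensitive matching in the backend`. The mixed `SYSTEM32`/`System32` spelling across the two lines carries the same exposure. The rest of the `detection` block (`selection2` onward and the condition) lies outside the hunk, so how `selection1` is combined cannot be checked from here.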