From 6585c83077f8b9cd41a589bdc92cc6f14de58ecf Mon Sep 17 00:00:00 2001
From: Codehardt <marcel.gebhardt@bsk-consulting.de>
Date: Fri, 10 May 2019 10:13:35 +0200
Subject: [PATCH] fix: fixed reference list, otherwise it's not valid string
 list

---
 .../win_office_spawn_exe_from_users_directory.yml               | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml b/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml
index e5291bd86..cee32a74a 100644
--- a/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml
+++ b/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml
@@ -2,7 +2,7 @@ title: MS Office Product Spawning Exe in User Dir
 status: experimental
 description: Detects an executable in the users directory started from Microsoft Word, Excel, Powerpoint, Publisher or Visio
 references:
-    - sha256: 23160972c6ae07f740800fa28e421a81d7c0ca5d5cab95bc082b4a986fbac57c
+    - sha256=23160972c6ae07f740800fa28e421a81d7c0ca5d5cab95bc082b4a986fbac57c
     - https://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign 
 tags:
     - attack.execution