Update sysmon_suspicious_outbound_kerberos_connection.yml

rules/windows/sysmon/sysmon_suspicious_outbound_kerberos_connection.yml

@@ -5,6 +5,7 @@ references:
     - https://github.com/GhostPack/Rubeus8
 author: Ilyas Ochkov, oscd.community
 date: 2019/10/24
+modified: 2019/11/13
 tags:
     - attack.lateral_movement
     - attack.t1208
@@ -17,11 +18,11 @@ detection:
         DestinationPort: 88
         Initiated: 'true'
     filter:
-        Image:
-            - '*\lsass.exe'
-            - '*\opera.exe'
-            - '*\chrome.exe'
-            - '*\firefox.exe'
+        Image|endswith:
+            - '\lsass.exe'
+            - '\opera.exe'
+            - '\chrome.exe'
+            - '\firefox.exe'
     condition: selection and not filter 
 falsepositives:
     - Other browsers