From 1fe7f55d4785a407ba7d2efe5e2c4fb886c2bbb5 Mon Sep 17 00:00:00 2001
From: yugoslavskiy
Date: Thu, 14 Nov 2019 00:10:05 +0300
Subject: [PATCH] Update sysmon_suspicious_outbound_kerberos_connection.yml

---
 ...sysmon_suspicious_outbound_kerberos_connection.yml | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/rules/windows/sysmon/sysmon_suspicious_outbound_kerberos_connection.yml b/rules/windows/sysmon/sysmon_suspicious_outbound_kerberos_connection.yml
index 2bc9e19f9..8daac1661 100644
--- a/rules/windows/sysmon/sysmon_suspicious_outbound_kerberos_connection.yml
+++ b/rules/windows/sysmon/sysmon_suspicious_outbound_kerberos_connection.yml
@@ -5,6 +5,7 @@ references:
     - https://github.com/GhostPack/Rubeus8
 author: Ilyas Ochkov, oscd.community
 date: 2019/10/24
+modified: 2019/11/13
 tags:
     - attack.lateral_movement
     - attack.t1208
@@ -17,11 +18,11 @@ detection:
         DestinationPort: 88
         Initiated: 'true'
     filter:
-        Image:
-            - '*\lsass.exe'
-            - '*\opera.exe'
-            - '*\chrome.exe'
-            - '*\firefox.exe'
+        Image|endswith:
+            - '\lsass.exe'
+            - '\opera.exe'
+            - '\chrome.exe'
+            - '\firefox.exe'
     condition: selection and not filter
 falsepositives:
     - Other browsers
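Review bot: The new `Image|endswith` filter in the second hunk excludes any process whose image path ends in `\lsass.exe`, regardless of directory, and for lsass that is looser than it needs to be because the legitimate binary only runs from the system directory. Tightening that one entry to `- '\Windows\System32\lsass.exe'` keeps the intended exclusion while the browser entries, which are genuinely installed in several locations, can stay basename-only. The `endswith` modifier is semantically the same as the previous `'*\...'` wildcards, so no other behaviour changes here. The `selection` block that pairs with this filter starts above the hunk and is not visible in this patch.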