From c20a6daa73f76047910d3ee36b507187acaffe13 Mon Sep 17 00:00:00 2001 From: Tim Shelton Date: Mon, 29 Nov 2021 19:59:26 +0000 Subject: [PATCH] adding wildcard to netlogon to be a bit more inclusive. --- .../sysmon_logon_scripts_userinitmprlogonscript_proc.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml b/rules/windows/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml index 5b5e197b5..b78fef5f9 100644 --- a/rules/windows/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml +++ b/rules/windows/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml @@ -6,7 +6,7 @@ author: Tom Ueltschi (@c_APT_ure) references: - https://attack.mitre.org/techniques/T1037/ date: 2019/01/12 -modified: 2021/11/27 +modified: 2021/11/29 logsource: category: process_creation product: windows @@ -17,7 +17,7 @@ detection: Image|endswith: '\explorer.exe' exec_exclusion2: CommandLine|contains: - - 'netlogon.bat' + - 'netlogon*.bat' - 'UsrLogon.cmd' create_keywords_cli: CommandLine|contains: 'UserInitMprLogonScript'
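Review bot: The widened value `'netlogon*.bat'` under `exec_exclusion2` is a filter, so every additional match is a way for an explorer.exe-spawned script to stay out of the alert: under Sigma's wildcard handling inside `contains` (assuming the backend honors an embedded `*`) it matches any command line that has `netlogon` followed anywhere later by `.bat`, e.g. `netlogon_patch.bat` or `foo.exe /netlogon evil.bat`, whereas the old `netlogon.bat` at least required the exact file name. Consider anchoring the pattern to how legitimate logon scripts actually appear rather than a bare substring glob — e.g. a leading separator `'\netlogon'`, or if these scripts are served from the domain NETLOGON share, the share path `'\netlogon\'` (confirm against the environments this rule is tuned for). A comment on the exclusion would also record the intent, e.g. `# wildcard: allow site-specific variants (netlogon_<site>.bat); keep anchored so arbitrary *netlogon*.bat command lines are not silently excluded`. The `detection:` block starts above this hunk, so its other selections and the `condition` are not visible here.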