From 3bfa9ed121aa367e0d4cb2e17e6c5d208b3e591b Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Tue, 21 Mar 2017 10:44:53 +0100
Subject: [PATCH] Bugfix: Minor fix cause Sysmon uses SID as Software key
---
 rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml b/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml
index c864f4381..85d50ff89 100644
--- a/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml
+++ b/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml
@@ -9,8 +9,9 @@ logsource:
 detection:
 selection:
 EventID: 13
- TargetObject: 'HKEY_USERS\Software\Classes\exefile\shell\runas\command\isolatedCommand'
+ TargetObject: 'HKEY_USERS\*\Classes\exefile\shell\runas\command\isolatedCommand'
 condition: selection
 falsepositives:
 - unknown
 level: high
+
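Review bot: The new TargetObject value still anchors on a literal `HKEY_USERS\` root and a `\Classes` path segment, so whether the selection fires depends on how Sysmon actually renders the per-user hive in Event ID 13 and on the backend's `*` spanning the `<SID>\Software` part including its backslash; if the root is logged as `HKU\` or the user class hive as `<SID>_Classes\exefile\...`, this pattern would still miss the event even though the SID is now wildcarded. Rather than inferring the prefix from the commit message, confirm the exact TargetObject string from a captured Sysmon registry event, and consider matching only the distinctive key tail, `TargetObject: '*\exefile\shell\runas\command\isolatedCommand'`, which is independent of the hive rendering and still specific to the sdclt runas handler. The trailing `+` also appends a blank line at the end of the file, which is unrelated to the fix and could be dropped.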