From 44652c4ffd63a0f8ca07124cc95d9e3b23f72a3c Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Thu, 19 Nov 2020 23:08:40 -0300
Subject: [PATCH] Remove additional backslash
---
 .../image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml b/rules/windows/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml
index 7e70aed3b..c9d881196 100755
--- a/rules/windows/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml
+++ b/rules/windows/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml
@@ -22,7 +22,7 @@ detection:
 - '\excel.exe'
 - '\outlook.exe'
 ImageLoaded|startswith:
- - 'C:\Windows\assembly\\'
+ - 'C:\Windows\assembly\'
 condition: selection
 falsepositives:
 - Alerts on legitimate macro usage as well, will need to filter as appropriate
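Review bot: The `ImageLoaded|startswith` value still hard-codes the `C:` drive, so a host whose Windows directory sits on another volume would produce no match for this selection. Consider a drive-independent form such as `ImageLoaded|contains: ':\Windows\assembly\'`, or state the assumption in a comment like `# assumes the Windows directory is C:\Windows`. The trailing backslash is only safe because the scalar is single-quoted, which keeps backslashes literal in YAML, so a short comment saying the quotes must stay single would help the next editor. The selection block starts above the hunk, so its `Image` list is only partly visible here. The visible `condition: selection` has no filter term even though the false-positive text says filtering will be needed.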