From 493fa3d5ee4116a3c017bd08741d8318ec409fd6 Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Fri, 20 Nov 2020 02:02:26 -0300
Subject: [PATCH] Update sysmon_susp_mic_cam_access.yml

---
 .../windows/registry_event/sysmon_susp_mic_cam_access.yml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/rules/windows/registry_event/sysmon_susp_mic_cam_access.yml b/rules/windows/registry_event/sysmon_susp_mic_cam_access.yml
index 66d0e60a1..8d9c31d21 100644
--- a/rules/windows/registry_event/sysmon_susp_mic_cam_access.yml
+++ b/rules/windows/registry_event/sysmon_susp_mic_cam_access.yml
@@ -14,8 +14,9 @@ logsource:
 product: windows
 detection:
 selection_1:
- TargetObject|contains:
- - \Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\\*\NonPackaged
+ TargetObject|contains|all:
+ - '\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\'
+ - '\NonPackaged'
 selection_2:
 TargetObject|contains:
 - microphone
@@ -31,4 +32,4 @@ detection:
 condition: all of selection_*
 falsepositives:
 - Unlikely, there could be conferencing software running from a Temp folder accessing the devices
-level: high
\ No newline at end of file
+level: high
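Review bot: Replacing the single `ConsentStore\\*\NonPackaged` pattern with `contains|all` in selection_1 drops the ordering the wildcard enforced, so any TargetObject that carries both fragments now matches regardless of where `\NonPackaged` sits; on the Windows registry layout I know of, `NonPackaged` appears only directly under `ConsentStore\<capability>\`, so the widening looks harmless, but the reason for abandoning the wildcard form (presumably backend portability of `\\*` escaping) deserves a one-line comment on the rule or in the commit message, which currently says only "Update". The trailing backslash in the single-quoted `'...\ConsentStore\'` value is correct YAML, since single-quoted scalars do not process escapes, but a maintainer may be tempted to "fix" it, so a short `# trailing backslash is intentional` note next to it would help. Neither hunk touches the rule header, so if the rule carries a `modified:` field it should be bumped alongside this logic change; selection_2 continues past the end of the first hunk, so I could not confirm the other device keyword it lists. The second hunk only restores the missing trailing newline after `level: high`.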