From 4b64fc17047883e8a3e2193ab0e893f78f716769 Mon Sep 17 00:00:00 2001
From: juju4
Date: Sun, 29 Oct 2017 14:42:40 -0400
Subject: [PATCH] double quotes = escape
---
 rules/windows/builtin/win_susp_run_locations.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/builtin/win_susp_run_locations.yml b/rules/windows/builtin/win_susp_run_locations.yml
index 3c702a7b1..9705c80ab 100644
--- a/rules/windows/builtin/win_susp_run_locations.yml
+++ b/rules/windows/builtin/win_susp_run_locations.yml
@@ -15,7 +15,7 @@ detection:
 - "*:\\RECYCLER\\*"
 - "*:\\SystemVolumeInformation\\*"
 - "%windir%\\Tasks\\*"
- - "%systemroot%\debug\\*"
+ - "%systemroot%\\debug\\*"
 condition: selection
 falsepositives:
 - False positives depend on scripts and administrative tools used in the monitored environment
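Review bot: The corrected entry `"%systemroot%\\debug\\*"` now parses, but it still matches on the literal text `%systemroot%`, and the same applies to the context line `"%windir%\\Tasks\\*"`. Windows event logs normally record the resolved path (for example a drive letter followed by `\Windows\`), so if the selection compares these values against a logged image path, the entry would probably never fire and the rule would miss execution from that directory. The selection's field name is above the hunk, so confirm which field is compared. If it is a logged path, add a resolved form in the drive-wildcard style of the neighbouring entries, e.g. `- "*:\\Windows\\debug\\*"`, which assumes the default install directory. A short comment above the list saying whether the patterns are meant to match expanded or unexpanded paths would keep later additions consistent.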