From 4f866f8da3fdff9ff7aa50930fbc9d86591a123c Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Wed, 15 Dec 2021 10:04:37 +0100
Subject: [PATCH] fix detection
---
 .../system/win_vul_cve_2021_42278_or_cve_2021_42287.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/rules/windows/builtin/system/win_vul_cve_2021_42278_or_cve_2021_42287.yml b/rules/windows/builtin/system/win_vul_cve_2021_42278_or_cve_2021_42287.yml
index 1c27d1cd9..cef7ef843 100644
--- a/rules/windows/builtin/system/win_vul_cve_2021_42278_or_cve_2021_42287.yml
+++ b/rules/windows/builtin/system/win_vul_cve_2021_42278_or_cve_2021_42287.yml
@@ -13,16 +13,19 @@ logsource:
 product: windows
 service: system
 detection:
- selection:
+ selection_1:
 Provider_Name: Microsoft-Windows-Kerberos-Key-Distribution-Center # Active Directory
 EventID:
 - 35
 - 36
 - 37
 - 38
+ selection_2:
+ Provider_Name: Microsoft-Windows-Directory-Services-SAM # Active Directory
+ EventID:
 - 16990
 - 16991
- condition: selection
+ condition: selection_1 or selection_2
 fields:
 - samAccountName
 falsepositives:
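Review bot: The new selection names `selection_1` / `selection_2` say nothing about what each block matches, although the provider is the only thing that distinguishes them; naming them after the source keeps the condition self-explanatory: `selection_kdc:` for the Kerberos-Key-Distribution-Center block, `selection_sam:` for the Directory-Services-SAM block, and `condition: selection_kdc or selection_sam`. Both `# Active Directory` inline comments are identical and so add nothing per block; replacing the second with `# SAM account-name validation events; presumably only logged by DCs with the corresponding update installed — confirm against vendor guidance` would tell an analyst why a DC may never emit 16990/16991. The rule's `description` and `references` fields sit outside the hunk and should state the same prerequisite if it is confirmed.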