Update sysmon_logon_scripts_userinitmprlogonscript_reg.yml

2020-10-15 20:04:05 -03:00
parent 143e6512ad
commit 51eefbae0c
1 changed files with 2 additions and 2 deletions
@@ -17,9 +17,9 @@ logsource:
    product: windows
 detection:
    create_keywords_reg:
-        TargetObject: '*UserInitMprLogonScript*'
+        TargetObject|contains: 'UserInitMprLogonScript'
    condition: create_keywords_reg
 falsepositives:
    - exclude legitimate logon scripts
    - penetration tests, red teaming
-level: high
+level: high