From 5790cc2ea71ff665e578fe5342ec5ecd051832a2 Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Thu, 15 Oct 2020 16:01:46 -0300
Subject: [PATCH] Update sysmon_susp_adsi_cache_usage.yml

---
 rules/windows/file_event/sysmon_susp_adsi_cache_usage.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/file_event/sysmon_susp_adsi_cache_usage.yml b/rules/windows/file_event/sysmon_susp_adsi_cache_usage.yml
index 204bb61c0..2b8ae5871 100755
--- a/rules/windows/file_event/sysmon_susp_adsi_cache_usage.yml
+++ b/rules/windows/file_event/sysmon_susp_adsi_cache_usage.yml
@@ -18,7 +18,7 @@ logsource:
     category: file_event
 detection:
     selection_1:
-        TargetFilename: '*\Local\Microsoft\Windows\SchCache\\*.sch'
+        TargetFilename|endswith: '\Local\Microsoft\Windows\SchCache\\*.sch'
     selection_2:
         Image:
             - 'C:\windows\system32\svchost.exe'
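Review bot: The new `TargetFilename|endswith` value still carries an inner `*` wildcard (`SchCache\\*.sch`), so the modifier does not reduce the match to a plain suffix; backends that translate `endswith` into a native suffix comparison rather than a glob may then treat the `*` literally and the rule would silently stop matching, which is worth checking against the backends this rule is converted for. A portable form that keeps the same intent is two modifiers on the field, ANDed within the selection: `TargetFilename|contains: '\Local\Microsoft\Windows\SchCache\'` and `TargetFilename|endswith: '.sch'`. The mixed escaping in the value (single `\` elsewhere, `\\` before the wildcard) appears to follow Sigma's rule that `\\*` means a literal backslash followed by a wildcard, but a one-line comment above the key stating that would save the next reader from reading it as a double backslash in the path. The rest of the `detection` mapping (the `condition`) lies outside the hunk.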