Improve detection logic

rules/windows/builtin/win_susp_net_recon_activity.yml

@@ -4,7 +4,7 @@ status: experimental
 description: Detects activity as "net user administrator /domain" and "net group domain admins /domain"
 references:
     - https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html
-author: Florian Roth (rule), Jack Croock (method)
+author: Florian Roth (rule), Jack Croock (method), Jonhnathan Ribeiro, oscd.community
 date: 2017/03/07
 modified: 2020/08/23
 tags:
@@ -22,13 +22,13 @@ detection:
     selection:
         - EventID: 4661
           ObjectType: 'SAM_USER'
-          ObjectName: 'S-1-5-21-*-500'
+          ObjectName|startswith: 'S-1-5-21-'
           AccessMask: '0x2d'
-        - EventID: 4661
-          ObjectType: 'SAM_GROUP'
-          ObjectName: 'S-1-5-21-*-512'
-          AccessMask: '0x2d'
-    condition: selection
+    selection2:
+          ObjectName|endswith: 
+            - '-500'
+            - '-512'
+    condition: selection and selection2
 falsepositives:
     - Administrator activity
     - Penetration tests