Update win_susp_sam_dump.yml

2020-10-15 15:53:26 -03:00
parent 754e67c0d9
commit 600c7057b1
1 changed files with 2 additions and 2 deletions
@@ -15,8 +15,8 @@ logsource:
 detection:
    selection:
        EventID: 16
-        Message:
-            - '*\AppData\Local\Temp\SAM-*.dmp *'
+        Message|contains:
+            - '\AppData\Local\Temp\SAM-*.dmp'
    condition: selection
 falsepositives:
    - Penetration testing