From 97f4b8a1e944260cb1bf47729dd5bd75bb4f2423 Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Thu, 10 Feb 2022 16:16:42 +0100
Subject: [PATCH] fix: mandatory escaping of \*
---
rules/windows/image_load/sysmon_uipromptforcreds_dlls.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/image_load/sysmon_uipromptforcreds_dlls.yml b/rules/windows/image_load/sysmon_uipromptforcreds_dlls.yml
index 7a4e2b514..e476b03c3 100644
--- a/rules/windows/image_load/sysmon_uipromptforcreds_dlls.yml
+++ b/rules/windows/image_load/sysmon_uipromptforcreds_dlls.yml
@@ -32,8 +32,8 @@ detection:
 - 'C:\Users\\*\AppData\Local\Microsoft\OneDrive\\*\Microsoft.SharePoint.exe'
 - 'C:\Program Files (x86)\'
 - 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe'
- - 'C:\Users\*\AppData\Local\Microsoft\OneDrive\OneDrive.exe'
- - 'C:\Users\*\AppData\Roaming\Spotify\Spotify.exe'
+ - 'C:\Users\\*\AppData\Local\Microsoft\OneDrive\OneDrive.exe'
+ - 'C:\Users\\*\AppData\Roaming\Spotify\Spotify.exe'
 - Image|endswith: '\opera_autoupdate.exe'
 condition: selection and not filter
 falsepositives:
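Review bot: With the escaping corrected, the `OneDrive.exe` and `Spotify.exe` entries now work as wildcard exclusions, and both point into per-user directories (`AppData\Local`, `AppData\Roaming`) that a standard user can write to, so the filter trusts these images by path alone. The `\\*` wildcard is also not limited to a single path segment, so it matches more than one profile folder name. I would document this next to the two entries, for example `# path-only exclusion in a user-writable directory; loads from here are not reported by this rule`, so that anyone tuning or triaging knows coverage for these locations has to come from another rule. The `filter` block and the field these values are matched against start above the hunk, so how the list is applied is not visible here.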