Update lnx_auditd_ld_so_preload_mod.yml

rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml

@@ -1,8 +1,12 @@
 title: Modification of ld.so.preload
 description: Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes.
 status: experimental
-author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert)
+author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community
 date: 2019/10/24
+modified: 2019/11/11
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.yaml
+    - https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html
 tags:
     - attack.defense_evasion
     - attack.t1055
@@ -12,10 +16,8 @@ logsource:
 detection:
     selection:
         type: 'PATH'
-        name:
-            - '/etc/ld.so.preload'
-    condition: selection
+        name: '/etc/ld.so.preload'
     condition: selection
 falsepositives:
-    - unknown
+    - Unknown
 level: medium