From 07dec062227ecc46e9823c2f3ca235abb5b794cc Mon Sep 17 00:00:00 2001
From: Keep Watcher
Date: Wed, 20 Feb 2019 10:57:24 -0500
Subject: [PATCH] Fixing yara condition

---
 rules/windows/builtin/win_spn_enum.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/rules/windows/builtin/win_spn_enum.yml b/rules/windows/builtin/win_spn_enum.yml
index 295c5f67e..e6397c7ca 100644
--- a/rules/windows/builtin/win_spn_enum.yml
+++ b/rules/windows/builtin/win_spn_enum.yml
@@ -5,19 +5,19 @@ description: Detects Service Principal Name Enumeration used for Kerberoasting
 status: experimental
 references:
     - https://p16.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation
-author: Markus Neis
+author: Markus Neis, keepwatch
 date: 2018/11/14
 tags:
     - attack.credential_access
     - attack.t1208
 detection:
-    selection:
+    selection_image:
         Image: '*\setspn.exe'
-    selection1:
+    selection_desc:
         Description: '*Query or reset the computer* SPN attribute*'
     cmd:
         CommandLine: '*-q*'
-    condition: (selection or selection1) and cmd
+    condition: selection and (selection_image or selection_desc) and cmd
 falsepositives:
     - Administrator Activity
 level: medium
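Review bot: The new `condition` line still references `selection`, which this same hunk renames to `selection_image`, so the rule now points at an identifier that no longer exists in `detection`; Sigma converters that validate condition identifiers will reject the rule, and any that do not are likely to emit a query that never fires. The intended expression is `condition: (selection_image or selection_desc) and cmd`, which preserves the original "image or description, plus the query flag" logic. As a practitioner caveat, `CommandLine: '*-q*'` matches any command line containing the two characters `-q`, so on the `selection_desc` branch (which a renamed setspn.exe would still satisfy via its version-info Description) nothing else narrows the match; a comment such as `# Description branch covers renamed setspn.exe binaries; the -q substring is deliberately loose` would make that trade-off explicit, or the pattern could be tightened to `'* -q*'` if telemetry supports it. The rule header (title, id, description) sits above line 5 and is outside the hunk.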