From cb5a541a5ea4582b346cc7c07ece58df3d1ab45e Mon Sep 17 00:00:00 2001
From: Semanur Guneysu
Date: Mon, 26 Oct 2020 14:56:25 +0300
Subject: [PATCH] Update sysmon_abusing_debug_privilege.yml NT AUTHORITY\SYSTEM
---
 .../windows/process_creation/sysmon_abusing_debug_privilege.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml b/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml
index ec7fad0ee..6cb6b4dfd 100644
--- a/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml
+++ b/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml
@@ -28,7 +28,7 @@ detection:
 - '\powershell.exe'
 - '\cmd.exe'
 selection3:
- User: 'NT AUTHORITY\\SYSTEM'
+ User: 'NT AUTHORITY\SYSTEM'
 filter:
 CommandLine|contains|all:
 - ' route ADD '
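Review bot: The exact match `User: 'NT AUTHORITY\SYSTEM'` in selection3 only fires on hosts where Windows logs the account name in English; localized installations record a translated authority name, so the rule would silently miss SYSTEM-context activity there. A substring match such as `User|contains: ['AUTHORI', 'AUTORI']` would cover the common language variants, at the cost of also matching other built-in authority accounts, so the false-positive section may need a note. A short comment on the line would also help future editors, e.g. `# single-quoted scalar: the backslash is literal, same style as the path entries above`. The detection block's condition and the rest of the rule lie outside this hunk, so how selection3 combines with the filter cannot be checked from here.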