From d385cbfa69b76b66cfed2ae9aeece6096da2db51 Mon Sep 17 00:00:00 2001
From: Brad Kish
Date: Mon, 22 Jun 2020 15:31:03 -0400
Subject: [PATCH] Fix quoting for AD Object WriteDAC Access

The AccessMask field needs to be quoted so that it is compared correctly.
---
 rules/windows/builtin/win_ad_object_writedac_access.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/builtin/win_ad_object_writedac_access.yml b/rules/windows/builtin/win_ad_object_writedac_access.yml
index 5f732c52f..b1e89e40c 100644
--- a/rules/windows/builtin/win_ad_object_writedac_access.yml
+++ b/rules/windows/builtin/win_ad_object_writedac_access.yml
@@ -16,7 +16,7 @@ detection:
 selection:
 EventID: 4662
 ObjectServer: 'DS'
- AccessMask: 0x40000
+ AccessMask: '0x40000'
 ObjectType:
 - '19195a5b-6da0-11d0-afd3-00c04fd930c9'
 - 'domainDNS'
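Review bot: The quoted `AccessMask: '0x40000'` is an exact string match, so the selection only fires on 4662 events whose mask is WRITE_DAC alone. If the log source reports a combined mask when several rights are requested in one operation, those events would not match; this is worth confirming against sample events and, if it holds, noting as a known limitation in the rule. The line would also benefit from a comment recording why the quotes matter, e.g. `# quoted: unquoted 0x40000 is read by YAML as the integer 262144, not the hex string in the event`, so a later cleanup does not strip them again. The logsource and condition are outside the hunk, so this is based only on the selection shown.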