From d3d018e60052eb7539bca9c2da63a493e3e68c63 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 2 Jul 2021 22:02:46 +0200
Subject: [PATCH] fix: escape character that would be interpreted as wildcard
---
 rules/windows/builtin/win_dce_rpc_smb_spoolss_named_pipe.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/builtin/win_dce_rpc_smb_spoolss_named_pipe.yml b/rules/windows/builtin/win_dce_rpc_smb_spoolss_named_pipe.yml
index 040b921f8..bfdf33367 100644
--- a/rules/windows/builtin/win_dce_rpc_smb_spoolss_named_pipe.yml
+++ b/rules/windows/builtin/win_dce_rpc_smb_spoolss_named_pipe.yml
@@ -17,7 +17,7 @@ logsource:
 detection:
 selection:
 EventID: 5145
- ShareName: \\*\IPC$
+ ShareName: \\\*\IPC$
 RelativeTargetName: spoolss
 condition: selection
 falsepositives:
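Review bot: The new `ShareName: \\\*\IPC$` value may not match the string that event 5145 actually carries. As I read the Sigma escaping rules, `\\\*` is one literal backslash followed by a literal asterisk, while Windows reports the IPC share as `\\*\IPC$` with two leading backslashes, so a backend that does exact matching could silently stop firing. Consider spelling out both backslashes, quoting the value and documenting the intent, e.g. `ShareName: '\\\\\*\\IPC$'  # matches the literal string \\*\IPC$`. Whichever form is kept, check the converted query against a recorded 5145 event for each backend in use, since an over-escaped value fails closed without any error. The rest of the rule lies outside this hunk.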