From e1913adfc516802fdcbc88ba4e17e26468e7452f Mon Sep 17 00:00:00 2001
From: Qasim Qlf <qlfqasim@gmail.com>
Date: Tue, 31 Jan 2023 12:25:32 +0500
Subject: [PATCH] fix: value

---
 ...creation_win_logon_scripts_userinitmprlogonscript_proc.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/windows/process_creation/proc_creation_win_logon_scripts_userinitmprlogonscript_proc.yml b/rules/windows/process_creation/proc_creation_win_logon_scripts_userinitmprlogonscript_proc.yml
index 9ed79a622..49ec12676 100644
--- a/rules/windows/process_creation/proc_creation_win_logon_scripts_userinitmprlogonscript_proc.yml
+++ b/rules/windows/process_creation/proc_creation_win_logon_scripts_userinitmprlogonscript_proc.yml
@@ -6,7 +6,7 @@ references:
     - https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html
 author: Tom Ueltschi (@c_APT_ure), Tim Shelton
 date: 2019/01/12
-modified: 2022/05/31
+modified: 2023/01/31
 tags:
     - attack.t1037.001
     - attack.persistence
@@ -18,7 +18,7 @@ detection:
         ParentImage|endswith: '\userinit.exe'
     exec_exclusion1:
         Image|endswith:
-            - 'explorer.exe'
+            - '\explorer.exe'
             - '\proquota.exe'
     exec_exclusion2:
         CommandLine|contains: