From e675cdf9c42ca47775ce8327a4866ae80daa4435 Mon Sep 17 00:00:00 2001
From: Olaf Hartong <8149899+olafhartong@users.noreply.github.com>
Date: Wed, 22 May 2019 12:32:07 +0200
Subject: [PATCH] Rule Windows 10 scheduled task SandboxEscaper 0-day
---
 rules/windows/sysmon/sysmon_win10_sched_task_0day.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/sysmon/sysmon_win10_sched_task_0day.yml b/rules/windows/sysmon/sysmon_win10_sched_task_0day.yml
index 162963afa..64012966a 100644
--- a/rules/windows/sysmon/sysmon_win10_sched_task_0day.yml
+++ b/rules/windows/sysmon/sysmon_win10_sched_task_0day.yml
@@ -11,7 +11,7 @@ logsource:
 detection:
 selection:
 EventID: 1
- Image: 'schtasks.exe'
+ Image: 'schtasks.exe'
 CommandLine: '*/change*/TN*/RU*'
 filter:
 condition: selection
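Review bot: The new-side `Image: 'schtasks.exe'` in the selection is a bare file name, but the Sysmon Event ID 1 Image field carries the full executable path, so an exact-match value will not fire and the rule is effectively dead; it should be `Image: '*\schtasks.exe'` (or the equivalent `Image|endswith: '\schtasks.exe'`). As rendered here the removed and added lines read identically, so the commit may only be a whitespace or indentation change rather than a fix to the matching value — worth confirming against the actual file. Separately, `filter:` is left as an empty mapping that `condition: selection` never references; an empty selection is rejected by some Sigma backends, so either drop the key or complete it and reference it as `condition: selection and not filter`.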