From e7c57671bdf129a7a680bbf458ec0f922bae25b8 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Tue, 2 Aug 2022 18:08:39 +0200
Subject: [PATCH] reworked rule

---
 ...igations_code_integrity_defender_load_unsigned_dll.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/rules/windows/builtin/security_mitigations/win_security_mitigations_code_integrity_defender_load_unsigned_dll.yml b/rules/windows/builtin/security_mitigations/win_security_mitigations_code_integrity_defender_load_unsigned_dll.yml
index 077793c86..92d882d23 100644
--- a/rules/windows/builtin/security_mitigations/win_security_mitigations_code_integrity_defender_load_unsigned_dll.yml
+++ b/rules/windows/builtin/security_mitigations/win_security_mitigations_code_integrity_defender_load_unsigned_dll.yml
@@ -15,10 +15,10 @@ logsource:
 detection:
 selection:
 EventID: 12 # MDE: ExploitGuardNonMicrosoftSignedBlocked
- ProcessPath|endswith:
- - '\MpCmdRun.exe'
- - '\NisSrv.exe'
- Image|endswith: '.dll'
+ ProcessPath|endswith:
+ - '\MpCmdRun.exe'
+ - '\NisSrv.exe'
+ ImageName|endswith: '.dll'
 condition: selection
 falsepositives:
 - Unknown
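Review bot: The only substantive change in the hunk is the field rename `Image|endswith` → `ImageName|endswith`, and nothing in the rule or the commit message ("reworked rule") records why, so the next maintainer has no way to tell that `Image` is the Sysmon-style name and `ImageName` is presumably the field the Security-Mitigations event itself carries; add a comment in the same style as the one on `EventID`, e.g. `ImageName|endswith: '.dll'  # native Security-Mitigations field name, not Sysmon's Image`. The `'.dll'` suffix filter also means a blocked load of a non-Microsoft-signed image whose file name does not end in .dll is not matched by this rule; whether that narrowing is intended is not visible from the diff, and if it is not, dropping the `ImageName` clause would cover every EID 12 hit on the listed Defender processes. If the rule carries a `modified:` date above this hunk, it is not touched by this commit and should be bumped with the field change. The surrounding `detection:` and `falsepositives:` sections start and end outside the hunk.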