From ebcfcfebf46e5dbbf7fe573a4a60b609b317cbc1 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sat, 20 Nov 2021 19:14:59 +0100
Subject: [PATCH] Fix field name

---
 rules/windows/builtin/win_susp_ntlm_auth.yml | 3 ++-
 .../sysmon_cobaltstrike_process_injection.yml | 4 ++--
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/rules/windows/builtin/win_susp_ntlm_auth.yml b/rules/windows/builtin/win_susp_ntlm_auth.yml
index f9e9df5a2..256ba6ea8 100644
--- a/rules/windows/builtin/win_susp_ntlm_auth.yml
+++ b/rules/windows/builtin/win_susp_ntlm_auth.yml
@@ -7,6 +7,7 @@ references:
     - https://goo.gl/PsqrhT
 author: Florian Roth
 date: 2018/06/08
+modified: 2021/11/20
 tags:
     - attack.lateral_movement
     - attack.t1075 # an old one
@@ -18,7 +19,7 @@ logsource:
 detection:
     selection:
         EventID: 8002
-        CallingProcessName: '*' # We use this to avoid false positives with ID 8002 on other log sources if the logsource isn't set correctly
+        ProcessName: '*' # We use this to avoid false positives with ID 8002 on other log sources if the logsource isn't set correctly
     condition: selection
 falsepositives:
     - Legacy hosts
diff --git a/rules/windows/create_remote_thread/sysmon_cobaltstrike_process_injection.yml b/rules/windows/create_remote_thread/sysmon_cobaltstrike_process_injection.yml
index fb0e4c916..94a3f1c7e 100644
--- a/rules/windows/create_remote_thread/sysmon_cobaltstrike_process_injection.yml
+++ b/rules/windows/create_remote_thread/sysmon_cobaltstrike_process_injection.yml
@@ -11,13 +11,13 @@ tags:
 status: experimental
 author: Olaf Hartong, Florian Roth, Aleksey Potapov, oscd.community
 date: 2018/11/30
-modified: 2020/08/28
+modified: 2021/11/20
 logsource:
     product: windows
     category: create_remote_thread
 detection:
     selection:
-        TargetProcessAddress|endswith:
+        StartAddress|endswith:
             - '0B80'
             - '0C7C'
             - '0C88'
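Review bot: The renamed `ProcessName: '*'` still relies on the backend translating a lone wildcard into a field-existence test; on a backend that folds `'*'` into a match-anything or drops the clause, the guard the trailing comment describes disappears silently and every EventID 8002 from a mis-mapped logsource matches again, so this is worth confirming for the backends the repository targets. The intent also lives only in an inline comment that makes the line far longer than the rest of the file; a comment above the key at its indentation, such as `# ProcessName must be present so that EventID 8002 from a wrongly mapped logsource does not match`, keeps the line readable and states why a wildcard-only field is deliberate. Since `ProcessName` is a more generic name than the old `CallingProcessName`, whether other log sources with an EventID 8002 also carry it cannot be judged from the hunk; the `logsource` and `description` blocks sit above it.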
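Review bot: `StartAddress|endswith` with four-hex-digit suffixes keys on only the low 16 bits of a thread start address, so each listed value will also hit a share of unrelated CreateRemoteThread events, and the rule still carries no comment saying where the suffixes come from or what they presumably correspond to in the tooling named in the file, which makes them hard to review or retire later. A comment above the list such as `# low 16 bits of known thread start addresses taken from the references; revisit when those artifacts change` would document the intent without changing the match. The remainder of the selection and the condition lie below the hunk, so it cannot be seen here whether a source or target image filter narrows the match; the visible `status: experimental` fits a rule of this specificity.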