Merge pull request #3147 from frack113/fix_issue_3067

Fix ServiceName

rules/windows/builtin/security/win_susp_rc4_kerberos.yml

@@ -10,7 +10,7 @@ tags:
 description: Detects service ticket requests using RC4 encryption type
 author: Florian Roth
 date: 2017/02/06
-modified: 2021/08/14
+modified: 2022/06/19
 logsource:
     product: windows
     service: security
@@ -20,7 +20,7 @@ detection:
         TicketOptions: '0x40810000'
         TicketEncryptionType: '0x17'
     reduction:
-        ServiceName|startswith: '$'
+        ServiceName|endswith: '$'
     condition: selection and not reduction
 falsepositives:
     - Service accounts used on legacy systems (e.g. NetApp)