From 55f1f6dd1e890cf88a7d5f7d6f9543817dee8510 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sun, 19 Jun 2022 11:59:48 +0200
Subject: [PATCH] Fix ServiceName

---
 rules/windows/builtin/security/win_susp_rc4_kerberos.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/windows/builtin/security/win_susp_rc4_kerberos.yml b/rules/windows/builtin/security/win_susp_rc4_kerberos.yml
index 3f7576a13..76abc6f50 100644
--- a/rules/windows/builtin/security/win_susp_rc4_kerberos.yml
+++ b/rules/windows/builtin/security/win_susp_rc4_kerberos.yml
@@ -10,7 +10,7 @@ tags:
 description: Detects service ticket requests using RC4 encryption type
 author: Florian Roth
 date: 2017/02/06
-modified: 2021/08/14
+modified: 2022/06/19
 logsource:
 product: windows
 service: security
@@ -20,7 +20,7 @@ detection:
 TicketOptions: '0x40810000'
 TicketEncryptionType: '0x17'
 reduction:
- ServiceName|startswith: '$'
+ ServiceName|endswith: '$'
 condition: selection and not reduction
 falsepositives:
 - Service accounts used on legacy systems (e.g. NetApp)
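Review bot: The corrected reduction exempts any service ticket whose ServiceName ends in `$`, and the hunk gives no reason for the exemption; Active Directory does not reserve a trailing `$` for computer accounts, so a user account deliberately named with a trailing `$` (a known way to blend in with machine accounts) would also be exempted when its ticket is requested with RC4. A YAML comment above the `ServiceName|endswith` line would make that trade-off explicit, e.g. `# skip computer-account SPNs (names end in '$'); a user account named with a trailing '$' is exempted too`. The `detection:` block and its `selection` begin outside this hunk, so whether EventID 4769 is pinned there cannot be confirmed from the patch. The `falsepositives` entry could also state that computer accounts are now excluded by design, since the previous `startswith` form presumably never matched them.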