Update sysmon_susp_office_dotnet_assembly_dll_load.yml

2020-02-25 09:23:22 -05:00
parent 8141b1ae90
commit f92e2f2b18
1 changed files with 4 additions and 4 deletions
@@ -16,10 +16,10 @@ detection:
    selection:
        EventID: 7
        Image:
-            - '*winword.exe*'
-            - '*powerpnt.exe*'
-            - '*excel.exe*'
-            - '*outlook.exe*'
+            - '*\winword.exe*'
+            - '*\powerpnt.exe*'
+            - '*\excel.exe*'
+            - '*\outlook.exe*'
        ImageLoaded:
            - '*C:\Windows\assembly\*'
    condition: selection