From f92e2f2b18db977db65bf3d048e6b3876d49b894 Mon Sep 17 00:00:00 2001
From: Antonlovesdnb
Date: Tue, 25 Feb 2020 09:23:22 -0500
Subject: [PATCH] Update sysmon_susp_office_dotnet_assembly_dll_load.yml
---
 .../sysmon_susp_office_dotnet_assembly_dll_load.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/rules/windows/sysmon/sysmon_susp_office_dotnet_assembly_dll_load.yml b/rules/windows/sysmon/sysmon_susp_office_dotnet_assembly_dll_load.yml
index 575e76fa9..1690d51b5 100644
--- a/rules/windows/sysmon/sysmon_susp_office_dotnet_assembly_dll_load.yml
+++ b/rules/windows/sysmon/sysmon_susp_office_dotnet_assembly_dll_load.yml
@@ -16,10 +16,10 @@ detection:
 selection:
 EventID: 7
 Image:
- '*winword.exe*'
- '*powerpnt.exe*'
- '*excel.exe*'
- '*outlook.exe*'
+ - '*\winword.exe*'
+ - '*\powerpnt.exe*'
+ - '*\excel.exe*'
+ - '*\outlook.exe*'
 ImageLoaded:
 - '*C:\Windows\assembly\*'
 condition: selection
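Review bot: The trailing `*` on the four new `Image` patterns leaves them as contains-style matches, so a process whose path merely has `\winword.exe` somewhere in the middle (for example a directory or file named `winword.exe.bak`) still satisfies the selection. Sysmon event 7 records the full path of the loading process in `Image`, so anchoring the end as well, `- '*\winword.exe'` (and likewise for `powerpnt.exe`, `excel.exe` and `outlook.exe`), limits the rule to processes whose file name is exactly the Office binary. The match is still on file name only, so it would be worth a line under the rule's false-positive or description text saying that a non-Office binary with the same name in another directory will also trigger. The rest of the rule (title, `logsource`, `falsepositives`, `level`) is outside this hunk, so that text may already exist.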