Update win_account_discovery.yml

2022-07-12 23:58:40 +04:30
parent 0850419c95
commit f9faeacb5a
1 changed files with 1 additions and 1 deletions
@@ -33,7 +33,7 @@ detection:
          - '-555'
        - ObjectName|contains: 'admin'
    filter:
-        - SubjectUserName|endswith: '$'
+        SubjectUserName|endswith: '$'
    condition: selection and selection_object and not filter
 falsepositives:
    - If source account name is not an admin then its super suspicious