From 138447221f8cf3dcb1d9d761051245dec4c78f05 Mon Sep 17 00:00:00 2001
From: ALEXANDER MA COTE
Date: Wed, 27 Mar 2024 06:38:57 -0400
Subject: [PATCH] fix typo in lateral_movement_remote_services.toml (#3538)
---
 rules/windows/lateral_movement_remote_services.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/lateral_movement_remote_services.toml b/rules/windows/lateral_movement_remote_services.toml
index 4e984d38b..a9b41eae5 100644
--- a/rules/windows/lateral_movement_remote_services.toml
+++ b/rules/windows/lateral_movement_remote_services.toml
@@ -36,7 +36,7 @@ authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.resu
 author = ["Elastic"]
 description = """
 Identifies remote execution of Windows services over remote procedure call (RPC). This could be indicative of lateral
-movement, but will be noisy if commonly done by administrators."
+movement, but will be noisy if commonly done by administrators.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.sysmon_operational-*"]