From 710f4bda10ed3ae7a137d328d41b595fb5c3c245 Mon Sep 17 00:00:00 2001
From: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Date: Mon, 30 Nov 2020 15:26:28 -0700
Subject: [PATCH] Add file.extension to SxS .local rule

---
 rules/windows/execution_shared_modules_local_sxs_dll.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/execution_shared_modules_local_sxs_dll.toml b/rules/windows/execution_shared_modules_local_sxs_dll.toml
index 08daee8a1..4a0f4603b 100644
--- a/rules/windows/execution_shared_modules_local_sxs_dll.toml
+++ b/rules/windows/execution_shared_modules_local_sxs_dll.toml
@@ -24,7 +24,7 @@ tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
 type = "eql"
 query = '''
-file where file.path : "C:\\*\\*.exe.local\\*.dll"
+file where file.extension : "dll" and file.path : "C:\\*\\*.exe.local\\*.dll"
 '''