From a884d8a237d8557121f82f89623693db7da23241 Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Fri, 4 Feb 2022 15:38:12 -0300
Subject: [PATCH] Update credential_access_mod_wdigest_security_provider.toml (#1751)
(cherry picked from commit 40095d95bf425dd47ad826fc979d964c34b75693)
---
 .../credential_access_mod_wdigest_security_provider.toml | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/rules/windows/credential_access_mod_wdigest_security_provider.toml b/rules/windows/credential_access_mod_wdigest_security_provider.toml
index a415fe95c..58faf8624 100644
--- a/rules/windows/credential_access_mod_wdigest_security_provider.toml
+++ b/rules/windows/credential_access_mod_wdigest_security_provider.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/19"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2022/02/03"
 
 [rule]
 author = ["Elastic"]
@@ -28,9 +28,10 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-registry where event.type in ("creation", "change") and registry.path:"HKLM\\SYSTEM\\*ControlSet*\\Control\\SecurityProviders\\WDigest\\UseLogonCredential" and registry.data.strings:"1"
+registry where event.type : ("creation", "change") and registry.path : "HKLM\\SYSTEM\\*ControlSet*\\Control\\SecurityProviders\\WDigest\\UseLogonCredential" and registry.data.strings : ("1", "0x00000001")
 '''