From 0b2f00db7c1a09648fce5a7cf6618b088369a2db Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Fri, 22 Dec 2023 20:07:38 +0000
Subject: [PATCH] Sigma Rule Update (2023-12-22 20:07:32) (#559)
Co-authored-by: hach1yon
---
 .../process_creation/proc_creation_win_reg_nolmhash.yml | 3 ++-
 .../sysmon/process_creation/proc_creation_win_reg_nolmhash.yml | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/sigma/builtin/process_creation/proc_creation_win_reg_nolmhash.yml b/sigma/builtin/process_creation/proc_creation_win_reg_nolmhash.yml
index c90e16a9e..9592a1e3f 100644
--- a/sigma/builtin/process_creation/proc_creation_win_reg_nolmhash.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_reg_nolmhash.yml
@@ -17,6 +17,7 @@ references:
 - https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/12/15
+modified: 2023/12/22
 tags:
 - attack.defense_evasion
 - attack.t1112
@@ -29,7 +30,7 @@ detection:
 Channel: Security
 selection:
 CommandLine|contains|all:
- - \System\CurrentControlSet\Control\Lsa\
+ - \System\CurrentControlSet\Control\Lsa
 - NoLMHash
 - ' 0'
 condition: process_creation and selection
diff --git a/sigma/sysmon/process_creation/proc_creation_win_reg_nolmhash.yml b/sigma/sysmon/process_creation/proc_creation_win_reg_nolmhash.yml
index 1f0fb72f1..199d420dd 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_reg_nolmhash.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_reg_nolmhash.yml
@@ -17,6 +17,7 @@ references:
 - https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/12/15
+modified: 2023/12/22
 tags:
 - attack.defense_evasion
 - attack.t1112
@@ -30,7 +31,7 @@ detection:
 Channel: Microsoft-Windows-Sysmon/Operational
 selection:
 CommandLine|contains|all:
- - \System\CurrentControlSet\Control\Lsa\
+ - \System\CurrentControlSet\Control\Lsa
 - NoLMHash
 - ' 0'
 condition: process_creation and selection
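Review bot: The `' 0'` item in `selection` is a bare substring, so the rule also fires when the data argument merely starts with zero, for example a hex-formatted `0x1` that sets NoLMHash to the hardened value. Dropping the trailing backslash from the Lsa path lets more command lines reach that check, so the looseness matters more after this change. Consider moving the value test into its own selection, such as `CommandLine|endswith: ' 0'` or `CommandLine|contains: ' 0 '`, and recording whatever benign case remains under `falsepositives`; a quoted value would need its own variant. The builtin copy of the rule earlier in this patch has the identical list. Both files appear to be produced by an automated rule update, so the fix probably belongs in the upstream Sigma rule.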