From 45828a85fd76599be1ba9753168d4a332deca4db Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Thu, 28 Dec 2023 20:07:23 +0000
Subject: [PATCH] Sigma Rule Update (2023-12-28 20:07:16) (#560)

Co-authored-by: hach1yon
---
 .../proc_creation_win_susp_redirect_local_admin_share.yml | 7 ++++---
 .../proc_creation_win_susp_redirect_local_admin_share.yml | 7 ++++---
 2 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_redirect_local_admin_share.yml b/sigma/builtin/process_creation/proc_creation_win_susp_redirect_local_admin_share.yml
index 9cf3fccd5..12b1fa942 100644
--- a/sigma/builtin/process_creation/proc_creation_win_susp_redirect_local_admin_share.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_susp_redirect_local_admin_share.yml
@@ -8,7 +8,7 @@ references:
 - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
 author: Florian Roth (Nextron Systems)
 date: 2022/01/16
-modified: 2022/09/09
+modified: 2023/12/28
 tags:
 - attack.exfiltration
 - attack.t1048
@@ -22,8 +22,9 @@ detection:
 selection_redirect:
 CommandLine|contains: '>'
 selection_share:
- - \\\\127.0.0.1\\admin$\\
- - \\\\localhost\\admin$\\
+ CommandLine|contains:
+ - \\\\127.0.0.1\\admin$\\
+ - \\\\localhost\\admin$\\
 condition: process_creation and (all of selection_*)
 falsepositives:
 - Unknown
diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_redirect_local_admin_share.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_redirect_local_admin_share.yml
index 6fe3a9150..98f5aabbe 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_susp_redirect_local_admin_share.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_susp_redirect_local_admin_share.yml
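Review bot: The new `CommandLine|contains` list under `selection_share` matches only the literal `127.0.0.1` and `localhost` spellings, so a redirect into the same local admin share written through another loopback address (e.g. `\\127.0.0.2\admin$\`) or through the host's own name or IP does not trigger, and a write to `c$` used the same way is not covered either. Since `contains` is case-insensitive in Sigma, the extra loopback spelling is a cheap addition, e.g. `- \\\\127.0.0.2\\admin$\\`; widening to non-loopback hosts would change what the rule means, so I would keep it to loopback forms. The values are unquoted YAML plain scalars, so the rule engine receives `\\\\127.0.0.1\\admin$\\` and is expected to decode it to `\\127.0.0.1\admin$\` — worth confirming in the backend's generated query now that the field has changed from a keyword search to `CommandLine`. `process_creation` referenced in the condition is defined outside this hunk.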
@@ -8,7 +8,7 @@ references:
 - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
 author: Florian Roth (Nextron Systems)
 date: 2022/01/16
-modified: 2022/09/09
+modified: 2023/12/28
 tags:
 - attack.exfiltration
 - attack.t1048
@@ -23,8 +23,9 @@ detection:
 selection_redirect:
 CommandLine|contains: '>'
 selection_share:
- - \\\\127.0.0.1\\admin$\\
- - \\\\localhost\\admin$\\
+ CommandLine|contains:
+ - \\\\127.0.0.1\\admin$\\
+ - \\\\localhost\\admin$\\
 condition: process_creation and (all of selection_*)
 falsepositives:
 - Unknown
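Review bot: `selection_share` now pins the two admin-share spellings to `CommandLine`, but it still lists only `127.0.0.1` and `localhost`, so the same local admin share reached through another loopback address (e.g. `\\127.0.0.2\admin$\`) or the machine's own hostname slips past, as does a `c$` share used in the same redirect. If the list is extended, adding at least `- \\\\127.0.0.2\\admin$\\` here as well keeps this Sysmon copy in step with the builtin copy of the same rule, which presumably must alert on the same command lines. The escaped form `\\\\...\\admin$\\` is an unquoted plain scalar, so it is worth checking the backend renders it as `\\127.0.0.1\admin$\` in the produced query. `process_creation` in the condition is defined outside this hunk.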