Merge pull request SigmaHQ#1638 from frack113/fix_win_external_device…

….yml win_external_device.yml fix invalid field name
Mladia · Jul 7, 2021 · 6e00745 · 6e00745
2 parents bd06282 + b0c9bc1
commit 6e00745
Showing 1 changed file with 4 additions and 3 deletions.
diff --git a/rules/windows/builtin/win_external_device.yml b/rules/windows/builtin/win_external_device.yml
@@ -1,9 +1,10 @@
-title: External Disk Drive or USB Storage Device
+title: External Disk Drive Or USB Storage Device
 id: f69a87ea-955e-4fb4-adb2-bb9fd6685632
-description: Detects external diskdrives or plugged in USB devices
+description: Detects external diskdrives or plugged in USB devices , EventID 6416 on windows 10 or later
 status: experimental
 author: Keith Wright
 date: 2019/11/20
+modified: 2021/07/06
 tags:
     - attack.t1091
     - attack.t1200
@@ -16,7 +17,7 @@ detection:
     selection:
         EventID: 
             - 6416
-        DeviceClassName: 'DiskDrive'  
+        ClassName: 'DiskDrive'  
     selection2:
         DeviceDescription: 'USB Mass Storage Device'
     condition: selection or selection2