Merge pull request SigmaHQ#725 from WilliamBruneau/fix_null_list

Move null values out from list in rules
rkondracki · Jun 3, 2020 · d97d2ce · d97d2ce
2 parents 022d73f + 84dd8c3
commit d97d2ce
Showing 1 changed file with 5 additions and 5 deletions.
diff --git a/rules/windows/sysmon/sysmon_ads_executable.yml b/rules/windows/sysmon/sysmon_ads_executable.yml
@@ -17,11 +17,11 @@ logsource:
 detection:
     selection:
         EventID: 15
-    filter:
-        Imphash: 
-            - '00000000000000000000000000000000'
-            - null
-    condition: selection and not filter
+    filter1:
+        Imphash: '00000000000000000000000000000000'
+    filter2:
+        Imphash: null
+    condition: selection and not 1 of filter*
 fields:
     - TargetFilename
     - Image