fix(rules): fix rule for ldapfw name impersonation

zeronetworks · Nov 2, 2023 · 3a21753 · 3a21753
1 parent 7a71de3
commit 3a21753
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/rules/application/ldap_firewall/ldap_firewall_name_impersonation.yml b/rules/application/ldap_firewall/ldap_firewall_name_impersonation.yml
@@ -21,8 +21,8 @@ logsource:
 detection:
     selection:
         EventLog: LDAPFW
-        EventID: 259
-        DN|re: 'sAMAccountName:\w+[,][\s]'
+        EventID: 261
+        EntryList|re: 'sAMAccountName:[^,$]*([,]{1}|$)'
     condition: selection
 falsepositives:
     - Unknown