diff --git a/rules/credential_access_potential_ntlm_hash_leak_via_shortcut_file.yml b/rules/credential_access_potential_ntlm_hash_leak_via_shortcut_file.yml index 5591fb18a..82f5d5f1b 100644 --- a/rules/credential_access_potential_ntlm_hash_leak_via_shortcut_file.yml +++ b/rules/credential_access_potential_ntlm_hash_leak_via_shortcut_file.yml @@ -1,6 +1,6 @@ name: Potential NTLM hash leak via shortcut file id: 2217339b-19d0-45ac-9ec5-26b0a968bdf1 -version: 1.0.0 +version: 1.0.1 description: | Identifies potential NTLM hash leakage via malicious shortcut (.lnk) file processing. By crafting a .lnk file with a default icon from shell32.dll and the target path pointing @@ -25,17 +25,7 @@ condition: > thread.callstack.summary imatches 'ntdll.dll|KernelBase.dll|SHCore.dll|windows.storage.dll|shell32.dll|SHCore.dll|*' and thread.callstack.symbols iin ('shell32.dll!SHELL32_CNetFolderUI_CreateInstance') | - |open_file and - file.path istartswith '\\Device\\Mup\\' and - file.extension iin - ( - '.exe', - '.dll', - '.ocx', - '.cpl', - '.sys' - ) - | + |open_file and file.path imatches ('\\Device\\Mup\\*.exe', '\\Device\\Mup\\*.dll', '\\Device\\Mup\\*.ocx', '\\Device\\Mup\\*.cpl', '\\Device\\Mup\\*.sys')| severity: high