Update lateral_movement_credential_access_kerberos_correlation.toml

Samirbous · web-flow · commit 592b0949807d · 2025-11-26T17:54:52.000Z
diff --git a/rules/windows/lateral_movement_credential_access_kerberos_correlation.toml b/rules/windows/lateral_movement_credential_access_kerberos_correlation.toml
@@ -88,7 +88,7 @@ sequence by source.port, source.ip with maxspan=3s
   not process.executable : 
               ("?:\\Windows\\system32\\lsass.exe", 
                "\\device\\harddiskvolume*\\windows\\system32\\lsass.exe") and
-  not (process.executable : ("C:\Windows\System32\svchost.exe", 
+  not (process.executable : ("C:\\Windows\\System32\\svchost.exe", 
                              "C:\\Program Files\\VMware\\VMware View\\Server\\bin\\ws_TomcatService.exe", 
                              "F:\\IGEL\\RemoteManager\\*\\bin\\tomcat10.exe") and user.id in ("S-1-5-20", "S-1-5-18")) and   
   source.ip != "127.0.0.1" and destination.ip != "::1" and destination.ip != "127.0.0.1"]
