Update initial_access_rdp_file_mail_attachment.toml

Samirbous · web-flow · commit 5fe1a40cbaf0 · 2024-11-05T17:19:52.000Z
diff --git a/rules/windows/initial_access_rdp_file_mail_attachment.toml b/rules/windows/initial_access_rdp_file_mail_attachment.toml
@@ -52,7 +52,7 @@ type = "eql"
 query = '''
 process where host.os.type == "windows" and event.type == "start" and  
  process.name : "mstsc.exe" and
- process.args : ("?:\\Users\\*\\Downloads\\*", 
+ process.args : ("?:\\Users\\*\\Downloads\\*.rdp", 
                  "?:\\Users\\*\\AppData\\Local\\Temp\\Temp?_*.rdp", 
                  "?:\\Users\\*\\AppData\\Local\\Temp\\7z*.rdp", 
                  "?:\\Users\\*\\AppData\\Local\\Temp\\Rar$*\\*.rdp", 
