Update rules/windows/credential_access_kerberos_coerce.toml

w0rk3r · web-flow · commit 60074d3d6c58 · 2025-06-17T09:38:54.000-03:00
diff --git a/rules/windows/credential_access_kerberos_coerce.toml b/rules/windows/credential_access_kerberos_coerce.toml
@@ -92,8 +92,8 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-(event.code:4662 and winlog.event_data.AdditionalInfo : *1UWhR*BAAAA,*MicrosoftDNS*) or 
-(event.code:5137 and winlog.event_data.ObjectDN:*1UWhR*BAAAA,*MicrosoftDNS*)
+(event.code:4662 and winlog.event_data.AdditionalInfo: *UWhRC*BAAAA*MicrosoftDNS*) or 
+(event.code:5137 and winlog.event_data.ObjectDN: *UWhRC*BAAAA*MicrosoftDNS*)
 '''
 
 
