From f5cb339ef8f2632c2a186605e1ce52b65213f363 Mon Sep 17 00:00:00 2001
From: GtUGtHGtNDtEUaE <110989433+GtUGtHGtNDtEUaE@users.noreply.github.com>
Date: Thu, 1 Aug 2024 14:26:25 +0200
Subject: [PATCH] Update win_security_svcctl_remote_service.yml
---
 .../builtin/security/win_security_svcctl_remote_service.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/builtin/security/win_security_svcctl_remote_service.yml b/rules/windows/builtin/security/win_security_svcctl_remote_service.yml
index 2b175525098..7b980ffe534 100644
--- a/rules/windows/builtin/security/win_security_svcctl_remote_service.yml
+++ b/rules/windows/builtin/security/win_security_svcctl_remote_service.yml
@@ -6,7 +6,7 @@ references:
 - https://web.archive.org/web/20230329155141/https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html
 author: Samir Bousseaden
 date: 2019/04/03
-modified: 2022/08/11
+modified: 2024/08/01
 tags:
 - attack.lateral_movement
 - attack.persistence
@@ -20,7 +20,7 @@ detection:
 EventID: 5145
 ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$
 RelativeTargetName: svcctl
-Accesses|contains: 'WriteData'
+AccessList|contains: 'WriteData'
 condition: selection
 falsepositives:
 - Unknown
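Review bot: Whether the literal string `WriteData` ever appears in AccessList depends on how the 5145 event reaches the SIEM — in the raw EventData the field carries resource-string tokens such as `%%4417`, which become "WriteData (or AddFile)" only when the message is rendered, so `AccessList|contains: 'WriteData'` in the second hunk may silently never fire on collectors that forward unrendered XML. The rename itself looks right (AccessList is the EventData field name; `Accesses` reads like the label from the rendered message text), but the value side deserves the same scrutiny as the key. Consider confirming that the project's field mappings translate the token, or matching both forms as a list under the modifier, `AccessList|contains:` / `- 'WriteData'` / `- '%%4417'`, and recording in a comment which collection path the rule was validated against. The `modified` date hunk needs nothing.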