From a7503f04a6aab634d2adb9f9c766791c6a8d40f6 Mon Sep 17 00:00:00 2001
From: keyboardcrunch <>
Date: Sun, 6 Dec 2020 00:58:24 -0600
Subject: [PATCH] fixed missing os
---
 queries/windows/rundll32_possible_cobalt_strike.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/queries/windows/rundll32_possible_cobalt_strike.yml b/queries/windows/rundll32_possible_cobalt_strike.yml
index 430746f..dcfbca9 100644
--- a/queries/windows/rundll32_possible_cobalt_strike.yml
+++ b/queries/windows/rundll32_possible_cobalt_strike.yml
@@ -7,7 +7,7 @@ mitre:
 tactic: Defense Evasion
 technique: T1218
 subtechnique: 011
-operating_system:
+operating_system: windows
 query: ( SrcProcName In AnyCase ( "rundll32.exe" ) AND SrcProcCmdLine IS EMPTY ) OR ( SrcProcName In AnyCase ( "rundll32.exe" ) AND NetConnOutCount > "0" AND SrcProcParentName Not In ( "splwow64.exe" ) AND SrcProcParentName Not In ( "msiexec.exe" ) AND SrcProcCmdLine RegExp ".*((?!C:\\windows\\system32\\spool\\DRIVERS\\.*,MonitorPrintJobStatus))$/gmi" )
 false_positives:
 - Printer drivers
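Review bot: The `query` context line just below the changed `operating_system` line carries a trailing `/gmi` inside the quoted RegExp pattern (`...MonitorPrintJobStatus))$/gmi"`), which looks like JavaScript-style delimiter flags pasted into the string; the query language is not named on the page, but if the backend takes the pattern literally nothing can follow `$`, and the whole second OR branch (rundll32 with outbound connections) would silently never fire. The negative lookahead is also placed after a greedy `.*` and immediately before `$`, where no input remains, so it cannot exclude the spool-driver command line it names; this commit only fills in the operating system and leaves both untouched. Consider rewriting the pattern with the lookahead anchored at the start, e.g. `SrcProcCmdLine RegExp "^(?!.*C:\\windows\\system32\\spool\\DRIVERS\\.*,MonitorPrintJobStatus).*$"`, and confirming in the backend docs whether `RegExp` is case-insensitive, since the intent of the dropped `i` flag would otherwise be lost.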