Update sysmon_win_reg_persistence.yml

2024-11-07 17:58:52 +00:00 · 2020-10-15 20:11:37 -03:00 · 2020-10-15 20:11:37 -03:00 · 229e57777a
commit 229e57777a
parent 8a52610bf8
1 changed files with 4 additions and 4 deletions
--- a/rules/windows/registry_event/sysmon_win_reg_persistence.yml
+++ b/rules/windows/registry_event/sysmon_win_reg_persistence.yml
@ -11,10 +11,10 @@ logsource:
    product: windows
 detection:
    selection_reg1:
-        TargetObject:
-            - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\\*\GlobalFlag'
-            - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\\*\ReportingMode'
-            - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\\*\MonitorProcess'
+        TargetObject|startswith:
+            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\\*\GlobalFlag'
+            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\\*\ReportingMode'
+            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\\*\MonitorProcess'
        EventType: SetValue
    condition: selection_reg1
 tags: