From 39c2258848b3d05f324f05056b57209b18a517fd Mon Sep 17 00:00:00 2001
From: yugoslavskiy
Date: Sat, 28 Nov 2020 18:30:41 +0100
Subject: [PATCH] Update sysmon_registry_persistence_search_order.yml

---
 .../sysmon_registry_persistence_search_order.yml | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml b/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml
index cfdc15df..8e31caf6 100755
--- a/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml
+++ b/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml
@@ -4,9 +4,9 @@ status: experimental
 description: Detects potential COM object hijacking leveraging the COM Search Order
 references:
 - https://www.cyberbit.com/blog/endpoint-security/com-hijacking-windows-overlooked-security-vulnerability/
-author: Maxime Thiebaut (@0xThiebaut)
+author: Maxime Thiebaut (@0xThiebaut), oscd.community
 date: 2020/04/14
-modified: 2020/09/06
+modified: 2020/11/28
 tags:
 - attack.persistence
 - attack.t1038 # an old one
@@ -16,7 +16,10 @@ logsource:
 product: windows
 detection:
 selection: # Detect new COM servers in the user hive
- TargetObject: 'HKU\\*_Classes\CLSID\\*\InProcServer32\(Default)'
+ TargetObject|contains|all:
+ - 'HKU\'
+ - '_Classes\CLSID\'
+ - '\InProcServer32\(Default)'
 filter:
 - Details|contains: # Exclude privileged directories and observed FPs
 - '%%systemroot%%\system32\'
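Review bot: Switching `TargetObject` from the wildcard pattern to `TargetObject|contains|all` in the second hunk drops the ordering and anchoring the old value enforced — the three fragments may now appear anywhere in the key path and in any order, so the selection is somewhat wider than `HKU\*_Classes\CLSID\*\InProcServer32\(Default)` was, and nothing in the hunk records why the wildcard form was replaced (presumably backend handling of the escaped `\\*` sequences, but that is inferred). A short comment on the new key would keep that intent reviewable, e.g. `TargetObject|contains|all: # fragments of HKU\<SID>_Classes\CLSID\<GUID>\InProcServer32\(Default); contains|all replaces the wildcard match and does not enforce order`. The trailing backslash in `'HKU\'` and `'_Classes\CLSID\'` relies on the Sigma convention that a lone backslash is literal; worth confirming against the backends this rule is built for. The `detection` block and its `filter` list continue past the end of the hunk.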