From 07e55593c358cb55b4ecbb065a474f56ca8a50c2 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 5 Aug 2022 00:39:32 +0100
Subject: [PATCH] Update some registry rules

---
 .../proc_creation_win_reg_defender_exclusion.yml | 6 +++---
 .../proc_creation_win_reg_defender_tampering.yml | 6 +++---
 .../proc_creation_win_susp_reg_bitlocker.yml | 3 ++-
 ...proc_creation_win_write_protect_for_storage_disabled.yml | 4 ++--
 .../registry_event/registry_event_add_local_hidden_user.yml | 4 ++--
 5 files changed, 12 insertions(+), 11 deletions(-)

diff --git a/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml b/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml
index 380ae661e..7885f41d7 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml
@@ -7,7 +7,7 @@ references:
     - https://redcanary.com/threat-detection-report/threats/qbot/
 author: frack113
 date: 2022/02/13
-modified: 2022/07/28
+modified: 2022/08/05
 logsource:
     category: process_creation
     product: windows
@@ -15,8 +15,8 @@ detection:
     selection:
         Image|endswith: \reg.exe
         CommandLine|contains:
-            - 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths'
-            - 'HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths'
+            - 'SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths'
+            - 'SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths'
         CommandLine|contains|all:
             - 'ADD '
             - '/t '
diff --git a/rules/windows/process_creation/proc_creation_win_reg_defender_tampering.yml b/rules/windows/process_creation/proc_creation_win_reg_defender_tampering.yml
index 88b58785a..ec4972e4c 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_defender_tampering.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_defender_tampering.yml
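Review bot: The two new `CommandLine|contains` patterns start at `SOFTWARE\...` with no leading backslash, while the sibling hunks in this commit (`'\SOFTWARE\Policies\Microsoft\FVE'` in proc_creation_win_susp_reg_bitlocker.yml and `'\system\currentcontrolset\control'` in proc_creation_win_write_protect_for_storage_disabled.yml) keep the `\` so the substring is anchored to a path component; for consistency I would write `- '\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths'` and `- '\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths'`. Nothing in the rule records why the hive prefix was removed; presumably so that both the `HKLM\` and the spelled-out `HKEY_LOCAL_MACHINE\` forms accepted by reg.exe are matched, and a one-line comment above the list, e.g. `# hive prefix omitted on purpose: reg.exe accepts both HKLM\ and HKEY_LOCAL_MACHINE\`, would stop a later maintainer from re-adding it. The same documentation point applies to the bitlocker and write-protect hunks named above. The `selection` block continues past the end of this hunk.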
@@ -6,12 +6,12 @@ references:
     - https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/
 author: Florian Roth
 date: 2022/03/22
-modified: 2022/05/09
+modified: 2022/08/05
 logsource:
     category: process_creation
     product: windows
 detection:
-    selection:
+    selection_reg:
         Image|endswith: \reg.exe
         CommandLine|contains:
             - 'SOFTWARE\Microsoft\Windows Defender\'
@@ -23,7 +23,7 @@ detection:
         CommandLine|contains:
             - 'Real-Time Protection'
             - 'TamperProtection'
-    condition: selection and selection_target
+    condition: all of selection_*
 falsepositives:
     - Legitimate use
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_reg_bitlocker.yml b/rules/windows/process_creation/proc_creation_win_susp_reg_bitlocker.yml
index 39795b0cd..791985d1a 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_reg_bitlocker.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_reg_bitlocker.yml
@@ -9,6 +9,7 @@ tags:
     - attack.t1486
 author: frack113
 date: 2021/11/15
+modified: 2022/08/05
 logsource:
     category: process_creation
     product: windows
@@ -17,7 +18,7 @@ detection:
         CommandLine|contains|all:
             - 'REG'
             - 'ADD'
-            - 'HKLM\SOFTWARE\Policies\Microsoft\FVE'
+            - '\SOFTWARE\Policies\Microsoft\FVE'
             - '/v'
             - '/f'
     key:
diff --git a/rules/windows/process_creation/proc_creation_win_write_protect_for_storage_disabled.yml b/rules/windows/process_creation/proc_creation_win_write_protect_for_storage_disabled.yml
index c9fe66af5..7db78cfde 100644
--- a/rules/windows/process_creation/proc_creation_win_write_protect_for_storage_disabled.yml
+++ b/rules/windows/process_creation/proc_creation_win_write_protect_for_storage_disabled.yml
@@ -4,7 +4,7 @@ description: Looks for changes to registry to disable any write-protect property
 status: experimental
 author: Sreeman
 date: 2021/06/11
-modified: 2022/03/07
+modified: 2022/08/05
 logsource:
     product: windows
     category: process_creation
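Review bot: `condition: all of selection_*` in the second hunk of proc_creation_win_reg_defender_tampering.yml now depends on every block that must be ANDed carrying the `selection_` prefix and on no other block carrying it; the hunk shows `selection_reg` (renamed in the first hunk of this file) and the removed condition referenced `selection_target`, but that block sits between the two hunks, outside the diff, so it should be confirmed that these are the only `selection_`-prefixed blocks. Any filter added to this rule later must use a different prefix (e.g. `filter_`), or the wildcard will silently fold it into the conjunction. A comment beside the condition such as `# all of selection_*: every selection_ block is required; put exclusions under filter_` would make that constraint visible to the next editor.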
@@ -12,7 +12,7 @@ detection:
     selection:
         CommandLine|contains|all:
             - 'reg add'
-            - 'hklm\system\currentcontrolset\control'
+            - '\system\currentcontrolset\control'
             - 'write protection'
             - '0'
         CommandLine|contains:
diff --git a/rules/windows/registry/registry_event/registry_event_add_local_hidden_user.yml b/rules/windows/registry/registry_event/registry_event_add_local_hidden_user.yml
index 617b5e934..a88ce15cf 100644
--- a/rules/windows/registry/registry_event/registry_event_add_local_hidden_user.yml
+++ b/rules/windows/registry/registry_event/registry_event_add_local_hidden_user.yml
@@ -3,7 +3,7 @@ id: 460479f3-80b7-42da-9c43-2cc1d54dbccd
 description: Sysmon registry detection of a local hidden user account.
 status: experimental
 date: 2021/05/03
-modified: 2022/06/02
+modified: 2022/08/05
 author: Christian Burkard
 tags:
     - attack.persistence
@@ -15,7 +15,7 @@ logsource:
     category: registry_event
 detection:
     selection:
-        TargetObject|startswith: 'HKLM\SAM\SAM\Domains\Account\Users\Names\'
+        TargetObject|contains: '\SAM\SAM\Domains\Account\Users\Names\'
         TargetObject|endswith: '$'
         Image|endswith: '\lsass.exe'
     condition: selection
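Review bot: In the `CommandLine|contains|all` list of proc_creation_win_write_protect_for_storage_disabled.yml the term `'0'` is satisfied by almost any command line (a single digit occurs in most paths and values), so after the hive prefix is dropped the selection is effectively `reg add` + `\system\currentcontrolset\control` + `write protection`. If the data is always passed with the `/d` switch, `- '/d 0'` would be a more selective replacement for `- '0'`, but the author should confirm the command-line shape this rule was written against before changing it. The `selection` block continues past the end of this hunk.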
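Review bot: `TargetObject|contains: '\SAM\SAM\Domains\Account\Users\Names\'` in registry_event_add_local_hidden_user.yml replaces an anchored `startswith`, and nothing in the rule says why; Sysmon reports the hive as `HKLM\`, so the relaxation presumably accommodates other log sources that spell the hive out, and that should be recorded, e.g. `# contains rather than startswith: hive spelling differs between sources (HKLM\ vs HKEY_LOCAL_MACHINE\)` — confirm with the author. The `TargetObject|endswith: '$'` and `Image|endswith: '\lsass.exe'` constraints keep the selection tight, so the broadening itself looks safe. The `description` still reads `Sysmon registry detection`, which may be worth widening if non-Sysmon telemetry is now the motivation.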