From 4487d9cc7eb7983fecc89c4f5871edaa514769a5 Mon Sep 17 00:00:00 2001
From: omkargudhate22 <36105402+omkar72@users.noreply.github.com>
Date: Fri, 2 Oct 2020 09:22:14 +0530
Subject: [PATCH] added event type & changed technique

---
 rules/windows/registry_event/sysmon_comhijack_sdclt.yml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/rules/windows/registry_event/sysmon_comhijack_sdclt.yml b/rules/windows/registry_event/sysmon_comhijack_sdclt.yml
index 317e24ad3..bf76b00d8 100644
--- a/rules/windows/registry_event/sysmon_comhijack_sdclt.yml
+++ b/rules/windows/registry_event/sysmon_comhijack_sdclt.yml
@@ -2,6 +2,8 @@ title: COM Hijack via Sdclt
 id: 07743f65-7ec9-404a-a519-913db7118a8d
 status: experimental
 description: Detects changes to 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'
+author: Omkar Gudhate
+date: 2020/09/27
 references:
     - http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass
     - https://www.exploit-db.com/exploits/47696
@@ -9,8 +11,6 @@ tags:
     - attack.privilege_escalation
     - attack.t1546
     - attack.t1548
-author: Omkar Gudhate
-date: 2020/09/27
 logsource:
     category: registry_event
     product: windows
@@ -18,7 +18,8 @@ detection:
     selection:
         TargetObject:
             - 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'
-            - 'HKCU\Software\Classes\Folder\shell\open\command'
+        EventType:
+            - SetValue
     condition: selection
 falsepositives:
     - unknown
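Review bot: The surviving `TargetObject` entry in the detection hunk is an exact match on an `HKCU\...` path, but the Sysmon value-set events that `EventType: SetValue` now restricts the rule to record the current-user hive as `HKU\<SID>\...`, so unless the backend field mapping rewrites the hive prefix this selection is unlikely to fire; a hive-independent `TargetObject|contains: '\Software\Classes\Folder\shell\open\command\DelegateExecute'` is the robust form. The dropped `...\command` line could not have matched a value-set event either, since Sysmon reports the key's default value as `...\command\(Default)`; if the payload write performed by the referenced sdclt bypass should also be covered, add `'\Software\Classes\Folder\shell\open\command\(Default)'` to the same list rather than relying on `DelegateExecute` alone. Finally, a one-element `EventType` list reads as if more values were expected — `EventType: SetValue` says the same thing more plainly.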