From 470ca979b475a4e7f75b3c2d38a0297c24abc585 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sun, 20 Feb 2022 11:31:08 +0100
Subject: [PATCH] Fix FP binary

---
 rules/windows/registry_event/win_re_ie_persistence.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/rules/windows/registry_event/win_re_ie_persistence.yml b/rules/windows/registry_event/win_re_ie_persistence.yml
index a0ca82133..645f47c50 100644
--- a/rules/windows/registry_event/win_re_ie_persistence.yml
+++ b/rules/windows/registry_event/win_re_ie_persistence.yml
@@ -3,7 +3,7 @@ id: d88d0ab2-e696-4d40-a2ed-9790064e66b3
 description: Use IE registry to hide a scripts
 author: frack113
 date: 2022/01/22
-modified: 2022/02/13
+modified: 2022/02/20
 status: experimental
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md#atomic-test-5---javascript-in-registry
@@ -21,6 +21,8 @@ detection:
 - 'Cookie:'
 - 'Visited:'
 - '(Empty)'
+filter_binary:
+Details: 'Binary Data'
 condition: selection_domains and not 1 of filter_*
 falsepositives:
 - Unknown
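Review bot: The `falsepositives` section still reads `- Unknown` even though this commit exists to suppress a known false positive; the benign source of the `Binary Data` writes should be recorded there so the next maintainer knows what `filter_binary` is for. The new filter is an exact match on `Details`, and Sysmon reports every REG_BINARY value write with that literal, so all binary-typed values under the selected registry paths are now excluded from the rule regardless of origin — that is a deliberate blind spot and should be stated in the rule, e.g. a comment `# Sysmon logs any REG_BINARY value as 'Binary Data'; this excludes every binary write under the selected keys` above `filter_binary:`, or a narrower filter on the specific benign value if one can be identified. The `selection_domains` block this filter is applied against is outside the hunk, so I cannot confirm how broad the affected path set is.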