From 654bd7bdbae546e5f95a6cb3d69bff8db7dfe4eb Mon Sep 17 00:00:00 2001
From: Nikita Nazarov <61659062+NikitaStormwind@users.noreply.github.com>
Date: Mon, 19 Oct 2020 11:05:45 +0300
Subject: [PATCH] Update win_software_discovery.yml

Add edits
---
 rules/windows/builtin/win_software_discovery.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/rules/windows/builtin/win_software_discovery.yml b/rules/windows/builtin/win_software_discovery.yml
index c6274d324..d1c815ee1 100644
--- a/rules/windows/builtin/win_software_discovery.yml
+++ b/rules/windows/builtin/win_software_discovery.yml
@@ -7,7 +7,6 @@ author: Nikita Nazarov, oscd.community
 date: 2020/10/16
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md
-    - https://attack.mitre.org/techniques/T1518/
 tags:
     - attack.discovery
     - attack.t1518
@@ -25,7 +24,7 @@ detection:
         EventID: 4104
         ScriptBlockText|contains|all: # Example: Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize
             - 'get-itemProperty'
-            - '*\software\*'
+            - '\software\'
             - 'select-object'
             - 'format-table'
 ---
@@ -37,6 +36,6 @@ detection:
         Image|endswith: '\reg.exe' # Example: reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer" /v svcVersion
         CommandLine|contains|all:
             - 'query'
-            - '*\software\*'
+            - '\software\'
             - '/v'
             - 'svcversion'
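Review bot: The new value `'\software\'` ends in a backslash and the `contains` modifier appends a wildcard after it, so a converter that reads the resulting `\*` as an escaped literal asterisk would look for `\software*` verbatim instead of `\software\` followed by anything; the same applies to the identical replacement in the reg.exe hunk below. Whether a given backend does this I cannot tell from the rule alone, so it is worth converting it for the targets you support and checking the emitted query; if the trailing backslash is swallowed, the unambiguous spelling under the Sigma escape rules is `- '\\software\\'`, which is read as two plain backslashes regardless of what the modifier appends. The original `'*\software\*'` had the same ambiguity, so the hunk does not make it worse, but dropping the explicit wildcards is the natural moment to settle it. The `selection` map these lists belong to begins outside the hunk.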