From 6efbdfa9e7b41844dbdad0e4413de2e9878bdfd2 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Mon, 4 Jul 2022 17:17:32 +0200
Subject: [PATCH] Channel disable during installation
---
 .../registry_set_disable_winevt_logging.yml | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml b/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml
index f0e6405c4..6566047cf 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml
@@ -15,10 +15,17 @@ detection:
 TargetObject|startswith: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\
 TargetObject|endswith: \Enabled
 Details: DWORD (0x00000000)
- condition: selection
+ filter:
+ TargetObject|contains:
+ - \WordChannel\
+ - \General Logging\
+ - \OfficeChannel\
+ - \OfficeDebugChannel\
+ - \AirSpaceChannel\
+ condition: selection and not filter
 falsepositives:
 - Unknown
-level: high
+level: medium
 tags:
 - attack.persistence
 - attack.t1547.010
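Review bot: The new `filter` exempts channels with `TargetObject|contains` substrings such as `\OfficeChannel\` and `\General Logging\`, which match anywhere in the key path rather than one specific channel, and the rule's `falsepositives` still reads `- Unknown` even though the commit title says these writes happen during installation (presumably Office, given the channel names). Consider pinning each entry to the full channel path, e.g. `TargetObject|endswith: \WINEVT\Channels\OfficeChannel\Enabled`, so only that channel is excluded, and recording the known benign source as `falsepositives: - Installer disabling its own Office/Word event channels` so the exemption is traceable later. If the installing process is known, also keying the filter on `Image` would be more robust than the channel name alone, since any writer can disable a channel whose name contains these substrings without triggering the rule. The `detection:` block's `selection` key begins above this hunk.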