From fa522f68c9a814ad448f70b855e193e4800f34f3 Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Fri, 12 Aug 2022 15:29:49 +0000
Subject: [PATCH] False positive fix, needs to match ALL of selectioN_delete, not 1 of them
---
 .../proc_creation_win_reg_delete_safeboot.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_reg_delete_safeboot.yml b/rules/windows/process_creation/proc_creation_win_reg_delete_safeboot.yml
index b9fa47a79..9ef55c3e1 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_delete_safeboot.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_delete_safeboot.yml
@@ -4,8 +4,9 @@ status: experimental
 description: Detects execution of "reg.exe" commands with the "delete" flag on safe boot registry keys. Often used by attacker to prevent safeboot execution of security products
 references:
     - https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali, Tim Shelton
 date: 2022/08/08
+modified: 2022/08/12
 logsource:
     category: process_creation
     product: windows
@@ -14,7 +15,7 @@ detection:
         - Image|endswith: 'reg.exe'
         - OriginalFileName: 'reg.exe'
     selection_delete:
-        CommandLine|contains:
+        CommandLine|contains|all:
             - ' delete '
             - '\SYSTEM\CurrentControlSet\Control\SafeBoot'
     condition: all of selection*
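Review bot: The context line `- Image|endswith: 'reg.exe'` two lines above the changed `CommandLine|contains|all` still accepts any executable whose name merely ends in `reg.exe`, so this false-positive fix leaves a second source of loose matching in place; anchoring on the path separator, `- Image|endswith: '\reg.exe'`, would restrict it to the binary actually named reg.exe, matching the form used across the rest of the rule set. The `contains|all` change itself is correct: both the `' delete '` token and the SafeBoot key path must now appear in the same command line, which is what the `condition: all of selection*` line was presumably intended to express. The spaces padding `' delete '` look deliberate, to avoid matching other fragments containing the word; a brief comment such as `# both values must occur in one command line (AND, not OR)` beside the modifier would make the semantics visible to readers who only glance at the list. The `detection:` block and the header of the first selection begin before this hunk.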