From 23620bc8aafbdf95e2d2560ab77336749d683e77 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Fri, 13 Jan 2023 12:31:28 +0100
Subject: [PATCH] Update proc_creation_win_lsa_disablerestrictedadmin.yml
---
 .../proc_creation_win_lsa_disablerestrictedadmin.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_lsa_disablerestrictedadmin.yml b/rules/windows/process_creation/proc_creation_win_lsa_disablerestrictedadmin.yml
index f6b2d52f8..ddbda73a2 100644
--- a/rules/windows/process_creation/proc_creation_win_lsa_disablerestrictedadmin.yml
+++ b/rules/windows/process_creation/proc_creation_win_lsa_disablerestrictedadmin.yml
@@ -24,7 +24,7 @@ detection:
 CommandLine|contains|all:
 - '\system\currentcontrolset\control\lsa'
 - 'DisableRestrictedAdmin'
- - ' 0'
+ - ' 1'
 condition: selection
 falsepositives:
 - Unknown
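Review bot: The new `- ' 1'` item under `CommandLine|contains|all` is a bare substring match, so it also fires on any other argument that starts with 1 after a space (` 10`, ` 1abc`) and misses equivalent spellings of the value such as `0x1` or a quoted `"1"`. Switching the literal from ` 0` to ` 1` also means a command that sets `DisableRestrictedAdmin` to 0 no longer matches. That direction enables Restricted Admin mode, a change to RDP credential handling that defenders usually want to see as well; check this against the rule's description, which is outside the hunk. Consider dropping the value item so that any command-line write to `DisableRestrictedAdmin` under `\control\lsa` matches, and replace `- Unknown` under `falsepositives` with the administrative tooling expected to touch this value. The `selection` block begins above the hunk, so any other fields it constrains are not visible here.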