From a50b35cdfaee644f84392d44a2ce9a76432ceebd Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 5 Aug 2022 12:29:36 +0100
Subject: [PATCH] Update reg
---
 ...registry_set_asep_reg_keys_modification_currentversion.yml | 4 +---
 .../registry_set_asep_reg_keys_modification_wow6432node.yml | 4 +---
 2 files changed, 2 insertions(+), 6 deletions(-)
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml
index 2704d1bb6..49a451c1d 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml
@@ -23,9 +23,7 @@ detection:
 current_version_keys:
 TargetObject|contains:
 - '\ShellServiceObjectDelayLoad'
- - '\Run\'
- - '\RunOnce\'
- - '\RunOnceEx\'
+ - '\Run' # Covers the following keys: 'Run', 'RunOnce', 'RunServices', 'RunServicesOnce', 'RunOnceEx'
 - '\Policies\System\Shell'
 - '\Policies\Explorer\Run'
 - '\Group Policy\Scripts\Startup'
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml
index 253787b2a..239b5968d 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml
@@ -23,9 +23,7 @@ detection:
 wow_current_version_keys:
 TargetObject|contains:
 - '\ShellServiceObjectDelayLoad'
- - '\Run\'
- - '\RunOnce\'
- - '\RunOnceEx\'
+ - '\Run' # Covers the following keys: 'Run', 'RunOnce', 'RunServices', 'RunServicesOnce', 'RunOnceEx'
 - '\Explorer\ShellServiceObjects'
 - '\Explorer\ShellIconOverlayIdentifiers'
 - '\Explorer\ShellExecuteHooks'
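Review bot: In the `TargetObject|contains` list, the new `'\Run'` entry has no trailing backslash, so it matches any path component that merely begins with `Run`, not only the five keys named in the comment. Assuming the base selection (outside this hunk) scopes the rule to the CurrentVersion tree, routine writes such as `\Explorer\RunMRU` would now raise alerts, and the existing `'\Policies\Explorer\Run'` entry becomes redundant. To gain the RunServices coverage without that noise, keep the three removed entries and add `- '\RunServices\'` and `- '\RunServicesOnce\'`. The same broadening applies to the second hunk, in registry_set_asep_reg_keys_modification_wow6432node.yml.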