From a70b4e5e9d2f73cf8847f8d32f5ef7565c3db9ab Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 7 Jul 2022 17:47:43 +0200
Subject: [PATCH] fix: FPs

---
 .../registry_set/registry_set_persistence_search_order.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml b/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml
index 6189ac57e..4fd312934 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml
@@ -7,7 +7,7 @@ references:
 - https://attack.mitre.org/techniques/T1546/015/
 author: Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien
 date: 2020/04/14
-modified: 2022/04/04
+modified: 2022/07/07
 logsource:
 category: registry_set
 product: windows
@@ -67,6 +67,8 @@ detection:
 Details|startswith:
 - 'C:\Program Files\'
 - 'C:\Program Files (x86)\'
+filter_programdata:
+Details|startswith: 'C:\ProgramData\Microsoft\'
 filter_gameservice:
 Details|contains: 'C:\WINDOWS\system32\GamingServicesProxy.dll'
 condition: selection and not 1 of filter*
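Review bot: The new `filter_programdata` excludes every value under `C:\ProgramData\Microsoft\`, which is a much wider carve-out than the other filters in the hunk (`Program Files`, a single named DLL) and, unlike those, points at a location where unprivileged users can by default create their own subdirectories, so a COM server or search-order DLL registered from an attacker-created folder there would now be silently dropped by `condition: selection and not 1 of filter*`. The commit message ("fix: FPs") does not say which legitimate component writes these paths, so the exclusion cannot be checked for necessity; it should be narrowed to the specific vendor subfolder that produced the false positive (e.g. `Details|startswith: 'C:\ProgramData\Microsoft\<observed component>\'`) rather than the whole Microsoft tree. At minimum the filter deserves an inline note such as `# ProgramData is user-writable by default; keep this as narrow as the observed FP allows`, and the FP source should be recorded in the rule's `falsepositives` section, which lies outside this hunk. The enclosing `detection:` block, including `selection`, starts outside the hunk, so the exact matched registry values could not be reviewed here.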