From 5d177709492132dabdb82ece608db0ab1482f287 Mon Sep 17 00:00:00 2001
From: "Mohamed Ashraf (X__Junior)"
Date: Wed, 6 Aug 2025 10:48:53 +0300
Subject: [PATCH 1/2] Update registry_set_disable_windows_event_log_access.yml
---
 ...egistry_set_disable_windows_event_log_access.yml | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/rules/windows/registry/registry_set/registry_set_disable_windows_event_log_access.yml b/rules/windows/registry/registry_set/registry_set_disable_windows_event_log_access.yml
index a5ccc8231..dfda3ed86 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_windows_event_log_access.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_windows_event_log_access.yml
@@ -9,7 +9,7 @@ references:
 - https://learn.microsoft.com/en-us/windows/win32/secauthz/security-descriptor-definition-language
 author: X__Junior
 date: 2025-01-16
-modified: 2025-02-05
+modified: 2025-08-16
 tags:
 - attack.defense-evasion
 - attack.t1547.001
@@ -33,7 +33,16 @@ detection:
 - Details|contains|all:
 - 'D:('
 - ')(D;'
- condition: 1 of selection_key_* and selection_details
+ filter_main_trustedinstaller:
+ Image: 'C:\Windows\servicing\TrustedInstaller.exe'
+ filter_main_tiworker:
+ Image|startswith: 'C:\Windows\WinSxS\'
+ Image|endswith: '\TiWorker.exe'
+ filter_optional_empty: # This filter is related to aurora. Should be removed when fix is deployed. # TODO: Remove later
+ Image: ''
+ filter_optional_null: # This filter is related to aurora. Should be removed when fix is deployed. # TODO: Remove later
+ Image: null
+ condition: 1 of selection_key_* and selection_details and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
 - Administrative activity, still unlikely
 level: high
From c48c992f702c21ee783e401c8ed40259f7393c1a Mon Sep 17 00:00:00 2001
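Review bot: `filter_optional_null` (`Image: null`) excludes every event in which the Image field is absent, not only the Aurora events the inline comment names, so on any backend that leaves Image unset for registry value sets this high-level rule produces nothing unless the consumer knows to drop the optional filters; that consequence should be stated where the rule's users will see it. The two `filter_main_*` exclusions key on the image path alone (an exact `C:\Windows\servicing\TrustedInstaller.exe`, and a `C:\Windows\WinSxS\` prefix with a `\TiWorker.exe` suffix), presumably because no signer or original-filename field is available for this logsource; that is worth recording as a known limitation with a comment above `condition:` such as `# Servicing exclusions are path-based only; the rule cannot verify the process signer`. The explanatory text on the two `filter_optional_*` keys would read better as `#` lines above each key rather than two comments fused onto one line. Separately, `modified: 2025-08-16` in the first hunk is ten days after this commit's own date of 6 Aug 2025, presumably a typo for 2025-08-06.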
From: Mohamed Ashraf <47338567+X-Junior@users.noreply.github.com>
Date: Wed, 6 Aug 2025 11:20:57 +0300
Subject: [PATCH 2/2] Update registry_set_disable_windows_event_log_access.yml
---
 .../registry_set_disable_windows_event_log_access.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/registry/registry_set/registry_set_disable_windows_event_log_access.yml b/rules/windows/registry/registry_set/registry_set_disable_windows_event_log_access.yml
index dfda3ed86..8377f4a5d 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_windows_event_log_access.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_windows_event_log_access.yml
@@ -38,9 +38,9 @@ detection:
 filter_main_tiworker:
 Image|startswith: 'C:\Windows\WinSxS\'
 Image|endswith: '\TiWorker.exe'
- filter_optional_empty: # This filter is related to aurora. Should be removed when fix is deployed. # TODO: Remove later
+ filter_optional_empty:
 Image: ''
- filter_optional_null: # This filter is related to aurora. Should be removed when fix is deployed. # TODO: Remove later
+ filter_optional_null:
 Image: null
 condition: 1 of selection_key_* and selection_details and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
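Review bot: Deleting the two inline comments leaves `filter_optional_empty` and `filter_optional_null` with no record that they are a temporary workaround for a backend that emits an empty or missing Image, so a later maintainer cannot tell when they may be removed, and the TODO goes with them. Keep the rationale on its own line above each key, e.g. `# Temporary workaround for a backend that emits an empty/missing Image on registry events; remove once fixed upstream`, or carry it in the rule's description; either fixes the awkward double-`#` line without discarding the information. The enclosing `detection:` mapping begins before this hunk.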