From c3f41918dba6af024e8ea4ea4a16b20ecc55196d Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Fri, 21 Oct 2022 07:00:25 +0200
Subject: [PATCH] Update registry_set_asep_reg_keys_modification_currentversion.yml

---
 ...asep_reg_keys_modification_currentversion.yml | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml
index ee95d1a44..62bd3eaac 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml
@@ -5,14 +5,17 @@ related:
 type: derived
 status: experimental
 description: Detects modification of autostart extensibility point (ASEP) in registry.
-author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
 - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
 - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 - https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/
+author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
 date: 2019/10/25
 modified: 2022/10/20
+tags:
+ - attack.persistence
+ - attack.t1547.001
 logsource:
 category: registry_set
 product: windows
@@ -137,15 +140,12 @@ detection:
 TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\Run\Everything'
 Details|endswith: '\Everything\Everything.exe" -startup' # We remove the starting part as it could be installed in different locations
 condition: all of current_version_* and not 1 of filter_*
+falsepositives:
+ - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
+ - Legitimate administrator sets up autorun keys for legitimate reason
+level: medium
 fields:
 - SecurityID
 - ObjectName
 - OldValueType
 - NewValueType
-falsepositives:
- - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
- - Legitimate administrator sets up autorun keys for legitimate reason
-level: medium
-tags:
- - attack.persistence
- - attack.t1547.001