security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge PR #5631 from @ david-syk - remove trailing slash

Browse Source 
update: RestrictedAdminMode Registry Value Tampering - ProcCreation - remove trailing slash

---------

Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
This commit is contained in:
david-syk
2025-09-22 12:15:35 +02:00
committed by GitHub
parent fe015f3c24
commit d2dcc579e8
1 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml
+2 -2
View File
@@ -14,7 +14,7 @@ references:
- https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
author: frack113
date: 2023-01-13
modified: 2023-12-15
modified: 2025-08-28
tags:
- attack.defense-evasion
- attack.t1112
@@ -24,7 +24,7 @@ logsource:
detection:
selection:
CommandLine|contains|all:
- '\System\CurrentControlSet\Control\Lsa\'
- '\System\CurrentControlSet\Control\Lsa'
- 'DisableRestrictedAdmin'
condition: selection
falsepositives: