From de15afbbf7bfbe43e9642d5d36b3fb2ddf17145d Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 4 Jul 2022 13:20:40 +0200
Subject: [PATCH] refactor: improved old rule
---
 ...stry_set_disabled_pua_protection_on_microsoft_defender.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/registry/registry_set/registry_set_disabled_pua_protection_on_microsoft_defender.yml b/rules/windows/registry/registry_set/registry_set_disabled_pua_protection_on_microsoft_defender.yml
index f002205d6..2124509d3 100644
--- a/rules/windows/registry/registry_set/registry_set_disabled_pua_protection_on_microsoft_defender.yml
+++ b/rules/windows/registry/registry_set/registry_set_disabled_pua_protection_on_microsoft_defender.yml
@@ -3,7 +3,7 @@ id: 8ffc5407-52e3-478f-9596-0a7371eafe13
 description: Detects disabling Windows Defender PUA protection
 status: experimental
 date: 2021/08/04
-modified: 2022/03/26
+modified: 2022/07/04
 author: Austin Songer @austinsonger
 references:
 - https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html
@@ -13,7 +13,7 @@ logsource:
 detection:
 selection:
 EventType: SetValue
- TargetObject|contains: 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\PUAProtection'
+ TargetObject|contains: '\Policies\Microsoft\Windows Defender\PUAProtection'
 Details: 'DWORD (0x00000000)'
 condition: selection
 falsepositives:
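Review bot: In the second hunk, the new `TargetObject|contains: '\Policies\Microsoft\Windows Defender\PUAProtection'` is no longer anchored at either end now that the hive prefix is gone. Since `PUAProtection` is the value name at the tail of the path, `TargetObject|endswith: '\Policies\Microsoft\Windows Defender\PUAProtection'` would keep the hive-independent match while excluding longer names that merely begin with that string. Separately, `Details: 'DWORD (0x00000000)'` covers only the disabled state; a value of 2 puts PUA protection in audit mode, which also stops blocking, so consider matching `'DWORD (0x00000002)'` here or in a sibling rule if that is in scope. A short comment above the selection saying why the hive was dropped (presumably because log sources render the HKLM root differently) would help the next maintainer. The `falsepositives:` list continues outside the hunk.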