From ef34c94e6a3b6ec0505e57f388bcdac9dc2003ee Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Sat, 28 Nov 2020 13:49:18 -0300 Subject: [PATCH] Update sysmon_registry_persistence_search_order.yml --- .../sysmon_registry_persistence_search_order.yml | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml b/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml index ae431d0e2..cfdc15df8 100755 --- a/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml +++ b/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml @@ -18,12 +18,18 @@ detection: selection: # Detect new COM servers in the user hive TargetObject: 'HKU\\*_Classes\CLSID\\*\InProcServer32\(Default)' filter: - Details|contains: # Exclude privileged directories and observed FPs + - Details|contains: # Exclude privileged directories and observed FPs - '%%systemroot%%\system32\' - '%%systemroot%%\SysWow64\' - - '\AppData\Local\Microsoft\OneDrive\\*\FileCoAuthLib64.dll' - - '\AppData\Local\Microsoft\OneDrive\\*\FileSyncShell64.dll' - - '\AppData\Local\Microsoft\TeamsMeetingAddin\\*\Microsoft.Teams.AddinLoader.dll' + - Details|contains|all: + - '\AppData\Local\Microsoft\OneDrive\' + - '\FileCoAuthLib64.dll' + - Details|contains|all: + - '\AppData\Local\Microsoft\OneDrive\' + - '\FileSyncShell64.dll' + - Details|contains|all: + - '\AppData\Local\Microsoft\TeamsMeetingAddin\' + - '\Microsoft.Teams.AddinLoader.dll' condition: selection and not filter falsepositives: - Some installed utilities (i.e. OneDrive) may serve new COM objects at user-level
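Review bot: In the filter block, replacing the ordered wildcard patterns with `Details|contains|all` widens each exclusion, because `contains|all` only requires both fragments to appear somewhere in the value, in any order, rather than the DLL name following the OneDrive or Teams directory as the original `\\*\` pattern demanded. A path that contains `\AppData\Local\Microsoft\OneDrive\` early and `\FileSyncShell64.dll` much later (for example after a traversal or a sibling directory) is now filtered out, which is the class of lookalike path this search-order rule is meant to surface. Since the point of the rewrite is to drop embedded wildcards that `contains` does not portably support across backends, consider anchoring the file name instead of floating it, e.g. `- Details|contains: '\AppData\Local\Microsoft\OneDrive\'` paired with `- Details|endswith: '\FileSyncShell64.dll'` inside each `all` group, so the DLL must be the final path component. Also worth a line in the commit message or an inline comment: the change from `Details|contains:` to `- Details|contains:` turns `filter` from a single map into a list of maps, which Sigma evaluates as an OR of the entries; that is the correct semantics for three independent exclusions, but it is easy to misread as an indentation-only fix.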