From 4b3163335547aa67a1e5869723696ab1c5a99b32 Mon Sep 17 00:00:00 2001
From: Brad Kish
Date: Fri, 3 Jul 2020 16:20:37 -0400
Subject: [PATCH] Fixes for rules in new sysmon registry_event category

To be consistent with the behaviour of the other rules, the eventID should not be specified as part of the rule. The category defines the eventID.
---
 ...sable_security_events_logging_adding_reg_key_minint.yml | 3 +--
 .../sysmon_new_dll_added_to_appcertdlls_registry_key.yml | 7 ++-----
 2 files changed, 3 insertions(+), 7 deletions(-)

diff --git a/rules/windows/registry_event/sysmon_disable_security_events_logging_adding_reg_key_minint.yml b/rules/windows/registry_event/sysmon_disable_security_events_logging_adding_reg_key_minint.yml
index 4c260e288..83c015d26 100755
--- a/rules/windows/registry_event/sysmon_disable_security_events_logging_adding_reg_key_minint.yml
+++ b/rules/windows/registry_event/sysmon_disable_security_events_logging_adding_reg_key_minint.yml
@@ -15,8 +15,7 @@ logsource:
 product: windows
 detection:
 selection:
- - EventID: 12 # key create
- # Sysmon gives us HKLM\SYSTEM\CurrentControlSet\.. if ControlSetXX is the selected one
+ - # Sysmon gives us HKLM\SYSTEM\CurrentControlSet\.. if ControlSetXX is the selected one
 TargetObject: 'HKLM\SYSTEM\CurrentControlSet\Control\MiniNt'
 EventType: 'CreateKey' # we don't want deletekey
 - # key rename
diff --git a/rules/windows/registry_event/sysmon_new_dll_added_to_appcertdlls_registry_key.yml b/rules/windows/registry_event/sysmon_new_dll_added_to_appcertdlls_registry_key.yml
index 8d795a34e..00ff3e060 100755
--- a/rules/windows/registry_event/sysmon_new_dll_added_to_appcertdlls_registry_key.yml
+++ b/rules/windows/registry_event/sysmon_new_dll_added_to_appcertdlls_registry_key.yml
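Review bot: The new first selection item is a bare `-` that carries only the comment, so the item's mapping actually begins on the following `TargetObject:` line; that is valid YAML, but it only works if `TargetObject` and `EventType` are indented to exactly the item's content column, which this collapsed view cannot confirm, and a one-column slip there would change how the selection parses without any error from the Sigma tooling. Putting the comment on its own line above the item, `# Sysmon gives us HKLM\SYSTEM\CurrentControlSet\.. if ControlSetXX is the selected one` followed by `- TargetObject: 'HKLM\SYSTEM\CurrentControlSet\Control\MiniNt'`, keeps the same detection and removes that alignment dependency. The same comment-only item is introduced in the appcertdlls hunk. The selection list continues past the end of this hunk (the `NewName` line belonging to `- # key rename` is not shown).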
@@ -17,12 +17,9 @@ logsource:
 product: windows
 detection:
 selection:
- - EventID:
- - 12 # key create
- - 13 # value set
- # Sysmon gives us HKLM\SYSTEM\CurrentControlSet\.. if ControlSetXX is the selected one
+ - # Sysmon gives us HKLM\SYSTEM\CurrentControlSet\.. if ControlSetXX is the selected one
 TargetObject: 'HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'
- - # key rename
+ - # key rename
 NewName: 'HKLM\SYSTEM\CurentControlSet\Control\Session Manager\AppCertDlls'
 condition: selection
 fields:
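Review bot: The rename item's `NewName: 'HKLM\SYSTEM\CurentControlSet\Control\Session Manager\AppCertDlls'` spells the path `CurentControlSet` (missing an `r`), while the comment on the added line above it states that Sysmon reports `HKLM\SYSTEM\CurrentControlSet\..`, so as far as the visible lines show this item can never match a real rename and the rule's rename coverage is dead. It is a context line the commit does not touch, but the fix is one line: `NewName: 'HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'`. Separately, the first item loses its `EventID` restriction to 12/13 without gaining an `EventType` filter, unlike the minint rule in the previous hunk which keeps `EventType: 'CreateKey'`; if matching every registry event type the category covers on that key is intended, a comment such as `# no EventType filter: create, set and delete on this key are all of interest` would make that explicit.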