From 817400d0c7e58434920bc2e8816ea9d26ce2fef3 Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Fri, 11 Feb 2022 17:49:38 -0300
Subject: [PATCH] Modification of AmsiEnable Registry Key - Sysmon support (#1760)

(cherry picked from commit 9c56b004290862b3d900f8aa247d5e599b0d2776)
---
 rules/windows/defense_evasion_amsienable_key_mod.toml | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/rules/windows/defense_evasion_amsienable_key_mod.toml b/rules/windows/defense_evasion_amsienable_key_mod.toml
index f5ba840ac..faf9fb880 100644
--- a/rules/windows/defense_evasion_amsienable_key_mod.toml
+++ b/rules/windows/defense_evasion_amsienable_key_mod.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/06/01"
 maturity = "production"
-updated_date = "2021/06/01"
+updated_date = "2022/02/07"

 [rule]
 author = ["Elastic"]
@@ -28,8 +28,11 @@ type = "eql"
 query = '''
 registry where event.type in ("creation", "change") and
- registry.path: "HKEY_USERS\\*\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable" and
- registry.data.strings: "0"
+ registry.path : (
+ "HKEY_USERS\\*\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable",
+ "HKU\\*\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable"
+ ) and
+ registry.data.strings: ("0", "0x00000000")
 '''