From 39c82f3966e15d508811bc4ae637b1ff3fffc9cd Mon Sep 17 00:00:00 2001
From: rabbitstack
Date: Sun, 2 Feb 2025 20:18:30 +0100
Subject: [PATCH] fix(rule): Improve `Hidden local account creation` rule
The condition is modified to consider both, RegCreateKey and RegSetValue events. The registry key path trailing backslashes are removed because in case of RegCreateKey events, the registry key is reported without ending backslashes.
---
 rules/macros/macros.yml | 2 +-
 rules/persistence_hidden_local_account_creation.yml | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/rules/macros/macros.yml b/rules/macros/macros.yml
index 95695f2c4..2721f13b5 100644
--- a/rules/macros/macros.yml
+++ b/rules/macros/macros.yml
@@ -50,7 +50,7 @@
 expr: kevt.name = 'RegCreateKey' and registry.status = 'Success'
 - macro: modify_registry
- expr: (set_value or create_key)
+ expr: ((set_value) or (create_key))
 - macro: send_socket
 expr: kevt.name = 'Send'
diff --git a/rules/persistence_hidden_local_account_creation.yml b/rules/persistence_hidden_local_account_creation.yml
index 8afb80b87..67bdd53d5 100644
--- a/rules/persistence_hidden_local_account_creation.yml
+++ b/rules/persistence_hidden_local_account_creation.yml
@@ -17,10 +17,10 @@ labels:
 subtechnique.ref: https://attack.mitre.org/techniques/T1136/001/
 condition: >
- set_value and registry.path imatches
+ modify_registry and registry.path imatches
 (
- 'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\Names\\*$\\',
- 'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\*$\\'
+ 'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\Names\\*$',
+ 'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\*$'
 )
 severity: high
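Review bot: Dropping the trailing backslash from both patterns risks silently losing the RegSetValue leg that the new `modify_registry` macro was meant to add: the old `...Users\\Names\\*$\\` form presumably matched the key-plus-empty-value-name path that RegSetValue reports (the commit message itself says only RegCreateKey omits the trailing backslash), and a `*$` glob no longer matches a path that ends in `$\`. Unless `imatches` normalizes trailing separators, keep both spellings — e.g. add `'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\Names\\*$\\'` next to the new pattern — and re-test the rule with the creation of a `$`-suffixed local account so that both event kinds are confirmed to fire. Be aware that the RegCreateKey API also succeeds when it merely opens an existing key, so the RegCreateKey leg can alert on opens of pre-existing `$` accounts rather than creations; if the event exposes the key disposition (created vs opened), filtering on it would reduce that noise. Finally, if `*` spans backslashes, `Users\\*$` already subsumes `Users\\Names\\*$`, so one of the two patterns is likely redundant and worth a comment explaining why both are kept.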