Add more keys concerned with lsa ppl protection

rules/windows/process_creation/proc_creation_win_reg_lsa_ppl_protection_disabled.yml

@@ -1,12 +1,16 @@
 title: LSA PPL Protection Disabled Via Reg.EXE
 id: 8c0eca51-0f88-4db2-9183-fdfb10c703f9
 status: test
-description: Detects the usage of the "reg.exe" utility to disable PPL protection on the LSA process
+description: |
+    Detects the usage of "reg.exe" to disable Protected Process Light (PPL) protection for LSA (Local Security Authority) process.
+    LSA Protection is a security feature in Windows that prevents unauthorized access to LSA process memory using PPL technology.
+    Attackers often try to disable this protection to enable credential dumping tools like Mimikatz to access LSASS process memory.
 references:
     - https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/
-author: Florian Roth (Nextron Systems)
+    - https://github.com/shoober420/windows11-scripts/blob/38d83331738cd713ccb42f2c4557d17a27aefd98/Windows11Tweaks.bat#L1825
+author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2022-03-22
-modified: 2023-03-26
+modified: 2025-05-01
 tags:
     - attack.defense-evasion
     - attack.t1562.010
@@ -21,9 +25,19 @@ detection:
         CommandLine|contains: 'SYSTEM\CurrentControlSet\Control\Lsa'
         CommandLine|contains|all:
             - ' add '
-            - ' /d 0'
-            - ' /v RunAsPPL '
-    condition: all of selection_*
+            - 'd '
+            - 'v '
+            - '0'
+    selection_key:
+        CommandLine|contains:
+            - 'IsPplAutoEnabled'
+            - 'RunAsPPL'
+            - 'RunAsPPLBoot'
+    filter:
+        CommandLine|contains:
+            - "01"
+            - "02"
+    condition: all of selection_* and not filter
 falsepositives:
     - Unlikely
 level: high