Update defense_evasion_microsoft_defender_tampering.toml

Samirbous · web-flow · commit 5938780099ff · 2025-03-27T11:19:48.000Z
diff --git a/rules/windows/defense_evasion_microsoft_defender_tampering.toml b/rules/windows/defense_evasion_microsoft_defender_tampering.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/10/18"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/03/27"
 
 [rule]
 author = ["Austin Songer"]
@@ -99,7 +99,7 @@ registry where host.os.type == "windows" and event.type == "change" and process.
       ) and registry.data.strings : ("0", "0x00000000")
     ) or
     (
-      registry.path : (
+      registry.value : (
         "DisableAntiSpyware", "DisableRealtimeMonitoring", "DisableIntrusionPreventionSystem", "DisableScriptScanning",
         "DisableIOAVProtection", "DisableEnhancedNotifications", "DisableBlockAtFirstSeen", "DisableBehaviorMonitoring"
       ) and registry.data.strings : ("1", "0x00000001")
