From ae2938b38f12346fbb5d801646e583f33bf7dac0 Mon Sep 17 00:00:00 2001
From: swachchhanda000 <swachchhandashrawan@gmail.com>
Date: Tue, 15 Apr 2025 11:21:13 +0545
Subject: [PATCH 1/2] Add Defender administrative settings related another
 registry path

---
 sysmonconfig-export-block.xml | 1 +
 sysmonconfig-export.xml       | 1 +
 2 files changed, 2 insertions(+)

diff --git a/sysmonconfig-export-block.xml b/sysmonconfig-export-block.xml
index 00cf2ae8..e5a873ff 100644
--- a/sysmonconfig-export-block.xml
+++ b/sysmonconfig-export-block.xml
@@ -791,6 +791,7 @@
 			<Image name="Suspicious,ImageBeginWithBackslash" condition="begin with">\</Image> <!--Devices and VSC shouldn't be executing changes | Credit: @SBousseaden @ionstorm @neu5ron @PerchedSystems [ https://twitter.com/SwiftOnSecurity/status/1133167323991486464 ] -->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\</TargetObject> <!--Microsoft:Windows:UAC: Detect malware changes to UAC prompt level-->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\</TargetObject> <!--Microsoft:Defender: Detect changes to Defender administrative settings to monitor for disablement-->
+            <TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows Defender\</TargetObject>
 			<!--Windows trust architecture monitoring | Credit: @mattifestation-->
 			<!--ADDITIONAL REFERENCE: https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf-->
 			<TargetObject condition="contains">Microsoft\Cryptography\OID\</TargetObject> <!-- Important trust registry values to monitor -->
diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 056b4171..5d76fcc6 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -834,6 +834,7 @@
 			<Image name="Suspicious,ImageBeginWithBackslash" condition="begin with">\</Image> <!--Devices and VSC shouldn't be executing changes | Credit: @SBousseaden @ionstorm @neu5ron @PerchedSystems [ https://twitter.com/SwiftOnSecurity/status/1133167323991486464 ] -->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\</TargetObject> <!--Microsoft:Windows:UAC: Detect malware changes to UAC prompt level-->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\</TargetObject> <!--Microsoft:Defender: Detect changes to Defender administrative settings to monitor for disablement-->
+            <TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows Defender\</TargetObject>
 			<!--Windows trust architecture monitoring | Credit: @mattifestation-->
 			<!--ADDITIONAL REFERENCE: https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf-->
 			<TargetObject condition="contains">Microsoft\Cryptography\OID\</TargetObject> <!-- Important trust registry values to monitor -->

From 8ded30c29d87e602db52c540a6dc920befdf4347 Mon Sep 17 00:00:00 2001
From: swachchhanda000 <swachchhandashrawan@gmail.com>
Date: Tue, 15 Apr 2025 11:22:55 +0545
Subject: [PATCH 2/2] fix: linting

---
 sysmonconfig-export-block.xml | 2 +-
 sysmonconfig-export.xml       | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/sysmonconfig-export-block.xml b/sysmonconfig-export-block.xml
index e5a873ff..f36f5080 100644
--- a/sysmonconfig-export-block.xml
+++ b/sysmonconfig-export-block.xml
@@ -791,7 +791,7 @@
 			<Image name="Suspicious,ImageBeginWithBackslash" condition="begin with">\</Image> <!--Devices and VSC shouldn't be executing changes | Credit: @SBousseaden @ionstorm @neu5ron @PerchedSystems [ https://twitter.com/SwiftOnSecurity/status/1133167323991486464 ] -->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\</TargetObject> <!--Microsoft:Windows:UAC: Detect malware changes to UAC prompt level-->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\</TargetObject> <!--Microsoft:Defender: Detect changes to Defender administrative settings to monitor for disablement-->
-            <TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows Defender\</TargetObject>
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows Defender\</TargetObject>
 			<!--Windows trust architecture monitoring | Credit: @mattifestation-->
 			<!--ADDITIONAL REFERENCE: https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf-->
 			<TargetObject condition="contains">Microsoft\Cryptography\OID\</TargetObject> <!-- Important trust registry values to monitor -->
diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 5d76fcc6..e804b8ab 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -834,7 +834,7 @@
 			<Image name="Suspicious,ImageBeginWithBackslash" condition="begin with">\</Image> <!--Devices and VSC shouldn't be executing changes | Credit: @SBousseaden @ionstorm @neu5ron @PerchedSystems [ https://twitter.com/SwiftOnSecurity/status/1133167323991486464 ] -->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\</TargetObject> <!--Microsoft:Windows:UAC: Detect malware changes to UAC prompt level-->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\</TargetObject> <!--Microsoft:Defender: Detect changes to Defender administrative settings to monitor for disablement-->
-            <TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows Defender\</TargetObject>
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows Defender\</TargetObject>
 			<!--Windows trust architecture monitoring | Credit: @mattifestation-->
 			<!--ADDITIONAL REFERENCE: https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf-->
 			<TargetObject condition="contains">Microsoft\Cryptography\OID\</TargetObject> <!-- Important trust registry values to monitor -->