From 313276d2942e7f3e14c0bc5e979547f03ad323ca Mon Sep 17 00:00:00 2001
From: Patrick Bareiss <pbareiss@splunk.com>
Date: Fri, 8 Nov 2024 11:59:22 +0100
Subject: [PATCH] Update data source for registry detections

---
 data_sources/sysmon_eventid_12.yml                        | 8 ++++++++
 detections/endpoint/active_setup_registry_autostart.yml   | 1 -
 .../allow_inbound_traffic_by_firewall_rule_registry.yml   | 1 -
 .../endpoint/allow_operation_with_consent_admin.yml       | 1 -
 detections/endpoint/auto_admin_logon_registry_entry.yml   | 1 -
 detections/endpoint/change_default_file_association.yml   | 1 -
 detections/endpoint/disable_amsi_through_registry.yml     | 1 -
 .../endpoint/disable_defender_antivirus_registry.yml      | 1 -
 .../disable_defender_blockatfirstseen_feature.yml         | 1 -
 .../endpoint/disable_defender_mpengine_registry.yml       | 1 -
 detections/endpoint/disable_defender_spynet_reporting.yml | 1 -
 .../disable_defender_submit_samples_consent_feature.yml   | 1 -
 detections/endpoint/disable_etw_through_registry.yml      | 1 -
 detections/endpoint/disable_registry_tool.yml             | 1 -
 .../disable_security_logs_using_minint_registry.yml       | 1 -
 detections/endpoint/disable_show_hidden_files.yml         | 1 -
 detections/endpoint/disable_uac_remote_restriction.yml    | 1 -
 detections/endpoint/disable_windows_app_hotkeys.yml       | 1 -
 .../endpoint/disable_windows_behavior_monitoring.yml      | 1 -
 .../endpoint/disable_windows_smartscreen_protection.yml   | 1 -
 detections/endpoint/disabling_cmd_application.yml         | 1 -
 detections/endpoint/disabling_controlpanel.yml            | 1 -
 detections/endpoint/disabling_defender_services.yml       | 1 -
 .../endpoint/disabling_folderoptions_windows_feature.yml  | 1 -
 detections/endpoint/disabling_norun_windows_app.yml       | 1 -
 .../endpoint/disabling_remote_user_account_control.yml    | 1 -
 .../endpoint/disabling_systemrestore_in_registry.yml      | 1 -
 detections/endpoint/disabling_task_manager.yml            | 1 -
 detections/endpoint/enable_rdp_in_other_port_number.yml   | 1 -
 .../enable_wdigest_uselogoncredential_registry.yml        | 1 -
 detections/endpoint/etw_registry_disabled.yml             | 1 -
 .../endpoint/hide_user_account_from_sign_in_screen.yml    | 1 -
 .../endpoint/monitor_registry_keys_for_print_monitors.yml | 1 -
 detections/endpoint/net_profiler_uac_bypass.yml           | 1 -
 .../endpoint/print_processor_registry_autostart.yml       | 1 -
 .../registry_keys_for_creating_shim_databases.yml         | 1 -
 .../endpoint/registry_keys_used_for_persistence.yml       | 1 -
 .../registry_keys_used_for_privilege_escalation.yml       | 1 -
 .../endpoint/screensaver_event_trigger_execution.yml      | 1 -
 .../endpoint/time_provider_persistence_registry.yml       | 1 -
 ...start_execution_lsass_driver_registry_modification.yml | 1 -
 .../windows_defender_exclusion_registry_entry.yml         | 1 -
 .../windows_disable_change_password_through_registry.yml  | 1 -
 ..._disable_lock_workstation_feature_through_registry.yml | 1 -
 .../windows_disable_logoff_button_through_registry.yml    | 1 -
 detections/endpoint/windows_disable_memory_crash_dump.yml | 1 -
 .../endpoint/windows_disable_notification_center.yml      | 1 -
 .../windows_disable_shutdown_button_through_registry.yml  | 1 -
 ...ble_windows_group_policy_features_through_registry.yml | 1 -
 .../endpoint/windows_disableantispyware_registry.yml      | 1 -
 .../windows_enable_win32_scheduledjob_via_registry.yml    | 1 -
 ...indows_hide_notification_features_through_registry.yml | 1 -
 ...defense_change_win_defender_health_check_intervals.yml | 1 -
 ...ir_defense_change_win_defender_quick_scan_interval.yml | 1 -
 ...s_impair_defense_change_win_defender_throttle_rate.yml | 1 -
 ...s_impair_defense_change_win_defender_tracing_level.yml | 1 -
 ...ndows_impair_defense_configure_app_install_control.yml | 1 -
 ...s_impair_defense_define_win_defender_threat_action.yml | 1 -
 ...ws_impair_defense_delete_win_defender_context_menu.yml | 1 -
 ...mpair_defense_delete_win_defender_profile_registry.yml | 1 -
 ...pair_defense_deny_security_software_with_applocker.yml | 1 -
 ...ws_impair_defense_disable_controlled_folder_access.yml | 1 -
 ...pair_defense_disable_defender_firewall_and_network.yml | 1 -
 ...pair_defense_disable_defender_protocol_recognition.yml | 1 -
 .../windows_impair_defense_disable_pua_protection.yml     | 1 -
 ...impair_defense_disable_realtime_signature_delivery.yml | 1 -
 .../windows_impair_defense_disable_web_evaluation.yml     | 1 -
 ...dows_impair_defense_disable_win_defender_app_guard.yml | 1 -
 ...r_defense_disable_win_defender_compute_file_hashes.yml | 1 -
 ...ws_impair_defense_disable_win_defender_gen_reports.yml | 1 -
 ...ir_defense_disable_win_defender_network_protection.yml | 1 -
 ...pair_defense_disable_win_defender_report_infection.yml | 1 -
 ...impair_defense_disable_win_defender_scan_on_update.yml | 1 -
 ..._defense_disable_win_defender_signature_retirement.yml | 1 -
 ...mpair_defense_overide_win_defender_phishing_filter.yml | 1 -
 ...windows_impair_defense_override_smartscreen_prompt.yml | 1 -
 ...efense_set_win_defender_smart_screen_level_to_warn.yml | 1 -
 .../endpoint/windows_impair_defenses_disable_hvci.yml     | 1 -
 ..._impair_defenses_disable_win_defender_auto_logging.yml | 1 -
 .../endpoint/windows_lsa_secrets_nolmhash_registry.yml    | 1 -
 ...indows_modify_registry_authenticationleveloverride.yml | 1 -
 .../windows_modify_registry_auto_minor_updates.yml        | 1 -
 .../windows_modify_registry_auto_update_notif.yml         | 1 -
 .../windows_modify_registry_default_icon_setting.yml      | 1 -
 .../windows_modify_registry_disable_restricted_admin.yml  | 1 -
 ...indows_modify_registry_disable_toast_notifications.yml | 1 -
 ...dify_registry_disable_win_defender_raw_write_notif.yml | 1 -
 ..._modify_registry_disable_windefender_notifications.yml | 1 -
 ...ify_registry_disable_windows_security_center_notif.yml | 1 -
 ...dows_modify_registry_disableremotedesktopantialias.yml | 1 -
 .../windows_modify_registry_disablesecuritysettings.yml   | 1 -
 .../windows_modify_registry_disabling_wer_settings.yml    | 1 -
 .../windows_modify_registry_disallow_windows_app.yml      | 1 -
 ...ndows_modify_registry_do_not_connect_to_win_update.yml | 1 -
 .../endpoint/windows_modify_registry_dontshowui.yml       | 1 -
 .../windows_modify_registry_enablelinkedconnections.yml   | 1 -
 .../endpoint/windows_modify_registry_longpathsenabled.yml | 1 -
 .../windows_modify_registry_maxconnectionperserver.yml    | 1 -
 ...ows_modify_registry_no_auto_reboot_with_logon_user.yml | 1 -
 .../endpoint/windows_modify_registry_no_auto_update.yml   | 1 -
 .../windows_modify_registry_nochangingwallpaper.yml       | 1 -
 .../endpoint/windows_modify_registry_proxyenable.yml      | 1 -
 .../endpoint/windows_modify_registry_proxyserver.yml      | 1 -
 ...indows_modify_registry_suppress_win_defender_notif.yml | 1 -
 .../windows_modify_registry_tamper_protection.yml         | 1 -
 ...ows_modify_registry_to_add_or_modify_firewall_rule.yml | 1 -
 .../windows_modify_registry_updateserviceurlalternate.yml | 1 -
 .../endpoint/windows_modify_registry_usewuserver.yml      | 1 -
 .../windows_modify_registry_valleyrat_c2_config.yml       | 1 -
 .../windows_modify_registry_with_md5_reg_key_name.yml     | 1 -
 detections/endpoint/windows_modify_registry_wuserver.yml  | 1 -
 .../endpoint/windows_modify_registry_wustatusserver.yml   | 1 -
 ...s_modify_show_compress_color_and_info_tip_registry.yml | 1 -
 .../endpoint/windows_mshta_execution_in_registry.yml      | 1 -
 .../windows_njrat_fileless_storage_via_registry.yml       | 1 -
 .../windows_phishing_recent_iso_exec_registry.yml         | 1 -
 detections/endpoint/windows_proxy_via_registry.yml        | 1 -
 .../windows_registry_bootexecute_modification.yml         | 1 -
 .../endpoint/windows_registry_certificate_added.yml       | 1 -
 detections/endpoint/windows_registry_delete_task_sd.yml   | 1 -
 ...ws_registry_modification_for_safe_mode_persistence.yml | 1 -
 .../windows_registry_sip_provider_modification.yml        | 1 -
 .../windows_remote_access_software_rms_registry.yml       | 1 -
 .../windows_remote_services_allow_remote_assistance.yml   | 1 -
 .../endpoint/windows_remote_services_rdp_enable.yml       | 1 -
 .../windows_service_creation_using_registry_entry.yml     | 1 -
 .../endpoint/windows_service_deletion_in_registry.yml     | 1 -
 ..._malware_registry_modification_wav_openwithprogids.yml | 1 -
 128 files changed, 8 insertions(+), 127 deletions(-)

diff --git a/data_sources/sysmon_eventid_12.yml b/data_sources/sysmon_eventid_12.yml
index 232ca47a23..f1ba265850 100644
--- a/data_sources/sysmon_eventid_12.yml
+++ b/data_sources/sysmon_eventid_12.yml
@@ -87,6 +87,14 @@ fields:
 - timestartpos
 - user_id
 - vendor_product
+field_mappings:
+- data_model: cim
+  data_set: Endpoint.Registry
+  mapping:
+    Computer: Registry.dest
+    ProcessGuid: Registry.process_guid
+    ProcessId: Registry.process_id
+    TargetObject: Registry.registry_path
 example_log: <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider
   Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>12</EventID><Version>2</Version><Level>4</Level><Task>12</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated
   SystemTime='2021-07-12T08:10:32.607068200Z'/><EventRecordID>1055579</EventRecordID><Correlation/><Execution
diff --git a/detections/endpoint/active_setup_registry_autostart.yml b/detections/endpoint/active_setup_registry_autostart.yml
index 2fa39a396c..94eda7e2fa 100644
--- a/detections/endpoint/active_setup_registry_autostart.yml
+++ b/detections/endpoint/active_setup_registry_autostart.yml
@@ -7,7 +7,6 @@ status: production
 type: TTP
 description: The following analytic detects suspicious modifications to the Active Setup registry for persistence and privilege escalation. It leverages data from the Endpoint.Registry data model, focusing on changes to the "StubPath" value within the "SOFTWARE\\Microsoft\\Active Setup\\Installed Components" path. This activity is significant as it is commonly used by malware, adware, and APTs to maintain persistence on compromised machines. If confirmed malicious, this could allow attackers to execute code upon system startup, potentially leading to further system compromise and unauthorized access.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_value_name= "StubPath" Registry.registry_path = "*\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components*") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest Registry.user | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `active_setup_registry_autostart_filter`'
 how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
diff --git a/detections/endpoint/allow_inbound_traffic_by_firewall_rule_registry.yml b/detections/endpoint/allow_inbound_traffic_by_firewall_rule_registry.yml
index 711f6b3519..86ab2c8a97 100644
--- a/detections/endpoint/allow_inbound_traffic_by_firewall_rule_registry.yml
+++ b/detections/endpoint/allow_inbound_traffic_by_firewall_rule_registry.yml
@@ -7,7 +7,6 @@ status: production
 type: TTP
 description: The following analytic detects suspicious modifications to firewall rule registry settings that allow inbound traffic on specific ports with a public profile. It leverages data from the Endpoint.Registry data model, focusing on registry paths and values indicative of such changes. This activity is significant as it may indicate an adversary attempting to grant remote access to a machine by modifying firewall rules. If confirmed malicious, this could enable unauthorized remote access, potentially leading to further exploitation, data exfiltration, or lateral movement within the network.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\*" Registry.registry_value_data = "*|Action=Allow|*" Registry.registry_value_data = "*|Dir=In|*"  Registry.registry_value_data = "*|LPort=*") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid  Registry.dest Registry.user | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `allow_inbound_traffic_by_firewall_rule_registry_filter`'
 how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
diff --git a/detections/endpoint/allow_operation_with_consent_admin.yml b/detections/endpoint/allow_operation_with_consent_admin.yml
index c01adf1400..193970393a 100644
--- a/detections/endpoint/allow_operation_with_consent_admin.yml
+++ b/detections/endpoint/allow_operation_with_consent_admin.yml
@@ -7,7 +7,6 @@ status: production
 type: TTP
 description: The following analytic detects a registry modification that allows the 'Consent Admin' to perform operations requiring elevation without user consent or credentials. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the 'ConsentPromptBehaviorAdmin' value within the Windows Policies System registry path. This activity is significant as it indicates a potential privilege escalation attempt, which could allow an attacker to execute high-privilege tasks without user approval. If confirmed malicious, this could lead to unauthorized administrative access and control over the compromised machine, posing a severe security risk.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\Microsoft\\Windows\\CurrentVersion\\Policies\\System*" Registry.registry_value_name = ConsentPromptBehaviorAdmin Registry.registry_value_data = "0x00000000") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest Registry.user | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `allow_operation_with_consent_admin_filter`'
 how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
diff --git a/detections/endpoint/auto_admin_logon_registry_entry.yml b/detections/endpoint/auto_admin_logon_registry_entry.yml
index 1e5758ac7e..f9cf8a3e48 100644
--- a/detections/endpoint/auto_admin_logon_registry_entry.yml
+++ b/detections/endpoint/auto_admin_logon_registry_entry.yml
@@ -7,7 +7,6 @@ status: production
 type: TTP
 description: The following analytic detects a suspicious registry modification that enables auto admin logon on a host. It leverages data from the Endpoint.Registry data model, specifically looking for changes to the "AutoAdminLogon" value within the "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon" registry path. This activity is significant because it was observed in BlackMatter ransomware attacks to maintain access after a safe mode reboot, facilitating further encryption. If confirmed malicious, this could allow attackers to automatically log in and continue their operations, potentially leading to widespread network encryption and data loss.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon*" AND Registry.registry_value_name=AutoAdminLogon AND Registry.registry_value_data=1) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `auto_admin_logon_registry_entry_filter`'
 how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
diff --git a/detections/endpoint/change_default_file_association.yml b/detections/endpoint/change_default_file_association.yml
index 3335247e61..950da24500 100644
--- a/detections/endpoint/change_default_file_association.yml
+++ b/detections/endpoint/change_default_file_association.yml
@@ -7,7 +7,6 @@ status: production
 type: TTP
 description: The following analytic detects suspicious registry modifications that change the default file association to execute a malicious payload. It leverages data from the Endpoint data model, specifically monitoring registry paths under "*\\shell\\open\\command\\*" and "*HKCR\\*". This activity is significant because altering default file associations can allow attackers to execute arbitrary scripts or payloads when a user opens a file, leading to potential code execution. If confirmed malicious, this technique can enable attackers to persist on the compromised host and execute further malicious commands, posing a severe threat to the environment.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count  min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path ="*\\shell\\open\\command\\*" Registry.registry_path = "*HKCR\\*" by Registry.dest  Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `change_default_file_association_filter`'
 how_to_implement: To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.
diff --git a/detections/endpoint/disable_amsi_through_registry.yml b/detections/endpoint/disable_amsi_through_registry.yml
index d25c1b21a6..230c4a4d96 100644
--- a/detections/endpoint/disable_amsi_through_registry.yml
+++ b/detections/endpoint/disable_amsi_through_registry.yml
@@ -7,7 +7,6 @@ status: production
 type: TTP
 description: The following analytic detects modifications to the Windows registry that disable the Antimalware Scan Interface (AMSI) by setting the "AmsiEnable" value to "0x00000000". This detection leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path "*\\SOFTWARE\\Microsoft\\Windows Script\\Settings\\AmsiEnable". Disabling AMSI is significant as it is a common technique used by ransomware, Remote Access Trojans (RATs), and Advanced Persistent Threats (APTs) to evade detection and impair defenses. If confirmed malicious, this activity could allow attackers to execute payloads with minimal alerts, leading to potential system compromise and data exfiltration.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows Script\\Settings\\AmsiEnable" Registry.registry_value_data = "0x00000000") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest Registry.user | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_amsi_through_registry_filter`'
 how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
diff --git a/detections/endpoint/disable_defender_antivirus_registry.yml b/detections/endpoint/disable_defender_antivirus_registry.yml
index 0341c5ae1f..191fc71d60 100644
--- a/detections/endpoint/disable_defender_antivirus_registry.yml
+++ b/detections/endpoint/disable_defender_antivirus_registry.yml
@@ -7,7 +7,6 @@ status: production
 type: TTP
 description: The following analytic detects the modification of Windows Defender registry settings to disable antivirus and antispyware protections. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to registry paths associated with Windows Defender policies. This activity is significant because disabling antivirus protections is a common tactic used by adversaries to evade detection and maintain persistence on compromised systems. If confirmed malicious, this action could allow attackers to execute further malicious activities undetected, leading to potential data breaches, system compromise, and further propagation of malware within the network.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\Policies\\Microsoft\\Windows Defender*" Registry.registry_value_name IN ("DisableAntiSpyware","DisableAntiVirus") Registry.registry_value_data = 0x00000001) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.user Registry.dest | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_antivirus_registry_filter`'
 how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
diff --git a/detections/endpoint/disable_defender_blockatfirstseen_feature.yml b/detections/endpoint/disable_defender_blockatfirstseen_feature.yml
index 1d3086be8c..dcd5f7815a 100644
--- a/detections/endpoint/disable_defender_blockatfirstseen_feature.yml
+++ b/detections/endpoint/disable_defender_blockatfirstseen_feature.yml
@@ -6,7 +6,6 @@ author: Steven Dick, Teoderick Contreras, Splunk
 status: production
 type: TTP
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 description: The following analytic detects the modification of the Windows registry to disable the Windows Defender BlockAtFirstSeen feature. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path associated with Windows Defender SpyNet and the DisableBlockAtFirstSeen value. This activity is significant because disabling this feature can allow malicious files to bypass initial detection by Windows Defender, increasing the risk of malware infection. If confirmed malicious, this action could enable attackers to execute malicious code undetected, leading to potential system compromise and data breaches.
 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\Microsoft\\Windows Defender\\SpyNet*" Registry.registry_value_name = DisableBlockAtFirstSeen Registry.registry_value_data = 0x00000001) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.user Registry.dest | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_blockatfirstseen_feature_filter`'
diff --git a/detections/endpoint/disable_defender_mpengine_registry.yml b/detections/endpoint/disable_defender_mpengine_registry.yml
index 4fe332730f..4ecf590356 100644
--- a/detections/endpoint/disable_defender_mpengine_registry.yml
+++ b/detections/endpoint/disable_defender_mpengine_registry.yml
@@ -7,7 +7,6 @@ status: production
 type: TTP
 description: The following analytic detects the modification of the Windows Defender MpEngine registry value, specifically setting MpEnablePus to 0x00000000. This detection leverages endpoint registry logs, focusing on changes within the path "*\\Policies\\Microsoft\\Windows Defender\\MpEngine*". This activity is significant as it indicates an attempt to disable key Windows Defender features, potentially allowing malware to evade detection. If confirmed malicious, this could lead to undetected malware execution, persistence, and further system compromise. Immediate investigation and endpoint isolation are recommended.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\Policies\\Microsoft\\Windows Defender\\MpEngine*" Registry.registry_value_name = MpEnablePus Registry.registry_value_data = 0x00000000) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.user Registry.dest | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_mpengine_registry_filter`'
 how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
diff --git a/detections/endpoint/disable_defender_spynet_reporting.yml b/detections/endpoint/disable_defender_spynet_reporting.yml
index 2470388229..4e25ac8ef6 100644
--- a/detections/endpoint/disable_defender_spynet_reporting.yml
+++ b/detections/endpoint/disable_defender_spynet_reporting.yml
@@ -7,7 +7,6 @@ status: production
 type: TTP
 description: The following analytic detects the modification of the registry to disable Windows Defender SpyNet reporting. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path associated with Windows Defender SpyNet settings. This activity is significant because disabling SpyNet reporting can prevent Windows Defender from sending telemetry data, potentially allowing malicious activities to go undetected. If confirmed malicious, this action could enable an attacker to evade detection, maintain persistence, and carry out further attacks without being flagged by Windows Defender.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\Microsoft\\Windows Defender\\SpyNet*" Registry.registry_value_name = SpynetReporting Registry.registry_value_data = 0x00000000) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.user Registry.dest  | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_spynet_reporting_filter`'
 how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
diff --git a/detections/endpoint/disable_defender_submit_samples_consent_feature.yml b/detections/endpoint/disable_defender_submit_samples_consent_feature.yml
index 761cc8ba4a..414bfc9803 100644
--- a/detections/endpoint/disable_defender_submit_samples_consent_feature.yml
+++ b/detections/endpoint/disable_defender_submit_samples_consent_feature.yml
@@ -7,7 +7,6 @@ status: production
 type: TTP
 description: The following analytic detects the modification of the Windows registry to disable the Windows Defender Submit Samples Consent feature. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path associated with Windows Defender SpyNet and the SubmitSamplesConsent value set to 0x00000000. This activity is significant as it indicates an attempt to bypass or evade detection by preventing Windows Defender from submitting samples for further analysis. If confirmed malicious, this could allow an attacker to execute malicious code without being detected by Windows Defender, leading to potential system compromise.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\Microsoft\\Windows Defender\\SpyNet*" Registry.registry_value_name = SubmitSamplesConsent Registry.registry_value_data = 0x00000000) BY _time span=1h Registry.user Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_submit_samples_consent_feature_filter`'
 how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
diff --git a/detections/endpoint/disable_etw_through_registry.yml b/detections/endpoint/disable_etw_through_registry.yml
index ccdf872f76..191110f826 100644
--- a/detections/endpoint/disable_etw_through_registry.yml
+++ b/detections/endpoint/disable_etw_through_registry.yml
@@ -7,7 +7,6 @@ status: production
 type: TTP
 description: The following analytic detects modifications to the registry that disable the Event Tracing for Windows (ETW) feature. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path "*\\SOFTWARE\\Microsoft\\.NETFramework\\ETWEnabled" with a value set to "0x00000000". This activity is significant because disabling ETW can allow attackers to evade detection mechanisms, making it harder for security tools to monitor malicious activities. If confirmed malicious, this could enable attackers to execute payloads with minimal alerts, impairing defenses and potentially leading to further compromise of the system.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\.NETFramework\\ETWEnabled" Registry.registry_value_data = "0x00000000") BY _time span=1h Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_etw_through_registry_filter`'
 how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
diff --git a/detections/endpoint/disable_registry_tool.yml b/detections/endpoint/disable_registry_tool.yml
index bfea40724a..696565c36c 100644
--- a/detections/endpoint/disable_registry_tool.yml
+++ b/detections/endpoint/disable_registry_tool.yml
@@ -7,7 +7,6 @@ status: production
 type: TTP
 description: The following analytic detects modifications to the Windows registry aimed at disabling the Registry Editor (regedit). It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableRegistryTools" with a value of "0x00000001". This activity is significant because malware, such as RATs or trojans, often disable registry tools to prevent the removal of their entries, aiding in persistence and defense evasion. If confirmed malicious, this could hinder incident response efforts and allow the attacker to maintain control over the compromised system.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableRegistryTools" Registry.registry_value_data = "0x00000001") BY _time span=1h  Registry.user Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_registry_tool_filter`'
 how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
diff --git a/detections/endpoint/disable_security_logs_using_minint_registry.yml b/detections/endpoint/disable_security_logs_using_minint_registry.yml
index 33ece190e0..6f0393111b 100644
--- a/detections/endpoint/disable_security_logs_using_minint_registry.yml
+++ b/detections/endpoint/disable_security_logs_using_minint_registry.yml
@@ -7,7 +7,6 @@ status: production
 type: TTP
 description: The following analytic detects a suspicious registry modification aimed at disabling security audit logs by adding a specific registry entry. It leverages data from the Endpoint.Registry data model, focusing on changes to the "Control\\MiniNt" registry path. This activity is significant because it can prevent Windows from logging any events to the Security Log, effectively blinding security monitoring efforts. If confirmed malicious, this technique could allow an attacker to operate undetected, making it difficult to trace their actions and compromising the integrity of security audits.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path="*\\Control\\MiniNt\\*") BY _time span=1h  Registry.user Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_security_logs_using_minint_registry_filter`'
 how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
diff --git a/detections/endpoint/disable_show_hidden_files.yml b/detections/endpoint/disable_show_hidden_files.yml
index c9298d6d3b..4d701c06b7 100644
--- a/detections/endpoint/disable_show_hidden_files.yml
+++ b/detections/endpoint/disable_show_hidden_files.yml
@@ -7,7 +7,6 @@ status: production
 type: Anomaly
 description: The following analytic detects modifications to the Windows registry that disable the display of hidden files. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to registry paths associated with hidden file settings. This activity is significant because malware, such as worms and trojan spyware, often use hidden files to evade detection. If confirmed malicious, this behavior could allow an attacker to conceal malicious files on the system, making it harder for security tools and analysts to identify and remove the threat.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden" OR (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt" Registry.registry_value_data = "0x00000001") OR (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden" Registry.registry_value_data = "0x00000000" )) BY _time span=1h Registry.user Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_show_hidden_files_filter`'
 how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
diff --git a/detections/endpoint/disable_uac_remote_restriction.yml b/detections/endpoint/disable_uac_remote_restriction.yml
index 98932c8427..135e4a71b0 100644
--- a/detections/endpoint/disable_uac_remote_restriction.yml
+++ b/detections/endpoint/disable_uac_remote_restriction.yml
@@ -7,7 +7,6 @@ status: production
 type: TTP
 description: The following analytic detects the modification of the registry to disable UAC remote restriction by setting the "LocalAccountTokenFilterPolicy" value to "0x00000001". It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path "*\\CurrentVersion\\Policies\\System*". This activity is significant because disabling UAC remote restriction can allow an attacker to bypass User Account Control (UAC) protections, potentially leading to privilege escalation. If confirmed malicious, this could enable an attacker to execute unauthorized actions with elevated privileges, compromising the security of the affected system.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path="*\\CurrentVersion\\Policies\\System*" Registry.registry_value_name="LocalAccountTokenFilterPolicy" Registry.registry_value_data="0x00000001"  ) BY _time span=1h Registry.user Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_uac_remote_restriction_filter`'
 how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
diff --git a/detections/endpoint/disable_windows_app_hotkeys.yml b/detections/endpoint/disable_windows_app_hotkeys.yml
index 6f2b6d4d83..c230b656ce 100644
--- a/detections/endpoint/disable_windows_app_hotkeys.yml
+++ b/detections/endpoint/disable_windows_app_hotkeys.yml
@@ -7,7 +7,6 @@ status: production
 type: TTP
 description: The following analytic detects a suspicious registry modification aimed at disabling Windows hotkeys for native applications. It leverages data from the Endpoint.Registry data model, focusing on specific registry paths and values indicative of this behavior. This activity is significant as it can impair an analyst's ability to use essential tools like Task Manager and Command Prompt, hindering incident response efforts. If confirmed malicious, this technique can allow an attacker to maintain persistence and evade detection, complicating the remediation process.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path="*\\Windows NT\\CurrentVersion\\Image File Execution Options\\*" AND Registry.registry_value_data= "HotKey Disabled" AND Registry.registry_value_name = "Debugger") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_windows_app_hotkeys_filter`'
 how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
diff --git a/detections/endpoint/disable_windows_behavior_monitoring.yml b/detections/endpoint/disable_windows_behavior_monitoring.yml
index fd74332131..098df8e4a2 100644
--- a/detections/endpoint/disable_windows_behavior_monitoring.yml
+++ b/detections/endpoint/disable_windows_behavior_monitoring.yml
@@ -7,7 +7,6 @@ status: production
 type: TTP
 description: The following analytic identifies modifications in the registry to disable Windows Defender's real-time behavior monitoring. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to registry paths associated with Windows Defender settings. This activity is significant because disabling real-time protection is a common tactic used by malware such as RATs, bots, or Trojans to evade detection. If confirmed malicious, this action could allow an attacker to execute code, escalate privileges, or persist in the environment without being detected by antivirus software.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableBehaviorMonitoring" OR Registry.registry_path= "*\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableOnAccessProtection" OR Registry.registry_path= "*\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableScanOnRealtimeEnable" OR Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring" OR Registry.registry_path= "*\\Real-Time Protection\\DisableIntrusionPreventionSystem" OR Registry.registry_path= "*\\Real-Time Protection\\DisableIOAVProtection" OR Registry.registry_path= "*\\Real-Time Protection\\DisableScriptScanning" AND Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_windows_behavior_monitoring_filter`'
 how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
diff --git a/detections/endpoint/disable_windows_smartscreen_protection.yml b/detections/endpoint/disable_windows_smartscreen_protection.yml
index f80a923281..ef34bb4bae 100644
--- a/detections/endpoint/disable_windows_smartscreen_protection.yml
+++ b/detections/endpoint/disable_windows_smartscreen_protection.yml
@@ -7,7 +7,6 @@ status: production
 type: TTP
 description: The following analytic detects modifications to the Windows registry that disable SmartScreen protection. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to registry paths associated with SmartScreen settings. This activity is significant because SmartScreen provides an early warning system against phishing and malware. Disabling it can indicate malicious intent, often seen in Remote Access Trojans (RATs) to evade detection while downloading additional payloads. If confirmed malicious, this action could allow attackers to bypass security measures, increasing the risk of successful phishing attacks and malware infections.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE Registry.registry_path IN ("*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SmartScreenEnabled", "*\\Microsoft\\Windows\\System\\EnableSmartScreen") Registry.registry_value_data  IN ("Off", "0") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_windows_smartscreen_protection_filter`'
 how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
diff --git a/detections/endpoint/disabling_cmd_application.yml b/detections/endpoint/disabling_cmd_application.yml
index c2fbe69a2b..4fe0f7e94f 100644
--- a/detections/endpoint/disabling_cmd_application.yml
+++ b/detections/endpoint/disabling_cmd_application.yml
@@ -7,7 +7,6 @@ status: production
 type: TTP
 description: The following analytic detects modifications to the registry that disable the CMD prompt application. It leverages data from the Endpoint.Registry data model, specifically looking for changes to the "DisableCMD" registry value. This activity is significant because disabling CMD can hinder an analyst's ability to investigate and remediate threats, a tactic often used by malware such as RATs, Trojans, or Worms. If confirmed malicious, this could prevent security teams from using CMD for directory and file traversal, complicating incident response and allowing the attacker to maintain persistence.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\DisableCMD" Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_cmd_application_filter`'
 how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
diff --git a/detections/endpoint/disabling_controlpanel.yml b/detections/endpoint/disabling_controlpanel.yml
index 641b9b611a..20f8a084ad 100644
--- a/detections/endpoint/disabling_controlpanel.yml
+++ b/detections/endpoint/disabling_controlpanel.yml
@@ -7,7 +7,6 @@ status: production
 type: TTP
 description: The following analytic detects registry modifications that disable the Control Panel on Windows systems. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel" with a value of "0x00000001". This activity is significant as it is commonly used by malware to prevent users from accessing the Control Panel, thereby hindering the removal of malicious artifacts and persistence mechanisms. If confirmed malicious, this could allow attackers to maintain control over the infected machine and prevent remediation efforts.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel" Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_controlpanel_filter`'
 how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
diff --git a/detections/endpoint/disabling_defender_services.yml b/detections/endpoint/disabling_defender_services.yml
index 51c7effed0..b0ec65acc8 100644
--- a/detections/endpoint/disabling_defender_services.yml
+++ b/detections/endpoint/disabling_defender_services.yml
@@ -7,7 +7,6 @@ status: production
 type: TTP
 description: The following analytic detects the disabling of Windows Defender services by monitoring registry modifications. It leverages registry event data to identify changes to specific registry paths associated with Defender services, where the 'Start' value is set to '0x00000004'. This activity is significant because disabling Defender services can indicate an attempt by an adversary to evade detection and maintain persistence on the endpoint. If confirmed malicious, this action could allow attackers to execute further malicious activities undetected, leading to potential data breaches or system compromise.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\System\\CurrentControlSet\\Services\\*" AND (Registry.registry_path IN("*WdBoot*", "*WdFilter*", "*WdNisDrv*", "*WdNisSvc*","*WinDefend*", "*SecurityHealthService*")) AND Registry.registry_value_name = Start Registry.registry_value_data = 0x00000004) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_defender_services_filter`'
 how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
diff --git a/detections/endpoint/disabling_folderoptions_windows_feature.yml b/detections/endpoint/disabling_folderoptions_windows_feature.yml
index b1acc1f67b..4a0b141068 100644
--- a/detections/endpoint/disabling_folderoptions_windows_feature.yml
+++ b/detections/endpoint/disabling_folderoptions_windows_feature.yml
@@ -7,7 +7,6 @@ status: production
 type: TTP
 description: The following analytic detects the modification of the Windows registry to disable the Folder Options feature, which prevents users from showing hidden files and file extensions. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoFolderOptions" with a value of "0x00000001". This activity is significant as it is commonly used by malware to conceal malicious files and deceive users with fake file extensions. If confirmed malicious, this could allow an attacker to hide their presence and malicious files, making detection and remediation more difficult.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoFolderOptions" Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_folderoptions_windows_feature_filter`'
 how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
diff --git a/detections/endpoint/disabling_norun_windows_app.yml b/detections/endpoint/disabling_norun_windows_app.yml
index 917c9bddea..b1c0386ec0 100644
--- a/detections/endpoint/disabling_norun_windows_app.yml
+++ b/detections/endpoint/disabling_norun_windows_app.yml
@@ -7,7 +7,6 @@ status: production
 type: TTP
 description: The following analytic detects the modification of the Windows registry to disable the Run application in the Start menu. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoRun" with a value of "0x00000001". This activity is significant because the Run application is a useful shortcut for executing known applications and scripts. If confirmed malicious, this action could hinder system cleaning efforts and make it more difficult to run essential tools, thereby aiding malware persistence.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoRun" Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_norun_windows_app_filter`'
 how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
diff --git a/detections/endpoint/disabling_remote_user_account_control.yml b/detections/endpoint/disabling_remote_user_account_control.yml
index eebf924779..b213d1d992 100644
--- a/detections/endpoint/disabling_remote_user_account_control.yml
+++ b/detections/endpoint/disabling_remote_user_account_control.yml
@@ -7,7 +7,6 @@ status: production
 type: TTP
 description: The following analytic identifies modifications to the registry key that controls the enforcement of Windows User Account Control (UAC). It detects changes to the registry path `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA` where the value is set to `0x00000000`. This activity is significant because disabling UAC can allow unauthorized changes to the system without user consent, potentially leading to privilege escalation. If confirmed malicious, an attacker could gain elevated privileges, making it easier to execute further attacks or maintain persistence within the environment.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path=*HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA* Registry.registry_value_data="0x00000000" by Registry.dest, Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action | `drop_dm_object_name(Registry)` | `disabling_remote_user_account_control_filter`'
 how_to_implement: To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or via other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report registry modifications.
diff --git a/detections/endpoint/disabling_systemrestore_in_registry.yml b/detections/endpoint/disabling_systemrestore_in_registry.yml
index 6cc378c606..ead31a71ff 100644
--- a/detections/endpoint/disabling_systemrestore_in_registry.yml
+++ b/detections/endpoint/disabling_systemrestore_in_registry.yml
@@ -7,7 +7,6 @@ status: production
 type: TTP
 description: The following analytic detects the modification of registry keys to disable System Restore on a machine. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to registry paths associated with System Restore settings. This activity is significant because disabling System Restore can hinder recovery efforts and is a tactic often used by Remote Access Trojans (RATs) to maintain persistence on an infected system. If confirmed malicious, this action could prevent system recovery, allowing the attacker to sustain their foothold and potentially cause further damage or data loss.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore\\DisableSR" OR Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore\\DisableConfig" OR Registry.registry_path= "*\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore\\DisableSR" OR Registry.registry_path= "*\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore\\DisableConfig" Registry.registry_value_data = "0x00000001") BY _time span=1h  Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_systemrestore_in_registry_filter`'
 how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
diff --git a/detections/endpoint/disabling_task_manager.yml b/detections/endpoint/disabling_task_manager.yml
index 4b27343d5a..13e745d254 100644
--- a/detections/endpoint/disabling_task_manager.yml
+++ b/detections/endpoint/disabling_task_manager.yml
@@ -7,7 +7,6 @@ status: production
 type: TTP
 description: The following analytic identifies modifications to the Windows registry that disable Task Manager. It leverages data from the Endpoint.Registry data model, specifically looking for changes to the registry path "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskMgr" with a value of "0x00000001". This activity is significant as it is commonly associated with malware such as RATs, Trojans, and worms, which disable Task Manager to prevent users from terminating malicious processes. If confirmed malicious, this could allow attackers to maintain persistence and control over the infected system.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskMgr" Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_task_manager_filter`'
 how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
diff --git a/detections/endpoint/enable_rdp_in_other_port_number.yml b/detections/endpoint/enable_rdp_in_other_port_number.yml
index 7de728a29d..4d6e94bad4 100644
--- a/detections/endpoint/enable_rdp_in_other_port_number.yml
+++ b/detections/endpoint/enable_rdp_in_other_port_number.yml
@@ -7,7 +7,6 @@ status: production
 type: TTP
 description: The following analytic detects modifications to the registry that enable RDP on a machine using a non-default port number. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" and the "PortNumber" value. This activity is significant as attackers often modify RDP settings to facilitate lateral movement and maintain remote access to compromised systems. If confirmed malicious, this could allow attackers to bypass network defenses, gain persistent access, and potentially control the compromised machine.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path="*HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp*" Registry.registry_value_name = "PortNumber") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `enable_rdp_in_other_port_number_filter`'
 how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
diff --git a/detections/endpoint/enable_wdigest_uselogoncredential_registry.yml b/detections/endpoint/enable_wdigest_uselogoncredential_registry.yml
index 4c84a247ea..b1f28b7583 100644
--- a/detections/endpoint/enable_wdigest_uselogoncredential_registry.yml
+++ b/detections/endpoint/enable_wdigest_uselogoncredential_registry.yml
@@ -7,7 +7,6 @@ status: production
 type: TTP
 description: The following analytic detects a suspicious registry modification that enables the plain text credential feature in Windows by setting the "UseLogonCredential" value to 1 in the WDigest registry path. This detection leverages data from the Endpoint.Registry data model, focusing on specific registry paths and values. This activity is significant because it is commonly used by malware and tools like Mimikatz to dump plain text credentials, indicating a potential credential dumping attempt. If confirmed malicious, this could allow an attacker to obtain sensitive credentials, leading to further compromise and lateral movement within the network.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path="*\\System\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\*" Registry.registry_value_name = "UseLogonCredential" Registry.registry_value_data=0x00000001) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `enable_wdigest_uselogoncredential_registry_filter`'
 how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
diff --git a/detections/endpoint/etw_registry_disabled.yml b/detections/endpoint/etw_registry_disabled.yml
index 46e1f8d46e..024209c7e6 100644
--- a/detections/endpoint/etw_registry_disabled.yml
+++ b/detections/endpoint/etw_registry_disabled.yml
@@ -7,7 +7,6 @@ status: production
 type: TTP
 description: The following analytic detects a registry modification that disables the Event Tracing for Windows (ETW) feature. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the ETWEnabled registry value under the .NETFramework path. This activity is significant because disabling ETW can allow attackers to evade Endpoint Detection and Response (EDR) tools and hide their execution from audit logs. If confirmed malicious, this action could enable attackers to operate undetected, potentially leading to further compromise and persistent access within the environment.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path="*\\SOFTWARE\\Microsoft\\.NETFramework*" Registry.registry_value_name = ETWEnabled Registry.registry_value_data=0x00000000) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `etw_registry_disabled_filter`'
 how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
diff --git a/detections/endpoint/hide_user_account_from_sign_in_screen.yml b/detections/endpoint/hide_user_account_from_sign_in_screen.yml
index 75f768007b..a1597e7173 100644
--- a/detections/endpoint/hide_user_account_from_sign_in_screen.yml
+++ b/detections/endpoint/hide_user_account_from_sign_in_screen.yml
@@ -7,7 +7,6 @@ status: production
 type: TTP
 description: The following analytic detects a suspicious registry modification that hides a user account from the Windows Login screen. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path "*\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist*" with a value of "0x00000000". This activity is significant as it may indicate an adversary attempting to create a hidden admin account to avoid detection and maintain persistence on the compromised machine. If confirmed malicious, this could allow the attacker to maintain undetected access and control over the system, posing a severe security risk.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path="*\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist*" AND Registry.registry_value_data = "0x00000000") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `hide_user_account_from_sign_in_screen_filter`'
 how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
diff --git a/detections/endpoint/monitor_registry_keys_for_print_monitors.yml b/detections/endpoint/monitor_registry_keys_for_print_monitors.yml
index 4d2dba7079..f4e2519ef6 100644
--- a/detections/endpoint/monitor_registry_keys_for_print_monitors.yml
+++ b/detections/endpoint/monitor_registry_keys_for_print_monitors.yml
@@ -7,7 +7,6 @@ status: production
 type: TTP
 description: The following analytic detects modifications to the registry key `HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors`. It leverages data from the Endpoint.Registry data model, focusing on events where the registry path is modified. This activity is significant because attackers can exploit this registry key to load arbitrary .dll files, which will execute with elevated SYSTEM permissions and persist after a reboot. If confirmed malicious, this could allow attackers to maintain persistence, execute code with high privileges, and potentially compromise the entire system.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.action=modified AND Registry.registry_path="*CurrentControlSet\\Control\\Print\\Monitors*") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `monitor_registry_keys_for_print_monitors_filter`'
 how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
diff --git a/detections/endpoint/net_profiler_uac_bypass.yml b/detections/endpoint/net_profiler_uac_bypass.yml
index 7f1c8b993d..a3e9a90f2d 100644
--- a/detections/endpoint/net_profiler_uac_bypass.yml
+++ b/detections/endpoint/net_profiler_uac_bypass.yml
@@ -7,7 +7,6 @@ status: production
 type: TTP
 description: The following analytic detects modifications to the registry aimed at bypassing the User Account Control (UAC) feature in Windows. It identifies changes to the .NET COR_PROFILER_PATH registry key, which can be exploited to load a malicious DLL via mmc.exe. This detection leverages data from the Endpoint.Registry datamodel, focusing on specific registry paths and values. Monitoring this activity is crucial as it can indicate an attempt to escalate privileges or persist within the environment. If confirmed malicious, this could allow an attacker to execute arbitrary code with elevated privileges, compromising system integrity.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path= "*\\Environment\\COR_PROFILER_PATH" Registry.registry_value_data = "*.dll" by Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `net_profiler_uac_bypass_filter`'
 how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.
diff --git a/detections/endpoint/print_processor_registry_autostart.yml b/detections/endpoint/print_processor_registry_autostart.yml
index 745bfeb3a8..c0a6766b2f 100644
--- a/detections/endpoint/print_processor_registry_autostart.yml
+++ b/detections/endpoint/print_processor_registry_autostart.yml
@@ -7,7 +7,6 @@ status: experimental
 type: TTP
 description: The following analytic detects suspicious modifications or new entries in the Print Processor registry path. It leverages registry activity data from the Endpoint data model to identify changes in the specified registry path. This activity is significant because the Print Processor registry is known to be exploited by APT groups like Turla for persistence and privilege escalation. If confirmed malicious, this could allow an attacker to execute a malicious DLL payload by restarting the spoolsv.exe process, leading to potential control over the compromised machine.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count  min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path ="*\\Control\\Print\\Environments\\Windows x64\\Print Processors*" by Registry.dest  Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `print_processor_registry_autostart_filter`'
 how_to_implement: To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.
diff --git a/detections/endpoint/registry_keys_for_creating_shim_databases.yml b/detections/endpoint/registry_keys_for_creating_shim_databases.yml
index 73fea14729..ab5689721b 100644
--- a/detections/endpoint/registry_keys_for_creating_shim_databases.yml
+++ b/detections/endpoint/registry_keys_for_creating_shim_databases.yml
@@ -7,7 +7,6 @@ status: production
 type: TTP
 description: The following analytic detects registry activity related to the creation of application compatibility shims. It leverages data from the Endpoint.Registry data model, specifically monitoring registry paths associated with AppCompatFlags. This activity is significant because attackers can use shims to bypass security controls, achieve persistence, or escalate privileges. If confirmed malicious, this could allow an attacker to maintain long-term access, execute arbitrary code, or manipulate application behavior, posing a severe risk to the integrity and security of the affected systems.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=*CurrentVersion\\AppCompatFlags\\Custom* OR Registry.registry_path=*CurrentVersion\\AppCompatFlags\\InstalledSDB*) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `registry_keys_for_creating_shim_databases_filter`'
 how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
diff --git a/detections/endpoint/registry_keys_used_for_persistence.yml b/detections/endpoint/registry_keys_used_for_persistence.yml
index 7d91a58b07..80677f6c65 100644
--- a/detections/endpoint/registry_keys_used_for_persistence.yml
+++ b/detections/endpoint/registry_keys_used_for_persistence.yml
@@ -7,7 +7,6 @@ status: production
 type: TTP
 description: The following analytic identifies modifications to registry keys commonly used for persistence mechanisms. It leverages data from endpoint detection sources like Sysmon or Carbon Black, focusing on specific registry paths known to initiate applications or services during system startup. This activity is significant as unauthorized changes to these keys can indicate attempts to maintain persistence or execute malicious actions upon system boot. If confirmed malicious, this could allow attackers to achieve persistent access, execute arbitrary code, or maintain control over compromised systems, posing a severe threat to system integrity and security.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path=*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce OR Registry.registry_path=*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run OR Registry.registry_path= "*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\*" OR Registry.registry_path= "*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\*" OR Registry.registry_path=*\\currentversion\\run* OR Registry.registry_path=*\\currentVersion\\Windows\\Appinit_Dlls* OR Registry.registry_path=*\\CurrentVersion\\Winlogon\\Shell* OR Registry.registry_path=*\\CurrentVersion\\Winlogon\\Notify* OR Registry.registry_path=*\\CurrentVersion\\Winlogon\\Userinit* OR Registry.registry_path=*\\CurrentVersion\\Winlogon\\VmApplet* OR Registry.registry_path=*\\currentversion\\policies\\explorer\\run* OR Registry.registry_path=*\\currentversion\\runservices* OR Registry.registry_path=HKLM\\SOFTWARE\\Microsoft\\Netsh\\* OR Registry.registry_path= "*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Common Startup" OR Registry.registry_path= *\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SharedTaskScheduler OR Registry.registry_path= *\\Classes\\htmlfile\\shell\\open\\command OR (Registry.registry_path="*Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options*" AND Registry.registry_key_name=Debugger) OR (Registry.registry_path="*\\CurrentControlSet\\Control\\Lsa" AND Registry.registry_key_name="Security Packages") OR (Registry.registry_path="*\\CurrentControlSet\\Control\\Lsa\\OSConfig" AND Registry.registry_key_name="Security Packages") OR (Registry.registry_path="*\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\*") OR (Registry.registry_path="*currentVersion\\Windows" AND Registry.registry_key_name="Load") OR (Registry.registry_path="*\\CurrentVersion" AND Registry.registry_key_name="Svchost") OR (Registry.registry_path="*\\CurrentControlSet\Control\Session Manager"AND Registry.registry_key_name="BootExecute") OR (Registry.registry_path="*\\Software\\Run" AND Registry.registry_key_name="auto_update")) by Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `registry_keys_used_for_persistence_filter`'
 how_to_implement: To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.
diff --git a/detections/endpoint/registry_keys_used_for_privilege_escalation.yml b/detections/endpoint/registry_keys_used_for_privilege_escalation.yml
index 37468ff183..c5785d97fd 100644
--- a/detections/endpoint/registry_keys_used_for_privilege_escalation.yml
+++ b/detections/endpoint/registry_keys_used_for_privilege_escalation.yml
@@ -7,7 +7,6 @@ status: production
 type: TTP
 description: The following analytic detects modifications to registry keys under "Image File Execution Options" that can be used for privilege escalation. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to registry paths and values like GlobalFlag and Debugger. This activity is significant because attackers can use these modifications to intercept executable calls and attach malicious binaries to legitimate system binaries. If confirmed malicious, this could allow attackers to execute arbitrary code with elevated privileges, leading to potential system compromise and persistent access.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE ((Registry.registry_path="*Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options*") AND (Registry.registry_value_name=GlobalFlag OR Registry.registry_value_name=Debugger)) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `registry_keys_used_for_privilege_escalation_filter`'
 how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
diff --git a/detections/endpoint/screensaver_event_trigger_execution.yml b/detections/endpoint/screensaver_event_trigger_execution.yml
index 8236fb45c7..80d2c33469 100644
--- a/detections/endpoint/screensaver_event_trigger_execution.yml
+++ b/detections/endpoint/screensaver_event_trigger_execution.yml
@@ -7,7 +7,6 @@ status: production
 type: TTP
 description: The following analytic detects modifications to the SCRNSAVE.EXE registry entry, indicating potential event trigger execution via screensaver settings for persistence or privilege escalation. It leverages registry activity data from the Endpoint data model to identify changes to the specified registry path. This activity is significant as it is a known technique used by APT groups and malware to maintain persistence or escalate privileges. If confirmed malicious, this could allow an attacker to execute arbitrary code with elevated privileges, leading to further system compromise and persistent access.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count  min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path="*\\Control Panel\\Desktop\\SCRNSAVE.EXE*") by Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `screensaver_event_trigger_execution_filter`'
 how_to_implement: To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.
diff --git a/detections/endpoint/time_provider_persistence_registry.yml b/detections/endpoint/time_provider_persistence_registry.yml
index 16f1e81dea..4430fd92d0 100644
--- a/detections/endpoint/time_provider_persistence_registry.yml
+++ b/detections/endpoint/time_provider_persistence_registry.yml
@@ -7,7 +7,6 @@ status: production
 type: TTP
 description: The following analytic detects suspicious modifications to the time provider registry for persistence and autostart. It leverages data from the Endpoint.Registry data model, focusing on changes to the "CurrentControlSet\\Services\\W32Time\\TimeProviders" registry path. This activity is significant because such modifications are uncommon and can indicate an attempt to establish persistence on a compromised host. If confirmed malicious, this technique allows an attacker to maintain access and execute code automatically upon system boot, potentially leading to further exploitation and control over the affected system.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path="*\\CurrentControlSet\\Services\\W32Time\\TimeProviders*") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `time_provider_persistence_registry_filter`'
 how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
diff --git a/detections/endpoint/windows_autostart_execution_lsass_driver_registry_modification.yml b/detections/endpoint/windows_autostart_execution_lsass_driver_registry_modification.yml
index 0c04246d29..c6c85479dd 100644
--- a/detections/endpoint/windows_autostart_execution_lsass_driver_registry_modification.yml
+++ b/detections/endpoint/windows_autostart_execution_lsass_driver_registry_modification.yml
@@ -7,7 +7,6 @@ status: production
 type: TTP
 description: The following analytic detects modifications to undocumented registry keys that allow a DLL to load into lsass.exe, potentially capturing credentials. It leverages the Endpoint.Registry data model to identify changes to \CurrentControlSet\Services\NTDS\DirectoryServiceExtPt or \CurrentControlSet\Services\NTDS\LsaDbExtPt. This activity is significant as it indicates a possible attempt to inject malicious code into the Local Security Authority Subsystem Service (LSASS), which can lead to credential theft. If confirmed malicious, this could allow attackers to gain unauthorized access to sensitive information and escalate privileges within the environment.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path IN ("*\\CurrentControlSet\\Services\\NTDS\\DirectoryServiceExtPt","*\\CurrentControlSet\\Services\\NTDS\\LsaDbExtPt") by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_autostart_execution_lsass_driver_registry_modification_filter`'
 how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.
diff --git a/detections/endpoint/windows_defender_exclusion_registry_entry.yml b/detections/endpoint/windows_defender_exclusion_registry_entry.yml
index 1ac9985d12..5bc4fe689d 100644
--- a/detections/endpoint/windows_defender_exclusion_registry_entry.yml
+++ b/detections/endpoint/windows_defender_exclusion_registry_entry.yml
@@ -7,7 +7,6 @@ status: production
 type: TTP
 description: The following analytic detects modifications to the Windows Defender exclusion registry entries. It leverages endpoint registry data to identify changes in the registry path "*\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Exclusions\\*". This activity is significant because adversaries often modify these entries to bypass Windows Defender, allowing malicious code to execute without detection. If confirmed malicious, this behavior could enable attackers to evade antivirus defenses, maintain persistence, and execute further malicious activities undetected.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Exclusions\\*") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_defender_exclusion_registry_entry_filter`'
 how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
diff --git a/detections/endpoint/windows_disable_change_password_through_registry.yml b/detections/endpoint/windows_disable_change_password_through_registry.yml
index 388e9558db..95cdee4bc7 100644
--- a/detections/endpoint/windows_disable_change_password_through_registry.yml
+++ b/detections/endpoint/windows_disable_change_password_through_registry.yml
@@ -7,7 +7,6 @@ status: production
 type: Anomaly
 description: The following analytic detects a suspicious registry modification that disables the Change Password feature on a Windows host. It identifies changes to the registry path "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableChangePassword" with a value of "0x00000001". This activity is significant as it can prevent users from changing their passwords, a tactic often used by ransomware to maintain control over compromised systems. If confirmed malicious, this could hinder user response to an attack, allowing the attacker to persist and potentially escalate their access within the network.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableChangePassword" Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_change_password_through_registry_filter`'
 how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
diff --git a/detections/endpoint/windows_disable_lock_workstation_feature_through_registry.yml b/detections/endpoint/windows_disable_lock_workstation_feature_through_registry.yml
index cc98e22380..6a99fb3866 100644
--- a/detections/endpoint/windows_disable_lock_workstation_feature_through_registry.yml
+++ b/detections/endpoint/windows_disable_lock_workstation_feature_through_registry.yml
@@ -7,7 +7,6 @@ status: production
 type: Anomaly
 description: The following analytic detects a suspicious registry modification that disables the Lock Computer feature in Windows. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableLockWorkstation" with a value of "0x00000001". This activity is significant because it prevents users from locking their screens, a tactic often used by malware, including ransomware, to maintain control over compromised systems. If confirmed malicious, this could allow attackers to sustain their presence and execute further malicious actions without user interruption.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableLockWorkstation" Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_lock_workstation_feature_through_registry_filter`'
 how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
diff --git a/detections/endpoint/windows_disable_logoff_button_through_registry.yml b/detections/endpoint/windows_disable_logoff_button_through_registry.yml
index 1ec8cd17fc..883f423d4b 100644
--- a/detections/endpoint/windows_disable_logoff_button_through_registry.yml
+++ b/detections/endpoint/windows_disable_logoff_button_through_registry.yml
@@ -7,7 +7,6 @@ status: production
 type: Anomaly
 description: The following analytic detects a suspicious registry modification that disables the logoff feature on a Windows host. It leverages data from the Endpoint.Registry data model to identify changes to specific registry values associated with logoff functionality. This activity is significant because it can indicate ransomware attempting to make the compromised host unusable and hinder remediation efforts. If confirmed malicious, this action could prevent users from logging off, complicate incident response, and allow attackers to maintain persistence and control over the affected system.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\*" Registry.registry_value_name IN ("NoLogOff", "StartMenuLogOff") Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_logoff_button_through_registry_filter`'
 how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
diff --git a/detections/endpoint/windows_disable_memory_crash_dump.yml b/detections/endpoint/windows_disable_memory_crash_dump.yml
index 0e2affadac..83dddbadbf 100644
--- a/detections/endpoint/windows_disable_memory_crash_dump.yml
+++ b/detections/endpoint/windows_disable_memory_crash_dump.yml
@@ -7,7 +7,6 @@ status: production
 type: TTP
 description: The following analytic detects attempts to disable the memory crash dump feature on Windows systems by setting the registry value to 0. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to the CrashDumpEnabled registry key. This activity is significant because disabling crash dumps can hinder forensic analysis and incident response efforts. If confirmed malicious, this action could be part of a broader attack strategy, such as data destruction or system destabilization, as seen with HermeticWiper, potentially leading to significant operational disruptions and data loss.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry where (Registry.registry_path="*\\CurrentControlSet\\Control\\CrashControl\\CrashDumpEnabled") AND Registry.registry_value_data="0x00000000" by _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.registry_key_name  | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_memory_crash_dump_filter`'
 how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` and `Registry` node.
diff --git a/detections/endpoint/windows_disable_notification_center.yml b/detections/endpoint/windows_disable_notification_center.yml
index 562f6aa3e9..18220e60ca 100644
--- a/detections/endpoint/windows_disable_notification_center.yml
+++ b/detections/endpoint/windows_disable_notification_center.yml
@@ -7,7 +7,6 @@ status: production
 type: Anomaly
 description: The following analytic detects the modification of the Windows registry to disable the Notification Center on a host machine. It leverages data from the Endpoint.Registry data model, specifically looking for changes to the "DisableNotificationCenter" registry value set to "0x00000001." This activity is significant because disabling the Notification Center can be a tactic used by RAT malware to hide its presence and subsequent actions. If confirmed malicious, this could allow an attacker to operate stealthily, potentially leading to further system compromise and data exfiltration.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_value_name= "DisableNotificationCenter" Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_notification_center_filter`'
 how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
diff --git a/detections/endpoint/windows_disable_shutdown_button_through_registry.yml b/detections/endpoint/windows_disable_shutdown_button_through_registry.yml
index e2dec3c377..8eeda76481 100644
--- a/detections/endpoint/windows_disable_shutdown_button_through_registry.yml
+++ b/detections/endpoint/windows_disable_shutdown_button_through_registry.yml
@@ -7,7 +7,6 @@ status: production
 type: Anomaly
 description: The following analytic detects suspicious registry modifications that disable the shutdown button on a user's logon screen. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to registry paths associated with shutdown policies. This activity is significant because it is a tactic used by malware, particularly ransomware like KillDisk, to hinder system usability and prevent the removal of malicious changes. If confirmed malicious, this could impede system recovery efforts, making it difficult to restart the machine and remove other harmful modifications.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE ((Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\shutdownwithoutlogon" Registry.registry_value_data = "0x00000000") OR (Registry.registry_path="*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoClose" Registry.registry_value_data = "0x00000001")) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_shutdown_button_through_registry_filter`'
 how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
diff --git a/detections/endpoint/windows_disable_windows_group_policy_features_through_registry.yml b/detections/endpoint/windows_disable_windows_group_policy_features_through_registry.yml
index be4a054e3e..44fba1560c 100644
--- a/detections/endpoint/windows_disable_windows_group_policy_features_through_registry.yml
+++ b/detections/endpoint/windows_disable_windows_group_policy_features_through_registry.yml
@@ -7,7 +7,6 @@ status: production
 type: Anomaly
 description: The following analytic detects suspicious registry modifications aimed at disabling Windows Group Policy features. It leverages data from the Endpoint.Registry data model, focusing on specific registry paths and values associated with disabling key Windows functionalities. This activity is significant because it is commonly used by ransomware to hinder mitigation and forensic response efforts. If confirmed malicious, this behavior could severely impair the ability of security teams to analyze and respond to the attack, allowing the attacker to maintain control and persist within the compromised environment.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\*" OR Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\*" Registry.registry_value_name IN ("NoDesktop", "NoFind", "NoControlPanel", "NoFileMenu", "NoSetTaskbar", "NoTrayContextMenu", "TaskbarLockAll", "NoThemesTab","NoPropertiesMyDocuments","NoVisualStyleChoice","NoColorChoice","NoPropertiesMyDocuments") Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_windows_group_policy_features_through_registry_filter`'
 how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
diff --git a/detections/endpoint/windows_disableantispyware_registry.yml b/detections/endpoint/windows_disableantispyware_registry.yml
index 79df8a447c..c1b19cf2ec 100644
--- a/detections/endpoint/windows_disableantispyware_registry.yml
+++ b/detections/endpoint/windows_disableantispyware_registry.yml
@@ -7,7 +7,6 @@ status: production
 type: TTP
 description: The following analytic detects the modification of the Windows Registry key "DisableAntiSpyware" being set to disable. This detection leverages data from the Endpoint.Registry datamodel, specifically looking for the registry value name "DisableAntiSpyware" with a value of "0x00000001". This activity is significant as it is commonly associated with Ryuk ransomware infections, indicating potential malicious intent to disable Windows Defender. If confirmed malicious, this action could allow attackers to disable critical security defenses, facilitating further malicious activities such as data encryption, exfiltration, or additional system compromise.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_value_name="DisableAntiSpyware" AND Registry.registry_value_data="0x00000001" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_disableantispyware_registry_filter`'
 how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.
diff --git a/detections/endpoint/windows_enable_win32_scheduledjob_via_registry.yml b/detections/endpoint/windows_enable_win32_scheduledjob_via_registry.yml
index 23e3d47b27..a48e35906b 100644
--- a/detections/endpoint/windows_enable_win32_scheduledjob_via_registry.yml
+++ b/detections/endpoint/windows_enable_win32_scheduledjob_via_registry.yml
@@ -6,7 +6,6 @@ author: Michael Haag, Splunk
 type: Anomaly
 status: production
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 description: The following analytic detects the creation of a new DWORD value named "EnableAt" in the registry path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Configuration". This modification enables the use of the at.exe or wmi Win32_ScheduledJob commands to add scheduled tasks on a Windows endpoint. The detection leverages registry event data from the Endpoint datamodel. This activity is significant because it may indicate that an attacker is enabling the ability to schedule tasks, potentially to execute malicious code at specific times or intervals. If confirmed malicious, this could allow persistent code execution on the system.
 search: '| tstats `security_content_summariesonly` count values(Registry.registry_key_name) as registry_key_name values(Registry.registry_path) as registry_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\CurrentVersion\\Schedule\\Configuration*" Registry.registry_value_name=EnableAt  by Registry.dest, Registry.user, Registry.registry_value_name, Registry.registry_value_type | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `windows_enable_win32_scheduledjob_via_registry_filter`'
diff --git a/detections/endpoint/windows_hide_notification_features_through_registry.yml b/detections/endpoint/windows_hide_notification_features_through_registry.yml
index 2b2cf67dde..d284c2d543 100644
--- a/detections/endpoint/windows_hide_notification_features_through_registry.yml
+++ b/detections/endpoint/windows_hide_notification_features_through_registry.yml
@@ -7,7 +7,6 @@ status: production
 type: Anomaly
 description: The following analytic detects suspicious registry modifications aimed at hiding common Windows notification features on a compromised host. It leverages data from the Endpoint.Registry data model, focusing on specific registry paths and values. This activity is significant as it is often used by ransomware to obscure visual indicators, increasing the impact of the attack. If confirmed malicious, this could prevent users from noticing critical system alerts, thereby aiding the attacker in maintaining persistence and furthering their malicious activities undetected.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\*" Registry.registry_value_name IN ("HideClock", "HideSCAHealth", "HideSCANetwork", "HideSCAPower", "HideSCAVolume") Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_hide_notification_features_through_registry_filter`'
 how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
diff --git a/detections/endpoint/windows_impair_defense_change_win_defender_health_check_intervals.yml b/detections/endpoint/windows_impair_defense_change_win_defender_health_check_intervals.yml
index 0ffd185745..ef1d9823a0 100644
--- a/detections/endpoint/windows_impair_defense_change_win_defender_health_check_intervals.yml
+++ b/detections/endpoint/windows_impair_defense_change_win_defender_health_check_intervals.yml
@@ -6,7 +6,6 @@ author: Teoderick Contreras, Splunk
 status: production
 type: TTP
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 description: The following analytic detects modifications to the Windows registry that change the health check interval of Windows Defender. It leverages data from the Endpoint datamodel, specifically monitoring changes to the "ServiceKeepAlive" registry path with a value of "0x00000001". This activity is significant because altering Windows Defender settings can impair its ability to perform timely health checks, potentially leaving the system vulnerable. If confirmed malicious, this could allow an attacker to disable or delay security scans, increasing the risk of undetected malware or other malicious activities.
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\ServiceKeepAlive" Registry.registry_value_data="0x00000001" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_change_win_defender_health_check_intervals_filter`'
diff --git a/detections/endpoint/windows_impair_defense_change_win_defender_quick_scan_interval.yml b/detections/endpoint/windows_impair_defense_change_win_defender_quick_scan_interval.yml
index 08fc1eb735..94c6f8d4ef 100644
--- a/detections/endpoint/windows_impair_defense_change_win_defender_quick_scan_interval.yml
+++ b/detections/endpoint/windows_impair_defense_change_win_defender_quick_scan_interval.yml
@@ -6,7 +6,6 @@ author: Teoderick Contreras, Splunk
 status: production
 type: TTP
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 description: The following analytic detects modifications to the Windows registry that change the Windows Defender Quick Scan Interval. It leverages data from the Endpoint.Registry data model, focusing on changes to the "QuickScanInterval" registry path. This activity is significant because altering the scan interval can impair Windows Defender's ability to detect malware promptly, potentially allowing threats to persist undetected. If confirmed malicious, this modification could enable attackers to bypass security measures, maintain persistence, and execute further malicious activities without being detected by quick scans.
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\Scan\\QuickScanInterval" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_change_win_defender_quick_scan_interval_filter`'
diff --git a/detections/endpoint/windows_impair_defense_change_win_defender_throttle_rate.yml b/detections/endpoint/windows_impair_defense_change_win_defender_throttle_rate.yml
index 319aa68858..3c57475c12 100644
--- a/detections/endpoint/windows_impair_defense_change_win_defender_throttle_rate.yml
+++ b/detections/endpoint/windows_impair_defense_change_win_defender_throttle_rate.yml
@@ -6,7 +6,6 @@ author: Teoderick Contreras, Splunk
 status: production
 type: TTP
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 description: The following analytic detects modifications to the ThrottleDetectionEventsRate registry setting in Windows Defender. It leverages data from the Endpoint.Registry datamodel to identify changes in the registry path related to Windows Defender's event logging rate. This activity is significant because altering the ThrottleDetectionEventsRate can reduce the frequency of logged detection events, potentially masking malicious activities. If confirmed malicious, this could allow an attacker to evade detection by decreasing the visibility of security events, thereby hindering incident response and forensic investigations.
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\NIS\\Consumers\\IPS\\ThrottleDetectionEventsRate" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_change_win_defender_throttle_rate_filter`'
diff --git a/detections/endpoint/windows_impair_defense_change_win_defender_tracing_level.yml b/detections/endpoint/windows_impair_defense_change_win_defender_tracing_level.yml
index e41062773b..cef41ea783 100644
--- a/detections/endpoint/windows_impair_defense_change_win_defender_tracing_level.yml
+++ b/detections/endpoint/windows_impair_defense_change_win_defender_tracing_level.yml
@@ -6,7 +6,6 @@ author: Teoderick Contreras, Splunk
 status: production
 type: TTP
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 description: The following analytic detects modifications to the Windows registry specifically targeting the "WppTracingLevel" setting within Windows Defender. This detection leverages data from the Endpoint.Registry data model to identify changes in the registry path associated with Windows Defender tracing levels. Such modifications are significant as they can impair the diagnostic capabilities of Windows Defender, potentially hiding malicious activities. If confirmed malicious, this activity could allow an attacker to evade detection and maintain persistence within the environment, leading to further compromise and data exfiltration.
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\Reporting\\WppTracingLevel" Registry.registry_value_data="0x00000001" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_change_win_defender_tracing_level_filter`'
diff --git a/detections/endpoint/windows_impair_defense_configure_app_install_control.yml b/detections/endpoint/windows_impair_defense_configure_app_install_control.yml
index 8d08fde3ab..e96354e629 100644
--- a/detections/endpoint/windows_impair_defense_configure_app_install_control.yml
+++ b/detections/endpoint/windows_impair_defense_configure_app_install_control.yml
@@ -6,7 +6,6 @@ author: Teoderick Contreras, Splunk
 status: production
 type: TTP
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 description: The following analytic detects modifications to the Windows registry that disable the Windows Defender SmartScreen App Install Control feature. It leverages data from the Endpoint.Registry data model to identify changes to specific registry values. This activity is significant because disabling App Install Control can allow users to install potentially malicious web-based applications without restrictions, increasing the risk of security vulnerabilities. If confirmed malicious, this action could lead to the installation of harmful applications, potentially compromising the system and exposing sensitive information.
 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\Microsoft\\Windows Defender\\SmartScreen\\ConfigureAppInstallControl" Registry.registry_value_data= "Anywhere") OR (Registry.registry_path= "*\\Microsoft\\Windows Defender\\SmartScreen\\ConfigureAppInstallControlEnabled" Registry.registry_value_data= "0x00000000") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_configure_app_install_control_filter`'
diff --git a/detections/endpoint/windows_impair_defense_define_win_defender_threat_action.yml b/detections/endpoint/windows_impair_defense_define_win_defender_threat_action.yml
index a4ce5e139f..05f5946365 100644
--- a/detections/endpoint/windows_impair_defense_define_win_defender_threat_action.yml
+++ b/detections/endpoint/windows_impair_defense_define_win_defender_threat_action.yml
@@ -6,7 +6,6 @@ author: Teoderick Contreras, Splunk
 status: production
 type: TTP
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 description: The following analytic detects modifications to the Windows Defender ThreatSeverityDefaultAction registry setting. It leverages data from the Endpoint.Registry datamodel to identify changes in registry values that define how Windows Defender responds to threats. This activity is significant because altering these settings can impair the system's defense mechanisms, potentially allowing threats to go unaddressed. If confirmed malicious, this could enable attackers to bypass antivirus protections, leading to persistent threats and increased risk of data compromise or further system exploitation.
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\Threats\\ThreatSeverityDefaultAction*" Registry.registry_value_data IN ("0x00000001", "9") by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_define_win_defender_threat_action_filter`'
diff --git a/detections/endpoint/windows_impair_defense_delete_win_defender_context_menu.yml b/detections/endpoint/windows_impair_defense_delete_win_defender_context_menu.yml
index 08ab50b0ce..6b47b19cec 100644
--- a/detections/endpoint/windows_impair_defense_delete_win_defender_context_menu.yml
+++ b/detections/endpoint/windows_impair_defense_delete_win_defender_context_menu.yml
@@ -7,7 +7,6 @@ status: production
 type: Hunting
 description: The following analytic detects the deletion of the Windows Defender context menu entry from the registry. It leverages data from the Endpoint datamodel, specifically monitoring registry actions where the path includes "*\\shellex\\ContextMenuHandlers\\EPP" and the action is 'deleted'. This activity is significant as it is commonly associated with Remote Access Trojan (RAT) malware attempting to disable security features. If confirmed malicious, this could allow an attacker to impair defenses, facilitating further malicious activities such as unauthorized access, persistence, and data exfiltration.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = "*\\shellex\\ContextMenuHandlers\\EPP" Registry.action = deleted by  Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.dest Registry.user | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_delete_win_defender_context_menu_filter`'
 how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.
diff --git a/detections/endpoint/windows_impair_defense_delete_win_defender_profile_registry.yml b/detections/endpoint/windows_impair_defense_delete_win_defender_profile_registry.yml
index 1ad1a12b13..ea9100f47c 100644
--- a/detections/endpoint/windows_impair_defense_delete_win_defender_profile_registry.yml
+++ b/detections/endpoint/windows_impair_defense_delete_win_defender_profile_registry.yml
@@ -7,7 +7,6 @@ status: production
 type: Anomaly
 description: The following analytic detects the deletion of the Windows Defender main profile registry key. It leverages data from the Endpoint.Registry datamodel, specifically monitoring for deleted actions within the Windows Defender registry path. This activity is significant as it indicates potential tampering with security defenses, often associated with Remote Access Trojans (RATs) and other malware. If confirmed malicious, this action could allow an attacker to disable Windows Defender, reducing the system's ability to detect and respond to further malicious activities, thereby compromising endpoint security.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = "*\\Policies\\Microsoft\\Windows Defender" Registry.action = deleted by  Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action  Registry.user Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_delete_win_defender_profile_registry_filter`'
 how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.
diff --git a/detections/endpoint/windows_impair_defense_deny_security_software_with_applocker.yml b/detections/endpoint/windows_impair_defense_deny_security_software_with_applocker.yml
index 800d6c7f61..e3c5c39b98 100644
--- a/detections/endpoint/windows_impair_defense_deny_security_software_with_applocker.yml
+++ b/detections/endpoint/windows_impair_defense_deny_security_software_with_applocker.yml
@@ -7,7 +7,6 @@ status: production
 type: TTP
 description: The following analytic detects modifications in the Windows registry by the Applocker utility that deny the execution of various security products. This detection leverages data from the Endpoint.Registry datamodel, focusing on specific registry paths and values indicating a "Deny" action against known antivirus and security software. This activity is significant as it may indicate an attempt to disable security defenses, a tactic observed in malware like Azorult. If confirmed malicious, this could allow attackers to bypass security measures, facilitating further malicious activities and persistence within the environment.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy Objects\\*" AND Registry.registry_path= "*}Machine\\Software\\Policies\\Microsoft\\Windows\\SrpV2*") OR Registry.registry_path="*\\Software\\Policies\\Microsoft\\Windows\\SrpV2*" AND Registry.registry_value_data = "*Action\=\"Deny\"*" AND Registry.registry_value_data IN("*O=SYMANTEC*","*O=MCAFEE*","*O=KASPERSKY*","*O=BLEEPING COMPUTER*", "*O=PANDA SECURITY*","*O=SYSTWEAK SOFTWARE*", "*O=TREND MICRO*", "*O=AVAST*", "*O=GRIDINSOFT*", "*O=MICROSOFT*", "*O=NANO SECURITY*", "*O=SUPERANTISPYWARE.COM*", "*O=DOCTOR WEB*", "*O=MALWAREBYTES*", "*O=ESET*", "*O=AVIRA*", "*O=WEBROOT*") by  Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.registry_key_name Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_deny_security_software_with_applocker_filter`'
 how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.
diff --git a/detections/endpoint/windows_impair_defense_disable_controlled_folder_access.yml b/detections/endpoint/windows_impair_defense_disable_controlled_folder_access.yml
index 8ce7b98edd..85281a411f 100644
--- a/detections/endpoint/windows_impair_defense_disable_controlled_folder_access.yml
+++ b/detections/endpoint/windows_impair_defense_disable_controlled_folder_access.yml
@@ -6,7 +6,6 @@ author: Teoderick Contreras, Splunk
 status: production
 type: TTP
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 description: The following analytic detects a modification in the Windows registry that disables the Windows Defender Controlled Folder Access feature. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the EnableControlledFolderAccess registry setting. This activity is significant because Controlled Folder Access is designed to protect critical folders from unauthorized access, including ransomware attacks. If this activity is confirmed malicious, it could allow attackers to bypass a key security feature, potentially leading to unauthorized access or modification of sensitive files.
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\Windows Defender Exploit Guard\\Controlled Folder Access\\EnableControlledFolderAccess" Registry.registry_value_data="0x00000000" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_controlled_folder_access_filter`'
diff --git a/detections/endpoint/windows_impair_defense_disable_defender_firewall_and_network.yml b/detections/endpoint/windows_impair_defense_disable_defender_firewall_and_network.yml
index a8a69f4b55..71d9d59064 100644
--- a/detections/endpoint/windows_impair_defense_disable_defender_firewall_and_network.yml
+++ b/detections/endpoint/windows_impair_defense_disable_defender_firewall_and_network.yml
@@ -6,7 +6,6 @@ author: Teoderick Contreras, Splunk
 status: production
 type: TTP
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 description: The following analytic detects modifications in the Windows registry to disable firewall and network protection settings within Windows Defender Security Center. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the UILockdown registry value. This activity is significant as it may indicate an attempt to impair system defenses, potentially restricting users from modifying firewall or network protection settings. If confirmed malicious, this could allow an attacker to weaken the system's security posture, making it more vulnerable to further attacks and unauthorized access.
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender Security Center\\Firewall and network protection\\UILockdown" Registry.registry_value_data="0x00000001" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_defender_firewall_and_network_filter`'
diff --git a/detections/endpoint/windows_impair_defense_disable_defender_protocol_recognition.yml b/detections/endpoint/windows_impair_defense_disable_defender_protocol_recognition.yml
index 9370d32c3c..0ee6344574 100644
--- a/detections/endpoint/windows_impair_defense_disable_defender_protocol_recognition.yml
+++ b/detections/endpoint/windows_impair_defense_disable_defender_protocol_recognition.yml
@@ -6,7 +6,6 @@ author: Teoderick Contreras, Splunk
 status: production
 type: TTP
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 description: The following analytic detects modifications to the Windows registry that disable the Windows Defender protocol recognition feature. It leverages data from the Endpoint.Registry data model, specifically looking for changes to the "DisableProtocolRecognition" setting. This activity is significant because disabling protocol recognition can hinder Windows Defender's ability to detect and respond to malware or suspicious software. If confirmed malicious, this action could allow an attacker to bypass antivirus defenses, facilitating further malicious activities such as data exfiltration or system compromise.
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\NIS\\DisableProtocolRecognition" Registry.registry_value_data="0x00000001" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_defender_protocol_recognition_filter`'
diff --git a/detections/endpoint/windows_impair_defense_disable_pua_protection.yml b/detections/endpoint/windows_impair_defense_disable_pua_protection.yml
index 8c47ab8d19..cd7ef023c5 100644
--- a/detections/endpoint/windows_impair_defense_disable_pua_protection.yml
+++ b/detections/endpoint/windows_impair_defense_disable_pua_protection.yml
@@ -6,7 +6,6 @@ author: Teoderick Contreras, Splunk
 status: production
 type: TTP
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 description: The following analytic detects a modification in the Windows registry to disable Windows Defender PUA protection by setting PUAProtection to 0. This detection leverages data from the Endpoint.Registry datamodel, focusing on registry path changes related to Windows Defender. Disabling PUA protection is significant as it reduces defenses against Potentially Unwanted Applications (PUAs), which, while not always malicious, can negatively impact user experience and security. If confirmed malicious, this activity could allow an attacker to introduce adware, browser toolbars, or other unwanted software, potentially compromising system integrity and user productivity.
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\PUAProtection" Registry.registry_value_data="0x00000000" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_pua_protection_filter`'
diff --git a/detections/endpoint/windows_impair_defense_disable_realtime_signature_delivery.yml b/detections/endpoint/windows_impair_defense_disable_realtime_signature_delivery.yml
index 81b8ba5c1e..f1f9073684 100644
--- a/detections/endpoint/windows_impair_defense_disable_realtime_signature_delivery.yml
+++ b/detections/endpoint/windows_impair_defense_disable_realtime_signature_delivery.yml
@@ -6,7 +6,6 @@ author: Teoderick Contreras, Splunk
 status: production
 type: TTP
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 description: The following analytic detects modifications to the Windows registry that disable the Windows Defender real-time signature delivery feature. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path associated with Windows Defender signature updates. This activity is significant because disabling real-time signature delivery can prevent Windows Defender from receiving timely malware definitions, reducing its effectiveness. If confirmed malicious, this action could allow attackers to bypass malware detection, leading to potential system compromise and persistent threats.
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\Signature Updates\\RealtimeSignatureDelivery" Registry.registry_value_data="0x00000000" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_realtime_signature_delivery_filter`'
diff --git a/detections/endpoint/windows_impair_defense_disable_web_evaluation.yml b/detections/endpoint/windows_impair_defense_disable_web_evaluation.yml
index db5aff8776..bb0cdb05f0 100644
--- a/detections/endpoint/windows_impair_defense_disable_web_evaluation.yml
+++ b/detections/endpoint/windows_impair_defense_disable_web_evaluation.yml
@@ -6,7 +6,6 @@ author: Teoderick Contreras, Splunk
 status: production
 type: TTP
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 description: The following analytic detects modifications to the Windows registry entry "EnableWebContentEvaluation" to disable Windows Defender web content evaluation. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes where the registry value is set to "0x00000000". This activity is significant as it indicates an attempt to impair browser security features, potentially allowing malicious web content to bypass security checks. If confirmed malicious, this could lead to users interacting with harmful scripts or unsafe web elements, increasing the risk of system exploitation and security breaches.
 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE Registry.registry_path= "*\\Windows\\CurrentVersion\\AppHost\\EnableWebContentEvaluation"  Registry.registry_value_data= "0x00000000" BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_web_evaluation_filter`'
diff --git a/detections/endpoint/windows_impair_defense_disable_win_defender_app_guard.yml b/detections/endpoint/windows_impair_defense_disable_win_defender_app_guard.yml
index 83218b9b01..a984f8e37d 100644
--- a/detections/endpoint/windows_impair_defense_disable_win_defender_app_guard.yml
+++ b/detections/endpoint/windows_impair_defense_disable_win_defender_app_guard.yml
@@ -6,7 +6,6 @@ author: Teoderick Contreras, Splunk
 status: production
 type: TTP
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 description: The following analytic detects modifications to the Windows registry that disable Windows Defender Application Guard auditing. It leverages data from the Endpoint.Registry data model, focusing on specific registry paths and values. This activity is significant because disabling auditing can hinder security monitoring and threat detection within the isolated environment, making it easier for malicious activities to go unnoticed. If confirmed malicious, this action could allow attackers to bypass Windows Defender protections, potentially leading to unauthorized access, data exfiltration, or further system compromise.
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Policies\\Microsoft\\AppHVSI\\AuditApplicationGuard" Registry.registry_value_data="0x00000000" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_win_defender_app_guard_filter`'
diff --git a/detections/endpoint/windows_impair_defense_disable_win_defender_compute_file_hashes.yml b/detections/endpoint/windows_impair_defense_disable_win_defender_compute_file_hashes.yml
index e91808e878..37a786d7e5 100644
--- a/detections/endpoint/windows_impair_defense_disable_win_defender_compute_file_hashes.yml
+++ b/detections/endpoint/windows_impair_defense_disable_win_defender_compute_file_hashes.yml
@@ -6,7 +6,6 @@ author: Teoderick Contreras, Splunk
 status: production
 type: TTP
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 description: The following analytic detects modifications to the Windows registry that disable Windows Defender's file hash computation by setting the EnableFileHashComputation value to 0. This detection leverages data from the Endpoint.Registry data model, focusing on changes to the specific registry path associated with Windows Defender. Disabling file hash computation can significantly impair Windows Defender's ability to detect and scan for malware, making it a critical behavior to monitor. If confirmed malicious, this activity could allow attackers to bypass Windows Defender, facilitating undetected malware execution and persistence in the environment.
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\MpEngine\\EnableFileHashComputation" Registry.registry_value_data="0x00000000" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_win_defender_compute_file_hashes_filter`'
diff --git a/detections/endpoint/windows_impair_defense_disable_win_defender_gen_reports.yml b/detections/endpoint/windows_impair_defense_disable_win_defender_gen_reports.yml
index 2f2fcac705..0bb3f4d1fb 100644
--- a/detections/endpoint/windows_impair_defense_disable_win_defender_gen_reports.yml
+++ b/detections/endpoint/windows_impair_defense_disable_win_defender_gen_reports.yml
@@ -6,7 +6,6 @@ author: Teoderick Contreras, Splunk
 status: production
 type: TTP
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 description: The following analytic detects modifications in the Windows registry to disable Windows Defender generic reports. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the "DisableGenericRePorts" registry value. This activity is significant as it can prevent the transmission of error reports to Microsoft's Windows Error Reporting service, potentially hiding malicious activities. If confirmed malicious, this action could allow attackers to bypass Windows Defender detections, reducing the visibility of their activities and increasing the risk of undetected system compromise.
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\Reporting\\DisableGenericRePorts" Registry.registry_value_data="0x00000001" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_win_defender_gen_reports_filter`'
diff --git a/detections/endpoint/windows_impair_defense_disable_win_defender_network_protection.yml b/detections/endpoint/windows_impair_defense_disable_win_defender_network_protection.yml
index 7ca36c1a80..32183d89c4 100644
--- a/detections/endpoint/windows_impair_defense_disable_win_defender_network_protection.yml
+++ b/detections/endpoint/windows_impair_defense_disable_win_defender_network_protection.yml
@@ -6,7 +6,6 @@ author: Teoderick Contreras, Splunk
 status: production
 type: TTP
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 description: The following analytic detects modifications to the Windows registry that disable Windows Defender Network Protection. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the EnableNetworkProtection registry entry. This activity is significant because disabling Network Protection can leave the system vulnerable to network-based threats by preventing Windows Defender from analyzing and blocking malicious network activity. If confirmed malicious, this action could allow attackers to bypass security measures, potentially leading to unauthorized access, data exfiltration, or further compromise of the network.
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\Windows Defender Exploit Guard\\Network Protection\\EnableNetworkProtection" Registry.registry_value_data="0x00000000" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_win_defender_network_protection_filter`'
diff --git a/detections/endpoint/windows_impair_defense_disable_win_defender_report_infection.yml b/detections/endpoint/windows_impair_defense_disable_win_defender_report_infection.yml
index 871b7fdb87..09062e8ea1 100644
--- a/detections/endpoint/windows_impair_defense_disable_win_defender_report_infection.yml
+++ b/detections/endpoint/windows_impair_defense_disable_win_defender_report_infection.yml
@@ -6,7 +6,6 @@ author: Teoderick Contreras, Splunk
 status: production
 type: TTP
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 description: The following analytic detects modifications to the Windows registry that disable Windows Defender's infection reporting. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to the "DontReportInfectionInformation" registry key. This activity is significant because it can prevent Windows Defender from reporting detailed threat information to Microsoft, potentially allowing malware to evade detection. If confirmed malicious, this action could enable attackers to bypass security measures, maintain persistence, and avoid detection, leading to prolonged unauthorized access and potential data breaches.
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Microsoft\\MRT\\DontReportInfectionInformation" Registry.registry_value_data="0x00000001" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_win_defender_report_infection_filter`'
diff --git a/detections/endpoint/windows_impair_defense_disable_win_defender_scan_on_update.yml b/detections/endpoint/windows_impair_defense_disable_win_defender_scan_on_update.yml
index 91185eb74c..8bfa01e62b 100644
--- a/detections/endpoint/windows_impair_defense_disable_win_defender_scan_on_update.yml
+++ b/detections/endpoint/windows_impair_defense_disable_win_defender_scan_on_update.yml
@@ -6,7 +6,6 @@ author: Teoderick Contreras, Splunk
 status: production
 type: TTP
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 description: The following analytic detects modifications to the Windows registry that disable the Windows Defender Scan On Update feature. It leverages data from the Endpoint.Registry datamodel, specifically looking for changes to the "DisableScanOnUpdate" registry setting with a value of "0x00000001". This activity is significant because disabling automatic scans can leave systems vulnerable to malware and other threats. If confirmed malicious, this action could allow attackers to bypass Windows Defender, facilitating further compromise and persistence within the environment.
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\Signature Updates\\DisableScanOnUpdate" Registry.registry_value_data="0x00000001" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_win_defender_scan_on_update_filter`'
diff --git a/detections/endpoint/windows_impair_defense_disable_win_defender_signature_retirement.yml b/detections/endpoint/windows_impair_defense_disable_win_defender_signature_retirement.yml
index 9c6c7fa00b..3321663810 100644
--- a/detections/endpoint/windows_impair_defense_disable_win_defender_signature_retirement.yml
+++ b/detections/endpoint/windows_impair_defense_disable_win_defender_signature_retirement.yml
@@ -6,7 +6,6 @@ author: Teoderick Contreras, Splunk
 status: production
 type: TTP
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 description: The following analytic detects modifications to the Windows registry that disable Windows Defender Signature Retirement. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the DisableSignatureRetirement registry setting. This activity is significant because disabling signature retirement can prevent Windows Defender from removing outdated antivirus signatures, potentially reducing its effectiveness in detecting threats. If confirmed malicious, this action could allow an attacker to evade detection by using older, less relevant signatures, thereby compromising the system's security posture.
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\NIS\\Consumers\\IPS\\DisableSignatureRetirement" Registry.registry_value_data="0x00000001" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_win_defender_signature_retirement_filter`'
diff --git a/detections/endpoint/windows_impair_defense_overide_win_defender_phishing_filter.yml b/detections/endpoint/windows_impair_defense_overide_win_defender_phishing_filter.yml
index 1df570e032..b7166f5d4a 100644
--- a/detections/endpoint/windows_impair_defense_overide_win_defender_phishing_filter.yml
+++ b/detections/endpoint/windows_impair_defense_overide_win_defender_phishing_filter.yml
@@ -6,7 +6,6 @@ author: Teoderick Contreras, Splunk
 status: production
 type: TTP
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 description: The following analytic detects modifications to the Windows registry that disable the Windows Defender phishing filter. It leverages data from the Endpoint.Registry data model, focusing on changes to specific registry values related to Microsoft Edge's phishing filter settings. This activity is significant because disabling the phishing filter can allow attackers to deceive users into visiting malicious websites without triggering browser warnings. If confirmed malicious, this could lead to users unknowingly accessing harmful sites, resulting in potential security incidents or data compromises.
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_key_name = "*\\MicrosoftEdge\\PhishingFilter" Registry.registry_value_name IN ("EnabledV9", "PreventOverride") Registry.registry_value_data="0x00000000" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_overide_win_defender_phishing_filter_filter`'
diff --git a/detections/endpoint/windows_impair_defense_override_smartscreen_prompt.yml b/detections/endpoint/windows_impair_defense_override_smartscreen_prompt.yml
index aa6dff806f..4614225b7d 100644
--- a/detections/endpoint/windows_impair_defense_override_smartscreen_prompt.yml
+++ b/detections/endpoint/windows_impair_defense_override_smartscreen_prompt.yml
@@ -6,7 +6,6 @@ author: Teoderick Contreras, Splunk
 status: production
 type: TTP
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 description: The following analytic detects modifications to the Windows registry that override the Windows Defender SmartScreen prompt. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the "PreventSmartScreenPromptOverride" registry setting. This activity is significant because it indicates an attempt to disable the prevention of user overrides for SmartScreen prompts, potentially allowing users to bypass security warnings. If confirmed malicious, this could lead to users inadvertently executing or accessing harmful content, increasing the risk of security incidents or system compromises.
 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE Registry.registry_path= "*\\Microsoft\\Edge\\PreventSmartScreenPromptOverride" Registry.registry_value_data= "0x00000000" BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_override_smartscreen_prompt_filter`'
diff --git a/detections/endpoint/windows_impair_defense_set_win_defender_smart_screen_level_to_warn.yml b/detections/endpoint/windows_impair_defense_set_win_defender_smart_screen_level_to_warn.yml
index 23d3ca4092..6e9ce080dd 100644
--- a/detections/endpoint/windows_impair_defense_set_win_defender_smart_screen_level_to_warn.yml
+++ b/detections/endpoint/windows_impair_defense_set_win_defender_smart_screen_level_to_warn.yml
@@ -6,7 +6,6 @@ author: Teoderick Contreras, Splunk
 status: production
 type: TTP
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 description: The following analytic detects modifications to the Windows registry that set the Windows Defender SmartScreen level to "warn." This detection leverages data from the Endpoint.Registry data model, specifically monitoring changes to the ShellSmartScreenLevel registry value. This activity is significant because altering SmartScreen settings to "warn" can reduce immediate suspicion from users, allowing potentially malicious executables to run with just a warning prompt. If confirmed malicious, this could enable attackers to execute harmful files, increasing the risk of successful malware deployment and subsequent system compromise.
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Microsoft\\Windows\\System\\ShellSmartScreenLevel" Registry.registry_value_data="Warn" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_set_win_defender_smart_screen_level_to_warn_filter`'
diff --git a/detections/endpoint/windows_impair_defenses_disable_hvci.yml b/detections/endpoint/windows_impair_defenses_disable_hvci.yml
index 98f79b8954..19225b7bb7 100644
--- a/detections/endpoint/windows_impair_defenses_disable_hvci.yml
+++ b/detections/endpoint/windows_impair_defenses_disable_hvci.yml
@@ -6,7 +6,6 @@ author: Michael Haag, Splunk
 status: production
 type: TTP
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 description: The following analytic detects the disabling of Hypervisor-protected Code Integrity (HVCI) by monitoring changes in the Windows registry. It leverages data from the Endpoint datamodel, specifically focusing on registry paths and values related to HVCI settings. This activity is significant because HVCI helps protect the kernel and system processes from tampering by malicious code. If confirmed malicious, disabling HVCI could allow attackers to execute unsigned kernel-mode code, potentially leading to kernel-level rootkits or other severe security breaches.
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = "*\\CurrentControlSet\\Control\\DeviceGuard\\Scenarios\\HypervisorEnforcedCodeIntegrity\\Enabled" Registry.registry_value_data="0x00000000"  by  Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action  Registry.user Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defenses_disable_hvci_filter`'
diff --git a/detections/endpoint/windows_impair_defenses_disable_win_defender_auto_logging.yml b/detections/endpoint/windows_impair_defenses_disable_win_defender_auto_logging.yml
index 3b2738b061..ff9ccaee8a 100644
--- a/detections/endpoint/windows_impair_defenses_disable_win_defender_auto_logging.yml
+++ b/detections/endpoint/windows_impair_defenses_disable_win_defender_auto_logging.yml
@@ -7,7 +7,6 @@ status: production
 type: Anomaly
 description: The following analytic detects the disabling of Windows Defender logging by identifying changes to the Registry keys DefenderApiLogger or DefenderAuditLogger set to disable. It leverages data from the Endpoint.Registry datamodel to monitor specific registry paths and values. This activity is significant as it is commonly associated with Remote Access Trojan (RAT) malware attempting to evade detection. If confirmed malicious, this action could allow an attacker to conceal their activities, making it harder to detect further malicious actions and maintain persistence on the compromised endpoint.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where (Registry.registry_path = "*WMI\\Autologger\\DefenderApiLogger\\Start" OR Registry.registry_path = "*WMI\\Autologger\\DefenderAuditLogger\\Start")  Registry.registry_value_data ="0x00000000" by  Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.dest Registry.user | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defenses_disable_win_defender_auto_logging_filter`'
 how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.
diff --git a/detections/endpoint/windows_lsa_secrets_nolmhash_registry.yml b/detections/endpoint/windows_lsa_secrets_nolmhash_registry.yml
index da3ce68a68..0441fb0a82 100644
--- a/detections/endpoint/windows_lsa_secrets_nolmhash_registry.yml
+++ b/detections/endpoint/windows_lsa_secrets_nolmhash_registry.yml
@@ -6,7 +6,6 @@ author: Teoderick Contreras, Splunk
 status: production
 type: TTP
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 description: The following analytic detects modifications to the Windows registry related to the Local Security Authority (LSA) NoLMHash setting. It identifies when the registry value is set to 0, indicating that the system will store passwords in the weaker Lan Manager (LM) hash format. This detection leverages registry activity logs from endpoint data sources like Sysmon or EDR tools. Monitoring this activity is crucial as it can indicate attempts to weaken password storage security. If confirmed malicious, this could allow attackers to exploit weaker LM hashes, potentially leading to unauthorized access and credential theft.
 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\System\\CurrentControlSet\\Control\\Lsa\\NoLMHash" Registry.registry_value_data = 0x00000000) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_lsa_secrets_nolmhash_registry_filter`'
diff --git a/detections/endpoint/windows_modify_registry_authenticationleveloverride.yml b/detections/endpoint/windows_modify_registry_authenticationleveloverride.yml
index a48c572643..f13bcab8f7 100644
--- a/detections/endpoint/windows_modify_registry_authenticationleveloverride.yml
+++ b/detections/endpoint/windows_modify_registry_authenticationleveloverride.yml
@@ -6,7 +6,6 @@ author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 description: The following analytic detects modifications to the Windows registry key "AuthenticationLevelOverride" within the Terminal Server Client settings. It leverages data from the Endpoint.Registry datamodel to identify changes where the registry value is set to 0x00000000. This activity is significant as it may indicate an attempt to override authentication levels for remote connections, a tactic used by DarkGate malware for malicious installations. If confirmed malicious, this could allow attackers to gain unauthorized remote access, potentially leading to data exfiltration or further system compromise.
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = "*\\Terminal Server Client\\AuthenticationLevelOverride"  Registry.registry_value_data = 0x00000000 by  Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_authenticationleveloverride_filter`'
diff --git a/detections/endpoint/windows_modify_registry_auto_minor_updates.yml b/detections/endpoint/windows_modify_registry_auto_minor_updates.yml
index 63086364fc..ef9599ab63 100644
--- a/detections/endpoint/windows_modify_registry_auto_minor_updates.yml
+++ b/detections/endpoint/windows_modify_registry_auto_minor_updates.yml
@@ -6,7 +6,6 @@ author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 description: The following analytic identifies a suspicious modification to the Windows auto update configuration registry. It detects changes to the registry path "*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\AutoInstallMinorUpdates" with a value of "0x00000000". This activity is significant as it is commonly used by adversaries, including malware like RedLine Stealer, to bypass detection and deploy additional payloads. If confirmed malicious, this modification could allow attackers to evade defenses, potentially leading to further system compromise and exploitation of zero-day vulnerabilities.
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\AutoInstallMinorUpdates" AND Registry.registry_value_data="0x00000000" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_auto_minor_updates_filter`'
diff --git a/detections/endpoint/windows_modify_registry_auto_update_notif.yml b/detections/endpoint/windows_modify_registry_auto_update_notif.yml
index 50f3afbc53..fce4a0d370 100644
--- a/detections/endpoint/windows_modify_registry_auto_update_notif.yml
+++ b/detections/endpoint/windows_modify_registry_auto_update_notif.yml
@@ -6,7 +6,6 @@ author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 description: The following analytic detects a suspicious modification to the Windows registry that changes the auto-update notification setting to "Notify before download." This detection leverages data from the Endpoint.Registry data model, focusing on specific registry paths and values. This activity is significant because it is a known technique used by adversaries, including malware like RedLine Stealer, to evade detection and potentially deploy additional payloads. If confirmed malicious, this modification could allow attackers to bypass security measures, maintain persistence, and exploit vulnerabilities on the target host.
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\AUOptions" AND Registry.registry_value_data="0x00000002" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_auto_update_notif_filter`'
diff --git a/detections/endpoint/windows_modify_registry_default_icon_setting.yml b/detections/endpoint/windows_modify_registry_default_icon_setting.yml
index 3b7ef59d02..e3d8ea80bd 100644
--- a/detections/endpoint/windows_modify_registry_default_icon_setting.yml
+++ b/detections/endpoint/windows_modify_registry_default_icon_setting.yml
@@ -7,7 +7,6 @@ status: production
 type: Anomaly
 description: The following analytic detects suspicious modifications to the Windows registry's default icon settings, a technique associated with Lockbit ransomware. It leverages data from the Endpoint Registry data model, focusing on changes to registry paths under "*HKCR\\*\\defaultIcon\\(Default)*". This activity is significant as it is uncommon for normal users to modify these settings, and such changes can indicate ransomware infection or other malware. If confirmed malicious, this could lead to system defacement and signal a broader ransomware attack, potentially compromising sensitive data and system integrity.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count  min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path ="*\\defaultIcon\\(Default)*" Registry.registry_path = "*HKCR\\*" by Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.action Registry.dest  Registry.user | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `windows_modify_registry_default_icon_setting_filter`'
 how_to_implement: To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.
diff --git a/detections/endpoint/windows_modify_registry_disable_restricted_admin.yml b/detections/endpoint/windows_modify_registry_disable_restricted_admin.yml
index 6dbf834481..49878348eb 100644
--- a/detections/endpoint/windows_modify_registry_disable_restricted_admin.yml
+++ b/detections/endpoint/windows_modify_registry_disable_restricted_admin.yml
@@ -6,7 +6,6 @@ author: Teoderick Contreras, Splunk
 status: production
 type: TTP
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 description: The following analytic detects modifications to the Windows registry entry "DisableRestrictedAdmin," which controls the Restricted Admin mode behavior. This detection leverages registry activity logs from endpoint data sources like Sysmon or Carbon Black. Monitoring this activity is crucial as changes to this setting can disable a security feature that limits credential exposure during remote connections. If confirmed malicious, an attacker could weaken security controls, increasing the risk of credential theft and unauthorized access to sensitive systems.
 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\System\\CurrentControlSet\\Control\\Lsa\\DisableRestrictedAdmin" Registry.registry_value_data = 0x00000000) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disable_restricted_admin_filter`'
diff --git a/detections/endpoint/windows_modify_registry_disable_toast_notifications.yml b/detections/endpoint/windows_modify_registry_disable_toast_notifications.yml
index b100e905f8..5cfde44d06 100644
--- a/detections/endpoint/windows_modify_registry_disable_toast_notifications.yml
+++ b/detections/endpoint/windows_modify_registry_disable_toast_notifications.yml
@@ -7,7 +7,6 @@ status: production
 type: Anomaly
 description: The following analytic detects modifications to the Windows registry that disable toast notifications. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to the registry path "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\PushNotifications\\ToastEnabled*" with a value set to "0x00000000". This activity is significant because disabling toast notifications can prevent users from receiving critical system and application updates, which adversaries like Azorult exploit for defense evasion. If confirmed malicious, this action could allow attackers to operate undetected, leading to prolonged persistence and potential further compromise of the system.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\PushNotifications\\ToastEnabled*" Registry.registry_value_data="0x00000000" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disable_toast_notifications_filter`'
 how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.
diff --git a/detections/endpoint/windows_modify_registry_disable_win_defender_raw_write_notif.yml b/detections/endpoint/windows_modify_registry_disable_win_defender_raw_write_notif.yml
index f84d8c4f04..03d7b63064 100644
--- a/detections/endpoint/windows_modify_registry_disable_win_defender_raw_write_notif.yml
+++ b/detections/endpoint/windows_modify_registry_disable_win_defender_raw_write_notif.yml
@@ -7,7 +7,6 @@ status: production
 type: Anomaly
 description: The following analytic detects modifications to the Windows registry that disable the Windows Defender raw write notification feature. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to the registry path associated with Windows Defender's real-time protection settings. This activity is significant because disabling raw write notifications can allow malware, such as Azorult, to bypass Windows Defender's behavior monitoring, potentially leading to undetected malicious activities. If confirmed malicious, this could enable attackers to execute code, persist in the environment, and access sensitive information without detection.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\Real-Time Protection\\DisableRawWriteNotification*" Registry.registry_value_data="0x00000001" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disable_win_defender_raw_write_notif_filter`'
 how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.
diff --git a/detections/endpoint/windows_modify_registry_disable_windefender_notifications.yml b/detections/endpoint/windows_modify_registry_disable_windefender_notifications.yml
index 1a0fbcafd4..3b34e9b906 100644
--- a/detections/endpoint/windows_modify_registry_disable_windefender_notifications.yml
+++ b/detections/endpoint/windows_modify_registry_disable_windefender_notifications.yml
@@ -6,7 +6,6 @@ author: Teoderick Contreras, Splunk
 status: production
 type: TTP
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 description: The following analytic detects a suspicious registry modification aimed at disabling Windows Defender notifications. It leverages data from the Endpoint.Registry data model, specifically looking for changes to the registry path "*\\SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center\\Notifications\\DisableNotifications" with a value of "0x00000001". This activity is significant as it indicates an attempt to evade detection by disabling security alerts, a technique used by adversaries and malware like RedLine Stealer. If confirmed malicious, this could allow attackers to operate undetected, increasing the risk of further compromise and data exfiltration.
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center\\Notifications\\DisableNotifications" AND Registry.registry_value_data="0x00000001" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_disable_windefender_notifications_filter`'
diff --git a/detections/endpoint/windows_modify_registry_disable_windows_security_center_notif.yml b/detections/endpoint/windows_modify_registry_disable_windows_security_center_notif.yml
index 0c7359a41a..5e334e2b9b 100644
--- a/detections/endpoint/windows_modify_registry_disable_windows_security_center_notif.yml
+++ b/detections/endpoint/windows_modify_registry_disable_windows_security_center_notif.yml
@@ -7,7 +7,6 @@ status: production
 type: Anomaly
 description: The following analytic detects modifications to the Windows registry aimed at disabling Windows Security Center notifications. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to the registry path "*\\Windows\\CurrentVersion\\ImmersiveShell\\UseActionCenterExperience*" with a value of "0x00000000". This activity is significant as it can indicate an attempt by adversaries or malware, such as Azorult, to evade defenses by suppressing critical update notifications. If confirmed malicious, this could allow attackers to persist undetected, potentially leading to further exploitation and compromise of the host system.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows\\CurrentVersion\\ImmersiveShell\\UseActionCenterExperience*" Registry.registry_value_data="0x00000000" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disable_windows_security_center_notif_filter`'
 how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.
diff --git a/detections/endpoint/windows_modify_registry_disableremotedesktopantialias.yml b/detections/endpoint/windows_modify_registry_disableremotedesktopantialias.yml
index e8aed5c3e9..3eba5d75a6 100644
--- a/detections/endpoint/windows_modify_registry_disableremotedesktopantialias.yml
+++ b/detections/endpoint/windows_modify_registry_disableremotedesktopantialias.yml
@@ -6,7 +6,6 @@ author: Teoderick Contreras, Splunk
 status: production
 type: TTP
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 description: The following analytic detects modifications to the Windows registry key "DisableRemoteDesktopAntiAlias" with a value set to 0x00000001. This detection leverages data from the Endpoint datamodel, specifically monitoring changes in the Registry node. This activity is significant as it may indicate the presence of DarkGate malware, which alters this registry setting to enhance its remote desktop capabilities. If confirmed malicious, this modification could allow an attacker to maintain persistence and control over the compromised host, potentially leading to further exploitation and data exfiltration.
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = "*\\Terminal Services\\DisableRemoteDesktopAntiAlias"  Registry.registry_value_data = 0x00000001 by  Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disableremotedesktopantialias_filter`'
diff --git a/detections/endpoint/windows_modify_registry_disablesecuritysettings.yml b/detections/endpoint/windows_modify_registry_disablesecuritysettings.yml
index 91998ef864..46afcf51c3 100644
--- a/detections/endpoint/windows_modify_registry_disablesecuritysettings.yml
+++ b/detections/endpoint/windows_modify_registry_disablesecuritysettings.yml
@@ -6,7 +6,6 @@ author: Teoderick Contreras, Splunk
 status: production
 type: TTP
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 description: The following analytic detects modifications to the Windows registry that disable security settings for Terminal Services. It leverages the Endpoint data model, specifically monitoring changes to the registry path associated with Terminal Services security settings. This activity is significant because altering these settings can weaken the security posture of Remote Desktop Services, potentially allowing unauthorized remote access. If confirmed malicious, such modifications could enable attackers to gain persistent remote access to the system, facilitating further exploitation and data exfiltration.
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = "*\\Terminal Services\\DisableSecuritySettings"  Registry.registry_value_data = 0x00000001 by  Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disablesecuritysettings_filter`'
diff --git a/detections/endpoint/windows_modify_registry_disabling_wer_settings.yml b/detections/endpoint/windows_modify_registry_disabling_wer_settings.yml
index 1f02d96160..280bfce4e9 100644
--- a/detections/endpoint/windows_modify_registry_disabling_wer_settings.yml
+++ b/detections/endpoint/windows_modify_registry_disabling_wer_settings.yml
@@ -7,7 +7,6 @@ status: production
 type: TTP
 description: The following analytic detects modifications in the Windows registry to disable Windows Error Reporting (WER) settings. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to registry paths related to WER with a value set to "0x00000001". This activity is significant as adversaries may disable WER to suppress error notifications, hiding the presence of malicious activities. If confirmed malicious, this could allow attackers to operate undetected, potentially leading to prolonged persistence and further exploitation within the environment.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\disable*" Registry.registry_value_data="0x00000001" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disabling_wer_settings_filter`'
 how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.
diff --git a/detections/endpoint/windows_modify_registry_disallow_windows_app.yml b/detections/endpoint/windows_modify_registry_disallow_windows_app.yml
index 1bb85e7e02..b202433525 100644
--- a/detections/endpoint/windows_modify_registry_disallow_windows_app.yml
+++ b/detections/endpoint/windows_modify_registry_disallow_windows_app.yml
@@ -7,7 +7,6 @@ status: production
 type: TTP
 description: The following analytic detects modifications to the Windows registry aimed at preventing the execution of specific computer programs. It leverages data from the Endpoint.Registry datamodel, focusing on changes to the registry path "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DisallowRun*" with a value of "0x00000001". This activity is significant as it can indicate an attempt to disable security tools, a tactic used by malware like Azorult. If confirmed malicious, this could allow an attacker to evade detection and maintain persistence on the compromised host.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DisallowRun*" Registry.registry_value_data="0x00000001" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disallow_windows_app_filter`'
 how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.
diff --git a/detections/endpoint/windows_modify_registry_do_not_connect_to_win_update.yml b/detections/endpoint/windows_modify_registry_do_not_connect_to_win_update.yml
index f6ab2c2c16..1020e15789 100644
--- a/detections/endpoint/windows_modify_registry_do_not_connect_to_win_update.yml
+++ b/detections/endpoint/windows_modify_registry_do_not_connect_to_win_update.yml
@@ -6,7 +6,6 @@ author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 description: The following analytic detects a suspicious modification to the Windows registry that disables automatic updates. It leverages data from the Endpoint datamodel, specifically monitoring changes to the registry path "*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\DoNotConnectToWindowsUpdateInternetLocations" with a value of "0x00000001". This activity is significant as it can be used by adversaries, including malware like RedLine Stealer, to evade detection and prevent the system from receiving critical updates. If confirmed malicious, this could allow attackers to exploit vulnerabilities, persist in the environment, and potentially deploy additional payloads.
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\DoNotConnectToWindowsUpdateInternetLocations" AND Registry.registry_value_data="0x00000001" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_do_not_connect_to_win_update_filter`'
diff --git a/detections/endpoint/windows_modify_registry_dontshowui.yml b/detections/endpoint/windows_modify_registry_dontshowui.yml
index 5b5772d887..ac4f909313 100644
--- a/detections/endpoint/windows_modify_registry_dontshowui.yml
+++ b/detections/endpoint/windows_modify_registry_dontshowui.yml
@@ -6,7 +6,6 @@ author: Teoderick Contreras, Splunk
 status: production
 type: TTP
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 description: The following analytic detects modifications to the Windows Error Reporting registry key "DontShowUI" to suppress error reporting dialogs. It leverages data from the Endpoint datamodel's Registry node to identify changes where the registry value is set to 0x00000001. This activity is significant as it is commonly associated with DarkGate malware, which uses this modification to avoid detection during its installation. If confirmed malicious, this behavior could allow attackers to maintain a low profile, avoiding user alerts and potentially enabling further malicious activities without user intervention.
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = "*\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontShowUI"  Registry.registry_value_data = 0x00000001 by  Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_dontshowui_filter`'
diff --git a/detections/endpoint/windows_modify_registry_enablelinkedconnections.yml b/detections/endpoint/windows_modify_registry_enablelinkedconnections.yml
index 044aa0dcc0..a7193f68f4 100644
--- a/detections/endpoint/windows_modify_registry_enablelinkedconnections.yml
+++ b/detections/endpoint/windows_modify_registry_enablelinkedconnections.yml
@@ -6,7 +6,6 @@ author: Teoderick Contreras, Splunk
 status: production
 type: TTP
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 description: The following analytic detects a suspicious modification to the Windows registry setting for EnableLinkedConnections. It leverages data from the Endpoint.Registry datamodel to identify changes where the registry path is "*\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLinkedConnections" and the value is set to "0x00000001". This activity is significant because enabling linked connections can allow network shares to be accessed with both standard and administrator-level privileges, a technique often abused by malware like BlackByte ransomware. If confirmed malicious, this could lead to unauthorized access to sensitive network resources, escalating the attacker's privileges.
 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLinkedConnections" Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_enablelinkedconnections_filter`'
diff --git a/detections/endpoint/windows_modify_registry_longpathsenabled.yml b/detections/endpoint/windows_modify_registry_longpathsenabled.yml
index e4fe14d829..58e4f3dfd0 100644
--- a/detections/endpoint/windows_modify_registry_longpathsenabled.yml
+++ b/detections/endpoint/windows_modify_registry_longpathsenabled.yml
@@ -6,7 +6,6 @@ author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 description: The following analytic detects a modification to the Windows registry setting "LongPathsEnabled," which allows file paths longer than 260 characters. This detection leverages data from the Endpoint.Registry datamodel, focusing on changes to the specific registry path and value. This activity is significant because adversaries, including malware like BlackByte, exploit this setting to bypass file path limitations, potentially aiding in evasion techniques. If confirmed malicious, this modification could facilitate the execution of long-path payloads, aiding in persistence and further system compromise.
 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\CurrentControlSet\\Control\\FileSystem\\LongPathsEnabled" Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_longpathsenabled_filter`'
diff --git a/detections/endpoint/windows_modify_registry_maxconnectionperserver.yml b/detections/endpoint/windows_modify_registry_maxconnectionperserver.yml
index 73fc15782a..ff63454d93 100644
--- a/detections/endpoint/windows_modify_registry_maxconnectionperserver.yml
+++ b/detections/endpoint/windows_modify_registry_maxconnectionperserver.yml
@@ -6,7 +6,6 @@ author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 description: The following analytic identifies a suspicious modification of the Windows registry setting for max connections per server. It detects changes to specific registry paths using data from the Endpoint.Registry datamodel. This activity is significant because altering this setting can be exploited by attackers to increase the number of concurrent connections to a remote server, potentially facilitating DDoS attacks or enabling more effective lateral movement within a compromised network. If confirmed malicious, this could lead to network disruption or further compromise of additional systems.
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\MaxConnectionsPerServer*" OR Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\MaxConnectionsPer1_0Server*")  Registry.registry_value_data = "0x0000000a" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_maxconnectionperserver_filter`'
diff --git a/detections/endpoint/windows_modify_registry_no_auto_reboot_with_logon_user.yml b/detections/endpoint/windows_modify_registry_no_auto_reboot_with_logon_user.yml
index 8b5a15d75b..569becd740 100644
--- a/detections/endpoint/windows_modify_registry_no_auto_reboot_with_logon_user.yml
+++ b/detections/endpoint/windows_modify_registry_no_auto_reboot_with_logon_user.yml
@@ -6,7 +6,6 @@ author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 description: The following analytic detects a suspicious modification to the Windows registry that disables automatic reboot with a logged-on user. This detection leverages the Endpoint data model to identify changes to the registry path `SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoRebootWithLoggedOnUsers` with a value of `0x00000001`. This activity is significant as it is commonly used by adversaries, including malware like RedLine Stealer, to evade detection and maintain persistence. If confirmed malicious, this could allow attackers to bypass security measures and deploy additional payloads without interruption.
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\NoAutoRebootWithLoggedOnUsers" AND Registry.registry_value_data="0x00000001" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_no_auto_reboot_with_logon_user_filter`'
diff --git a/detections/endpoint/windows_modify_registry_no_auto_update.yml b/detections/endpoint/windows_modify_registry_no_auto_update.yml
index b235436325..950987e85b 100644
--- a/detections/endpoint/windows_modify_registry_no_auto_update.yml
+++ b/detections/endpoint/windows_modify_registry_no_auto_update.yml
@@ -6,7 +6,6 @@ author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 description: The following analytic identifies a suspicious modification to the Windows registry that disables automatic updates. It detects changes to the registry path `SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate` with a value of `0x00000001`. This activity is significant as it is commonly used by adversaries, including malware like RedLine Stealer, to evade detection and maintain persistence. If confirmed malicious, this could allow attackers to bypass security updates, leaving the system vulnerable to further exploitation and potential zero-day attacks.
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\NoAutoUpdate" AND Registry.registry_value_data="0x00000001" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_no_auto_update_filter`'
diff --git a/detections/endpoint/windows_modify_registry_nochangingwallpaper.yml b/detections/endpoint/windows_modify_registry_nochangingwallpaper.yml
index c10cf02965..d44ec21b34 100644
--- a/detections/endpoint/windows_modify_registry_nochangingwallpaper.yml
+++ b/detections/endpoint/windows_modify_registry_nochangingwallpaper.yml
@@ -6,7 +6,6 @@ author: Teoderick Contreras, Splunk
 status: production
 type: TTP
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 description: The following analytic detects modifications to the Windows registry aimed at preventing wallpaper changes. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to the "NoChangingWallPaper" registry value. This activity is significant as it is a known tactic used by Rhysida ransomware to enforce a malicious wallpaper, thereby limiting user control over system settings. If confirmed malicious, this registry change could indicate a ransomware infection, leading to further system compromise and user disruption.
 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\Windows\\CurrentVersion\\Policies\\ActiveDesktop\\NoChangingWallPaper" Registry.registry_value_data = 1) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_nochangingwallpaper_filter`'
diff --git a/detections/endpoint/windows_modify_registry_proxyenable.yml b/detections/endpoint/windows_modify_registry_proxyenable.yml
index edbf26d162..6a1734c0aa 100644
--- a/detections/endpoint/windows_modify_registry_proxyenable.yml
+++ b/detections/endpoint/windows_modify_registry_proxyenable.yml
@@ -6,7 +6,6 @@ author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 description: The following analytic detects modifications to the Windows registry key "ProxyEnable" to enable proxy settings. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to the "Internet Settings\ProxyEnable" registry path. This activity is significant as it is commonly exploited by malware and adversaries to establish proxy communication, potentially connecting to malicious Command and Control (C2) servers. If confirmed malicious, this could allow attackers to redirect network traffic through a proxy, facilitating unauthorized communication and data exfiltration, thereby compromising the security of the affected host.
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = "*\\Internet Settings\\ProxyEnable"  Registry.registry_value_data = 0x00000001 by  Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_proxyenable_filter`'
diff --git a/detections/endpoint/windows_modify_registry_proxyserver.yml b/detections/endpoint/windows_modify_registry_proxyserver.yml
index cfaf0230e6..7e6f844128 100644
--- a/detections/endpoint/windows_modify_registry_proxyserver.yml
+++ b/detections/endpoint/windows_modify_registry_proxyserver.yml
@@ -6,7 +6,6 @@ author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 description: The following analytic detects modifications to the Windows registry key for setting up a proxy server. It leverages data from the Endpoint.Registry datamodel, focusing on changes to the "Internet Settings\\ProxyServer" registry path. This activity is significant as it can indicate malware or adversaries configuring a proxy to facilitate unauthorized communication with Command and Control (C2) servers. If confirmed malicious, this could allow attackers to establish persistent, covert channels for data exfiltration or further exploitation of the compromised host.
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = "*\\Internet Settings\\ProxyServer" by  Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_proxyserver_filter`'
diff --git a/detections/endpoint/windows_modify_registry_suppress_win_defender_notif.yml b/detections/endpoint/windows_modify_registry_suppress_win_defender_notif.yml
index af0c18bb47..ec93b20920 100644
--- a/detections/endpoint/windows_modify_registry_suppress_win_defender_notif.yml
+++ b/detections/endpoint/windows_modify_registry_suppress_win_defender_notif.yml
@@ -7,7 +7,6 @@ status: production
 type: Anomaly
 description: The following analytic detects modifications in the Windows registry to suppress Windows Defender notifications. It leverages data from the Endpoint.Registry datamodel, specifically targeting changes to the "Notification_Suppress" registry value. This activity is significant because adversaries, including those deploying Azorult malware, use this technique to bypass Windows Defender and disable critical notifications. If confirmed malicious, this behavior could allow attackers to evade detection, maintain persistence, and execute further malicious activities without alerting the user or security tools.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\UX Configuration\\Notification_Suppress*" Registry.registry_value_data="0x00000001" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_suppress_win_defender_notif_filter`'
 how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.
diff --git a/detections/endpoint/windows_modify_registry_tamper_protection.yml b/detections/endpoint/windows_modify_registry_tamper_protection.yml
index a86d628c3c..883688b690 100644
--- a/detections/endpoint/windows_modify_registry_tamper_protection.yml
+++ b/detections/endpoint/windows_modify_registry_tamper_protection.yml
@@ -6,7 +6,6 @@ author: Teoderick Contreras, Splunk
 status: production
 type: TTP
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 description: The following analytic detects a suspicious modification to the Windows Defender Tamper Protection registry setting. It leverages data from the Endpoint datamodel, specifically targeting changes where the registry path is set to disable Tamper Protection. This activity is significant because disabling Tamper Protection can allow adversaries to make further undetected changes to Windows Defender settings, potentially leading to reduced security on the system. If confirmed malicious, this could enable attackers to evade detection, persist in the environment, and execute further malicious activities without interference from Windows Defender.
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\TamperProtection" AND Registry.registry_value_data="0x00000000" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_tamper_protection_filter`'
diff --git a/detections/endpoint/windows_modify_registry_to_add_or_modify_firewall_rule.yml b/detections/endpoint/windows_modify_registry_to_add_or_modify_firewall_rule.yml
index 98aa55404b..2b307e71f7 100644
--- a/detections/endpoint/windows_modify_registry_to_add_or_modify_firewall_rule.yml
+++ b/detections/endpoint/windows_modify_registry_to_add_or_modify_firewall_rule.yml
@@ -4,7 +4,6 @@ version: 2
 date: '2024-09-30'
 author: Teoderick Contreras, Splunk
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 - Sysmon EventID 14
 type: Anomaly
diff --git a/detections/endpoint/windows_modify_registry_updateserviceurlalternate.yml b/detections/endpoint/windows_modify_registry_updateserviceurlalternate.yml
index c586a844df..751e8632c2 100644
--- a/detections/endpoint/windows_modify_registry_updateserviceurlalternate.yml
+++ b/detections/endpoint/windows_modify_registry_updateserviceurlalternate.yml
@@ -6,7 +6,6 @@ author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 description: The following analytic detects a suspicious modification to the Windows Update configuration registry key, specifically targeting the UpdateServiceUrlAlternate setting. It leverages data from the Endpoint.Registry datamodel to identify changes to this registry path. This activity is significant because adversaries, including malware like RedLine Stealer, exploit this technique to bypass detection and deploy additional payloads. If confirmed malicious, this modification could allow attackers to redirect update services, potentially leading to the execution of malicious code, further system compromise, and persistent evasion of security defenses.
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\UpdateServiceUrlAlternate" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_updateserviceurlalternate_filter`'
diff --git a/detections/endpoint/windows_modify_registry_usewuserver.yml b/detections/endpoint/windows_modify_registry_usewuserver.yml
index 47ffab75a4..1e02e0ac7f 100644
--- a/detections/endpoint/windows_modify_registry_usewuserver.yml
+++ b/detections/endpoint/windows_modify_registry_usewuserver.yml
@@ -6,7 +6,6 @@ author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 description: The following analytic detects a suspicious modification to the Windows Update configuration registry key "UseWUServer." It leverages data from the Endpoint.Registry data model to identify changes where the registry value is set to "0x00000001." This activity is significant because it is commonly used by adversaries, including malware like RedLine Stealer, to bypass detection mechanisms and potentially exploit zero-day vulnerabilities. If confirmed malicious, this modification could allow attackers to evade defenses, persist on the target host, and deploy additional malicious payloads.
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\UseWUServer" AND Registry.registry_value_data="0x00000001" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_usewuserver_filter`'
diff --git a/detections/endpoint/windows_modify_registry_valleyrat_c2_config.yml b/detections/endpoint/windows_modify_registry_valleyrat_c2_config.yml
index 57f0770928..c7bca4ca0b 100644
--- a/detections/endpoint/windows_modify_registry_valleyrat_c2_config.yml
+++ b/detections/endpoint/windows_modify_registry_valleyrat_c2_config.yml
@@ -4,7 +4,6 @@ version: 3
 date: '2024-09-30'
 author: Teoderick Contreras, Splunk
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 type: TTP
 status: production
diff --git a/detections/endpoint/windows_modify_registry_with_md5_reg_key_name.yml b/detections/endpoint/windows_modify_registry_with_md5_reg_key_name.yml
index 15ce62d82f..2777250234 100644
--- a/detections/endpoint/windows_modify_registry_with_md5_reg_key_name.yml
+++ b/detections/endpoint/windows_modify_registry_with_md5_reg_key_name.yml
@@ -6,7 +6,6 @@ author: Teoderick Contreras, Splunk
 status: production
 type: TTP
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 description: The following analytic detects potentially malicious registry modifications characterized by MD5-like registry key names. It leverages the Endpoint data model to identify registry entries under the SOFTWARE path with 32-character hexadecimal names, a technique often used by NjRAT malware for fileless storage of keylogs and .DLL plugins. This activity is significant as it can indicate the presence of NjRAT or similar malware, which can lead to unauthorized data access and persistent threats within the environment. If confirmed malicious, attackers could maintain persistence and exfiltrate sensitive information.
 search: '| tstats `security_content_summariesonly`  count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where  Registry.registry_path = "*\\SOFTWARE\\*" Registry.registry_value_data = "Binary Data" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | eval dropped_reg_path = split(registry_path, "\\") | eval dropped_reg_path_split_count = mvcount(dropped_reg_path) | eval validation_result= if(match(registry_value_name,"^[0-9a-fA-F]{32}$"),"md5","nonmd5") | where validation_result = "md5" AND dropped_reg_path_split_count <= 5 | table dest user registry_path registry_value_name registry_value_data registry_key_name reg_key_name dropped_reg_path_split_count validation_result | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_with_md5_reg_key_name_filter`'
diff --git a/detections/endpoint/windows_modify_registry_wuserver.yml b/detections/endpoint/windows_modify_registry_wuserver.yml
index a65e07e766..acc604be92 100644
--- a/detections/endpoint/windows_modify_registry_wuserver.yml
+++ b/detections/endpoint/windows_modify_registry_wuserver.yml
@@ -6,7 +6,6 @@ author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 description: The following analytic detects suspicious modifications to the Windows Update Server (WUServer) registry settings. It leverages data from the Endpoint.Registry data model to identify changes in the registry path associated with Windows Update configurations. This activity is significant because adversaries, including malware like RedLine Stealer, exploit this technique to bypass detection and deploy additional payloads. If confirmed malicious, this registry modification could allow attackers to evade defenses, potentially leading to further system compromise and persistent unauthorized access.
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\WUServer" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_wuserver_filter`'
diff --git a/detections/endpoint/windows_modify_registry_wustatusserver.yml b/detections/endpoint/windows_modify_registry_wustatusserver.yml
index a2607e2686..a98858f7b5 100644
--- a/detections/endpoint/windows_modify_registry_wustatusserver.yml
+++ b/detections/endpoint/windows_modify_registry_wustatusserver.yml
@@ -6,7 +6,6 @@ author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 description: The following analytic identifies suspicious modifications to the Windows Update configuration registry, specifically targeting the WUStatusServer key. It leverages data from the Endpoint datamodel to detect changes in the registry path associated with Windows Update settings. This activity is significant as it is commonly used by adversaries, including malware like RedLine Stealer, to bypass detection and deploy additional payloads. If confirmed malicious, this modification could allow attackers to evade defenses, potentially leading to further system compromise and persistent unauthorized access.
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\WUStatusServer" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_wustatusserver_filter`'
diff --git a/detections/endpoint/windows_modify_show_compress_color_and_info_tip_registry.yml b/detections/endpoint/windows_modify_show_compress_color_and_info_tip_registry.yml
index 9beb76498d..0e9fc581c5 100644
--- a/detections/endpoint/windows_modify_show_compress_color_and_info_tip_registry.yml
+++ b/detections/endpoint/windows_modify_show_compress_color_and_info_tip_registry.yml
@@ -7,7 +7,6 @@ status: production
 type: TTP
 description: The following analytic detects suspicious modifications to the Windows registry keys related to file compression color and information tips. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the "ShowCompColor" and "ShowInfoTip" values under the "Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced" path. This activity is significant as it was observed in the Hermetic Wiper malware, indicating potential malicious intent to alter file attributes and user interface elements. If confirmed malicious, this could signify an attempt to manipulate file visibility and deceive users, potentially aiding in further malicious activities.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced*" AND Registry.registry_value_name  IN("ShowCompColor", "ShowInfoTip")) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_show_compress_color_and_info_tip_registry_filter`'
 how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
diff --git a/detections/endpoint/windows_mshta_execution_in_registry.yml b/detections/endpoint/windows_mshta_execution_in_registry.yml
index f3b4fbd668..c471b7bf66 100644
--- a/detections/endpoint/windows_mshta_execution_in_registry.yml
+++ b/detections/endpoint/windows_mshta_execution_in_registry.yml
@@ -7,7 +7,6 @@ status: production
 type: TTP
 description: The following analytic detects the execution of mshta.exe via registry entries to run malicious scripts. It leverages registry activity logs to identify entries containing "mshta," "javascript," "vbscript," or "WScript.Shell." This behavior is significant as it indicates potential fileless malware, such as Kovter, which uses encoded scripts in the registry to persist and execute without files. If confirmed malicious, this activity could allow attackers to maintain persistence, execute arbitrary code, and evade traditional file-based detection methods, posing a significant threat to system integrity and security.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_value_data = "*mshta*" OR Registry.registry_value_data IN ("*javascript:*", "*vbscript:*","*WScript.Shell*") by Registry.registry_key_name Registry.registry_path Registry.registry_value_data Registry.action Registry.dest Registry.user| `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_mshta_execution_in_registry_filter`'
 how_to_implement: To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.
diff --git a/detections/endpoint/windows_njrat_fileless_storage_via_registry.yml b/detections/endpoint/windows_njrat_fileless_storage_via_registry.yml
index b1fdbd9389..aecbd10aeb 100644
--- a/detections/endpoint/windows_njrat_fileless_storage_via_registry.yml
+++ b/detections/endpoint/windows_njrat_fileless_storage_via_registry.yml
@@ -6,7 +6,6 @@ author: Teoderick Contreras, Splunk
 status: production
 type: TTP
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 description: The following analytic detects suspicious registry modifications indicative of NjRat's fileless storage technique. It leverages the Endpoint.Registry data model to identify specific registry paths and values commonly used by NjRat for keylogging and executing DLL plugins. This activity is significant as it helps evade traditional file-based detection systems, making it crucial for SOC analysts to monitor. If confirmed malicious, this behavior could allow attackers to persist on the host, execute arbitrary code, and capture sensitive keystrokes, leading to potential data breaches and further system compromise.
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\[kl]" OR  Registry.registry_value_data IN ("*[ENTER]*", "*[TAP]*", "*[Back]*") by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name Registry.registry_value_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_njrat_fileless_storage_via_registry_filter`'
diff --git a/detections/endpoint/windows_phishing_recent_iso_exec_registry.yml b/detections/endpoint/windows_phishing_recent_iso_exec_registry.yml
index f00bde89c5..a7941c799f 100644
--- a/detections/endpoint/windows_phishing_recent_iso_exec_registry.yml
+++ b/detections/endpoint/windows_phishing_recent_iso_exec_registry.yml
@@ -7,7 +7,6 @@ status: production
 type: Hunting
 description: The following analytic detects the creation of registry artifacts when an ISO container is opened, clicked, or mounted on a Windows operating system. It leverages data from the Endpoint.Registry data model, specifically monitoring registry keys related to recent ISO or IMG file executions. This activity is significant as adversaries increasingly use container-based phishing campaigns to bypass macro-based document execution controls. If confirmed malicious, this behavior could indicate an initial access attempt, potentially leading to further exploitation, persistence, or data exfiltration within the environment.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_key_name= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs\\.iso" OR Registry.registry_key_name= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs\\.img" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_phishing_recent_iso_exec_registry_filter`'
 how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.
diff --git a/detections/endpoint/windows_proxy_via_registry.yml b/detections/endpoint/windows_proxy_via_registry.yml
index b55bf70c4a..6fc7e55cf8 100644
--- a/detections/endpoint/windows_proxy_via_registry.yml
+++ b/detections/endpoint/windows_proxy_via_registry.yml
@@ -6,7 +6,6 @@ author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 description: The following analytic detects the modification of registry keys related to the Windows Proxy settings via netsh.exe. It leverages data from the Endpoint.Registry data model, focusing on changes to the registry path "*\\System\\CurrentControlSet\\Services\\PortProxy\\v4tov4\\tcp*". This activity is significant because netsh.exe can be used to establish a persistent proxy, potentially allowing an attacker to execute a helper DLL whenever netsh.exe runs. If confirmed malicious, this could enable the attacker to maintain persistence, manipulate network configurations, and potentially exfiltrate data or further compromise the system.
 search: '| tstats `security_content_summariesonly` count  min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path ="*\\System\\CurrentControlSet\\Services\\PortProxy\\v4tov4\\tcp*" by Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.action Registry.dest  Registry.user | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `windows_proxy_via_registry_filter`'
diff --git a/detections/endpoint/windows_registry_bootexecute_modification.yml b/detections/endpoint/windows_registry_bootexecute_modification.yml
index 9092966192..b8b79dd98c 100644
--- a/detections/endpoint/windows_registry_bootexecute_modification.yml
+++ b/detections/endpoint/windows_registry_bootexecute_modification.yml
@@ -6,7 +6,6 @@ author: Michael Haag, Splunk
 status: production
 type: TTP
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 description: The following analytic detects modifications to the BootExecute registry key, which manages applications and services executed during system boot. It leverages data from the Endpoint.Registry data model, focusing on changes to the registry path "HKLM\\System\\CurrentControlSet\\Control\\Session Manager\\BootExecute". This activity is significant because unauthorized changes to this key can indicate attempts to achieve persistence, load malicious code, or tamper with the boot process. If confirmed malicious, this could allow an attacker to maintain persistence, execute arbitrary code at boot, or disrupt system operations.
 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE Registry.registry_path="HKLM\\System\\CurrentControlSet\\Control\\Session Manager\\BootExecute" BY _time span=1h Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid, Registry.action | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_registry_bootexecute_modification_filter`'
diff --git a/detections/endpoint/windows_registry_certificate_added.yml b/detections/endpoint/windows_registry_certificate_added.yml
index 3c56c7624c..8c1ecde6c7 100644
--- a/detections/endpoint/windows_registry_certificate_added.yml
+++ b/detections/endpoint/windows_registry_certificate_added.yml
@@ -7,7 +7,6 @@ status: production
 type: Anomaly
 description: The following analytic detects the installation of a root CA certificate by monitoring specific registry paths for SetValue events. It leverages data from the Endpoint datamodel, focusing on registry paths containing "certificates" and registry values named "Blob." This activity is significant because unauthorized root CA certificates can compromise the integrity of encrypted communications and facilitate man-in-the-middle attacks. If confirmed malicious, this could allow an attacker to intercept, decrypt, or manipulate sensitive data, leading to severe security breaches.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count from datamodel=Endpoint.Registry where Registry.registry_path IN ("*\\certificates\\*") AND Registry.registry_value_name="Blob" by _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.process_guid Registry.registry_key_name Registry.registry_value_data | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_registry_certificate_added_filter`'
 how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.
diff --git a/detections/endpoint/windows_registry_delete_task_sd.yml b/detections/endpoint/windows_registry_delete_task_sd.yml
index 0fd237d304..59f377af4f 100644
--- a/detections/endpoint/windows_registry_delete_task_sd.yml
+++ b/detections/endpoint/windows_registry_delete_task_sd.yml
@@ -7,7 +7,6 @@ status: production
 type: Anomaly
 description: The following analytic detects a process attempting to delete a scheduled task's Security Descriptor (SD) from the registry path of that task. It leverages the Endpoint.Registry data model to identify registry actions performed by the SYSTEM user, specifically targeting deletions or modifications of the SD value. This activity is significant as it may indicate an attempt to remove evidence of a scheduled task for defense evasion. If confirmed malicious, it suggests an attacker with privileged access trying to hide their tracks, potentially compromising system integrity and security. Immediate investigation is required.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count from datamodel=Endpoint.Registry where Registry.registry_path IN ("*\\Schedule\\TaskCache\\Tree\\*") Registry.user="SYSTEM" Registry.registry_value_name="SD" (Registry.action=Deleted OR Registry.action=modified) by _time  Registry.dest Registry.process_guid Registry.user Registry.registry_path Registry.registry_value_name Registry.registry_key_name Registry.registry_value_data Registry.status Registry.action | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_registry_delete_task_sd_filter`'
 how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.
diff --git a/detections/endpoint/windows_registry_modification_for_safe_mode_persistence.yml b/detections/endpoint/windows_registry_modification_for_safe_mode_persistence.yml
index 5ff5da6618..10e85e1b4b 100644
--- a/detections/endpoint/windows_registry_modification_for_safe_mode_persistence.yml
+++ b/detections/endpoint/windows_registry_modification_for_safe_mode_persistence.yml
@@ -7,7 +7,6 @@ status: production
 type: TTP
 description: The following analytic identifies modifications to the SafeBoot registry keys, specifically within the Minimal and Network paths. This detection leverages registry activity logs from endpoint data sources like Sysmon or EDR tools. Monitoring these keys is crucial as adversaries can use them to persist drivers or services in Safe Mode, with Network allowing network connections. If confirmed malicious, this activity could enable attackers to maintain persistence even in Safe Mode, potentially bypassing certain security measures and facilitating further malicious actions.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count from datamodel=Endpoint.Registry where Registry.registry_path IN ("*SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\*","*SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Network\\*") by _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.process_guid Registry.registry_key_name Registry.registry_value_data | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_registry_modification_for_safe_mode_persistence_filter`'
 how_to_implement: To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.
diff --git a/detections/endpoint/windows_registry_sip_provider_modification.yml b/detections/endpoint/windows_registry_sip_provider_modification.yml
index 9153e56a8e..fa52bee969 100644
--- a/detections/endpoint/windows_registry_sip_provider_modification.yml
+++ b/detections/endpoint/windows_registry_sip_provider_modification.yml
@@ -6,7 +6,6 @@ author: Michael Haag, Splunk
 status: production
 type: TTP
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 description: The following analytic detects modifications to the Windows Registry SIP Provider. It leverages Sysmon EventID 7 to monitor registry changes in paths and values related to Cryptography Providers and OID Encoding Types. This activity is significant as it may indicate an attempt to subvert trust controls, a common tactic for bypassing security measures and maintaining persistence. If confirmed malicious, an attacker could manipulate the system's cryptographic functions, potentially leading to unauthorized access, data theft, or other damaging outcomes. Review the modified registry paths and concurrent processes to identify the attack source.
 search: '| tstats `security_content_summariesonly` count values(Registry.registry_key_name) as registry_key_name values(Registry.registry_path) as registry_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path IN ("*\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\*", "*\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType*", "*\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\Providers\\*", "*\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\OID\\EncodingType*") Registry.registry_value_name IN ("Dll","$DLL") by Registry.dest , Registry.user Registry.registry_value_name, Registry.registry_value_data | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)`| `windows_registry_sip_provider_modification_filter`'
diff --git a/detections/endpoint/windows_remote_access_software_rms_registry.yml b/detections/endpoint/windows_remote_access_software_rms_registry.yml
index 1cec86a666..df5b6a9ddf 100644
--- a/detections/endpoint/windows_remote_access_software_rms_registry.yml
+++ b/detections/endpoint/windows_remote_access_software_rms_registry.yml
@@ -7,7 +7,6 @@ status: production
 type: TTP
 description: The following analytic detects the creation or modification of Windows registry entries related to the Remote Manipulator System (RMS) Remote Admin tool. It leverages data from the Endpoint.Registry datamodel, focusing on registry paths containing "SYSTEM\\Remote Manipulator System." This activity is significant because RMS, while legitimate, is often abused by adversaries, such as in the Azorult malware campaigns, to gain unauthorized remote access. If confirmed malicious, this could allow attackers to remotely control the targeted host, leading to potential data exfiltration, system manipulation, or further network compromise.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\SYSTEM\\Remote Manipulator System*" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_access_software_rms_registry_filter`'
 how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.
diff --git a/detections/endpoint/windows_remote_services_allow_remote_assistance.yml b/detections/endpoint/windows_remote_services_allow_remote_assistance.yml
index 6f2c01b2d6..51a884c1da 100644
--- a/detections/endpoint/windows_remote_services_allow_remote_assistance.yml
+++ b/detections/endpoint/windows_remote_services_allow_remote_assistance.yml
@@ -7,7 +7,6 @@ status: production
 type: Anomaly
 description: The following analytic detects modifications in the Windows registry to enable remote desktop assistance on a targeted machine. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to the "Control\\Terminal Server\\fAllowToGetHelp" registry path. This activity is significant because enabling remote assistance via registry is uncommon and often associated with adversaries or malware like Azorult. If confirmed malicious, this could allow an attacker to remotely access and control the compromised host, leading to potential data exfiltration or further system compromise.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Control\\Terminal Server\\fAllowToGetHelp*" Registry.registry_value_data="0x00000001" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_services_allow_remote_assistance_filter`'
 how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.
diff --git a/detections/endpoint/windows_remote_services_rdp_enable.yml b/detections/endpoint/windows_remote_services_rdp_enable.yml
index e5a72f5fab..15663f8817 100644
--- a/detections/endpoint/windows_remote_services_rdp_enable.yml
+++ b/detections/endpoint/windows_remote_services_rdp_enable.yml
@@ -7,7 +7,6 @@ status: production
 type: TTP
 description: The following analytic detects modifications in the Windows registry to enable Remote Desktop Protocol (RDP) on a targeted machine. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to the "fDenyTSConnections" registry value. This activity is significant as enabling RDP via registry is uncommon and often associated with adversaries or malware attempting to gain remote access. If confirmed malicious, this could allow attackers to remotely control the compromised host, potentially leading to further exploitation and lateral movement within the network.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Control\\Terminal Server\\fDenyTSConnections*" Registry.registry_value_data="0x00000000" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_services_rdp_enable_filter`'
 how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.
diff --git a/detections/endpoint/windows_service_creation_using_registry_entry.yml b/detections/endpoint/windows_service_creation_using_registry_entry.yml
index 416aa51004..7bea3ff9dd 100644
--- a/detections/endpoint/windows_service_creation_using_registry_entry.yml
+++ b/detections/endpoint/windows_service_creation_using_registry_entry.yml
@@ -7,7 +7,6 @@ status: production
 type: TTP
 description: The following analytic detects the modification of registry keys that define Windows services using reg.exe. This detection leverages Splunk to search for specific keywords in the registry path, value name, and value data fields. This activity is significant because it indicates potential unauthorized changes to service configurations, a common persistence technique used by attackers. If confirmed malicious, this could allow an attacker to maintain access, escalate privileges, or move laterally within the network, leading to data theft, ransomware, or other damaging outcomes.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path="*\\SYSTEM\\CurrentControlSet\\Services*" Registry.registry_value_name = ImagePath) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_creation_using_registry_entry_filter`'
 how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
diff --git a/detections/endpoint/windows_service_deletion_in_registry.yml b/detections/endpoint/windows_service_deletion_in_registry.yml
index 95df38040e..a369a88aa2 100644
--- a/detections/endpoint/windows_service_deletion_in_registry.yml
+++ b/detections/endpoint/windows_service_deletion_in_registry.yml
@@ -7,7 +7,6 @@ status: production
 type: Anomaly
 description: The following analytic detects the deletion of a service from the Windows Registry under CurrentControlSet\Services. It leverages data from the Endpoint.Registry datamodel, specifically monitoring registry paths and actions related to service deletion. This activity is significant as adversaries may delete services to evade detection and hinder incident response efforts. If confirmed malicious, this action could disrupt legitimate services, impair system functionality, and potentially allow attackers to maintain a lower profile within the environment, complicating detection and remediation efforts.
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\SYSTEM\\CurrentControlSet\\Services*" AND (Registry.action = deleted OR (Registry.registry_value_name = DeleteFlag AND Registry.registry_value_data = 0x00000001 AND Registry.action=modified)) by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_value_name Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_deletion_in_registry_filter`'
 how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.
diff --git a/detections/endpoint/windows_snake_malware_registry_modification_wav_openwithprogids.yml b/detections/endpoint/windows_snake_malware_registry_modification_wav_openwithprogids.yml
index a318f03a78..42cffee82a 100644
--- a/detections/endpoint/windows_snake_malware_registry_modification_wav_openwithprogids.yml
+++ b/detections/endpoint/windows_snake_malware_registry_modification_wav_openwithprogids.yml
@@ -6,7 +6,6 @@ author: Michael Haag, Splunk
 status: production
 type: TTP
 data_source:
-- Sysmon EventID 12
 - Sysmon EventID 13
 description: The following analytic identifies modifications to the registry path .wav\\OpenWithProgIds, associated with the Snake Malware campaign. It leverages data from the Endpoint.Registry datamodel to detect changes in this specific registry location. This activity is significant because Snake's WerFault.exe uses this registry path to decrypt an encrypted blob containing critical components like the AES key, IV, and paths for its kernel driver and loader. If confirmed malicious, this could allow the attacker to load and execute Snake's kernel driver, leading to potential system compromise and persistent access.
 search: '| tstats `security_content_summariesonly` count values(Registry.registry_key_name) as registry_key_name values(Registry.registry_path) as registry_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\.wav\\OpenWithProgIds\\*"  by Registry.dest  Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `windows_snake_malware_registry_modification_wav_openwithprogids_filter`'