From 86229c826b1a2b969c0f7a420beac9c1e8fdc282 Mon Sep 17 00:00:00 2001
From: QuantumByte-01 <150924480+QuantumByte-01@users.noreply.github.com>
Date: Tue, 31 Mar 2026 22:16:51 +0530
Subject: [PATCH] Fix false positive in persist via Windows service rule

Fixes #1100

Adds constraint to the registry-based persistence detection to avoid matching unrelated registry modifications like NetbiosOptions. The rule now requires the registry value being set to be either ImagePath or StartType, which are the registry keys used for actual service binary path persistence, not arbitrary NetBT parameters. This prevents false positives while maintaining detection of legitimate Windows service persistence mechanisms.
---
 persistence/service/persist-via-windows-service.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/persistence/service/persist-via-windows-service.yml b/persistence/service/persist-via-windows-service.yml
index 7bd333ffd..5e324ca4d 100644
--- a/persistence/service/persist-via-windows-service.yml
+++ b/persistence/service/persist-via-windows-service.yml
@@ -39,4 +39,7 @@ rule:
       - string: /New-Service /i
       - and:
         - match: set registry value
-        - string: /System\\(ControlSet\d{3}|CurrentControlSet)\\Services/i
+        - string: /System\(ControlSet\d{3}|CurrentControlSet)\Services/i
+        - or:
+          - string: /ImagePath/i
+          - string: /StartType/i
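Review bot: The replaced line `- string: /System\(ControlSet\d{3}|CurrentControlSet)\Services/i` turns the doubled backslashes of the removed line into single ones, which the commit message does not mention; a YAML plain scalar does no escape processing, so the regex engine now sees `\(` as a literal parenthesis (leaving the later `)` unbalanced, which Python's `re` rejects) and `\S` as the non-whitespace class instead of a literal backslash before `Services`. If that edit was unintended, keep `- string: /System\\(ControlSet\d{3}|CurrentControlSet)\\Services/i` unchanged and add only the `- or:` block. Separately, the added `/StartType/i` is unlikely to match samples that set a service's start mode through the registry, because the value name under `Services\<name>` is `Start` (`StartType` is the Win32 service API / PowerShell parameter name), so the new constraint narrows coverage relative to the old rule; consider whether `Start` and `Type` need covering as well, or record in the rule's meta why `ImagePath`/`StartType` alone are required. The enclosing `features:` list of this rule begins before the hunk.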