From 48b8c371977af58d96ec43c7754c4d4866243f98 Mon Sep 17 00:00:00 2001
From: rabbitstack
Date: Tue, 19 May 2026 20:54:50 +0200
Subject: [PATCH] fix(rules): Add HKEY_USERS windir/systemroot wildcard matches
---
 ...ake_system_root_environment_variable_manipulation.yml | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/rules/privilege_escalation_fake_system_root_environment_variable_manipulation.yml b/rules/privilege_escalation_fake_system_root_environment_variable_manipulation.yml
index be2281774..f06e6594c 100644
--- a/rules/privilege_escalation_fake_system_root_environment_variable_manipulation.yml
+++ b/rules/privilege_escalation_fake_system_root_environment_variable_manipulation.yml
@@ -1,6 +1,6 @@
 name: Fake system root environment variable manipulation
 id: 15613558-14cc-4d00-b13e-392df61e29c4
-version: 1.0.0
+version: 1.0.1
 description: |
 Identifies attempts to manipulate user-scoped Windows directory registry values to point to non-standard locations, a technique commonly abused to fake the system
@@ -20,6 +20,8 @@ condition: >
 ps.sid != 'S-1-5-18' and registry.path imatches (
+ 'HKEY_USERS\\*\\windir',
+ 'HKEY_USERS\\*\\systemroot',
 'HKEY_CURRENT_USER\\*\\windir',
 'HKEY_CURRENT_USER\\*\\systemroot' ) and
@@ -29,7 +31,10 @@ condition: >
 '?SystemRoot?' ) and registry.path not imatches 'HKEY_CURRENT_USER\\*\\SOFTWARE\\*'
-
+action:
+ - name: kill
+ severity: high
+ min-engine-version: 3.0.0
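Review bot: The exclusion `registry.path not imatches 'HKEY_CURRENT_USER\\*\\SOFTWARE\\*'` in the third hunk's context is not widened alongside the new `HKEY_USERS\\*\\windir` and `HKEY_USERS\\*\\systemroot` patterns in the second hunk, so a value under a SOFTWARE subkey that is suppressed when seen through the HKEY_CURRENT_USER alias now matches when the same key is reached through its HKEY_USERS\<SID> form, and the newly added `kill` action turns that asymmetry into process termination rather than a stray alert. Making the exclusion a list, e.g. `registry.path not imatches ('HKEY_CURRENT_USER\\*\\SOFTWARE\\*', 'HKEY_USERS\\*\\SOFTWARE\\*')`, keeps both path forms consistent; that `not imatches` accepts a parenthesised list is inferred from the `imatches` clauses above it and should be confirmed against the engine. The `ps.sid != 'S-1-5-18'` guard is unchanged and still excludes SYSTEM-context writes to any HKEY_USERS hive, which is worth stating in the description now that the rule covers paths beyond the current user's alias. In the collapsed text the `min-engine-version: 3.0.0` line appears nested under the `- name: kill` item; if it is meant as a top-level rule field its indentation should be checked. The `condition` block starts before the second hunk and the description continues past the first, so the full expression is not visible here.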