From 7e21058c715b1bb65ea0dd0cb428629c62070539 Mon Sep 17 00:00:00 2001
From: jorik <47347649+jorik-utwente@users.noreply.github.com>
Date: Tue, 3 Dec 2024 11:57:43 +0100
Subject: [PATCH] improve filter handler rule
---
 nursery/persist-via-filter-handlers-registry-key.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/nursery/persist-via-filter-handlers-registry-key.yml b/nursery/persist-via-filter-handlers-registry-key.yml
index 116f71d9..53c0d8c3 100644
--- a/nursery/persist-via-filter-handlers-registry-key.yml
+++ b/nursery/persist-via-filter-handlers-registry-key.yml
@@ -14,6 +14,6 @@ rule:
 features:
 - and:
 - match: set registry value
- - string: /\\\.(.*?)\\Handler/i
- - optional:
- - match: persist via COM hijack
+ - or:
+ - string: /\\\..*\\PersistentHandler/i
+ - string: /CLSID\\.*\\PersistentHandler/i
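Review bot: Both added patterns put an unbounded `.*` between the key prefix and `\\PersistentHandler`, so any extracted string that contains `\.` (or `CLSID\`) and, anywhere later, `\PersistentHandler` satisfies the `or`, including long strings that merely embed several paths. Limiting the wildcard to a single path component keeps the match on the real key layout: `- string: /\\\.[^\\]+\\PersistentHandler/i` and `- string: /CLSID\\[^\\]+\\PersistentHandler/i`. Separately, the `and` only requires the string and `set registry value` to fall in the same scope, and it presumably misses code that opens the extension or CLSID key first and passes `PersistentHandler` as a separate subkey argument; a one-line comment in the rule noting that limitation would help analysts triaging hits and misses. The rule's meta and scope lie outside this hunk, so the scope remark is inferred.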