From 3de9456197a965f0d86a88fd580cdffbf8cc2ef1 Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Fri, 1 Aug 2025 07:55:14 -0300
Subject: [PATCH] [Rule Tuning] Script Execution via Microsoft HTML Application (#4950)

---
 rules/windows/defense_evasion_script_via_html_app.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/windows/defense_evasion_script_via_html_app.toml b/rules/windows/defense_evasion_script_via_html_app.toml
index 37e27fdbf..7fd0cb332 100644
--- a/rules/windows/defense_evasion_script_via_html_app.toml
+++ b/rules/windows/defense_evasion_script_via_html_app.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/09"
 integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/07/21"
 
 [rule]
 author = ["Elastic"]
@@ -100,7 +100,7 @@ process where host.os.type == "windows" and event.type == "start" and
 ) or
 (process.name : "mshta.exe" and
- not process.command_line : ("*.hta*", "*.htm*", "-Embedding") and process.args_count >=2) or
+ not process.command_line : ("*.hta*", "*.htm*", "-Embedding") and ?process.args_count >=2) or
 /* Execution of HTA file downloaded from the internet */
 (process.name : "mshta.exe" and process.command_line : "*\\Users\\*\\Downloads\\*.hta*") or