From 4aa6c4e71520b97fdc718dca14fa17d57dc92a4e Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Fri, 5 Sep 2025 06:12:30 -0700
Subject: [PATCH] [Rule Tuning] Untrusted Driver Loaded (#5061)

* [Rule Tuning] Untrusted Driver Loaded
* Update defense_evasion_untrusted_driver_loaded.toml
---
 rules/windows/defense_evasion_untrusted_driver_loaded.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/windows/defense_evasion_untrusted_driver_loaded.toml b/rules/windows/defense_evasion_untrusted_driver_loaded.toml
index cdea35a2d..c9a0df30c 100644
--- a/rules/windows/defense_evasion_untrusted_driver_loaded.toml
+++ b/rules/windows/defense_evasion_untrusted_driver_loaded.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/01/27"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2025/09/04"
 
 [transform]
 [[transform.osquery]]
@@ -112,7 +112,7 @@ type = "eql"
 query = '''
 driver where host.os.type == "windows" and process.pid == 4 and
-  dll.code_signature.trusted != true and
+  (dll.code_signature.trusted == false or dll.code_signature.exists == false) and
   not dll.code_signature.status : ("errorExpired", "errorRevoked", "errorCode_endpoint:*")
 '''