From 5a18a6cea241dbe1874fcfeb7a4a92fc1ff4706c Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Tue, 2 Apr 2024 06:35:14 -0300
Subject: [PATCH] [Rule Tuning] Potential Application Shimming via Sdbinst (#3553)
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
(cherry picked from commit c7813761884a7a75a84d8a0fd9456ef7d8e7a27e)
---
 rules/windows/persistence_via_application_shimming.toml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/rules/windows/persistence_via_application_shimming.toml b/rules/windows/persistence_via_application_shimming.toml
index 3ee7c1121..de2cfc044 100644
--- a/rules/windows/persistence_via_application_shimming.toml
+++ b/rules/windows/persistence_via_application_shimming.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "system"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/04/01"
 
 [rule]
 author = ["Elastic"]
@@ -35,6 +35,7 @@ type = "eql"
 query = '''
 process where host.os.type == "windows" and event.type == "start" and process.name : "sdbinst.exe" and
+ process.args : "?*" and
 not (process.args : "-m" and process.args : "-bg") and not process.args : "-mm"
 '''