From 8d3ec2b8a3ed2a00645fce573c52ff24dd78c4fb Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Thu, 1 Aug 2024 14:06:08 -0300
Subject: [PATCH] [Rule Tuning] Sensitive Registry Hive Access via RegBack (#3947)

Co-authored-by: Mika Ayenson
---
 .../credential_access_regback_sam_security_hives.toml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/rules/windows/credential_access_regback_sam_security_hives.toml b/rules/windows/credential_access_regback_sam_security_hives.toml
index d1cc0ef00..c07317274 100644
--- a/rules/windows/credential_access_regback_sam_security_hives.toml
+++ b/rules/windows/credential_access_regback_sam_security_hives.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/07/01"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/07/01"
+updated_date = "2024/08/01"
 
 [rule]
 author = ["Elastic"]
@@ -70,7 +70,10 @@ file where host.os.type == "windows" and
 ("?:\\Windows\\System32\\config\\RegBack\\SAM",
 "?:\\Windows\\System32\\config\\RegBack\\SECURITY",
 "?:\\Windows\\System32\\config\\RegBack\\SYSTEM") and
- not (user.id == "S-1-5-18" and process.executable : "?:\\Windows\\system32\\taskhostw.exe")
+ not (
+ user.id == "S-1-5-18" and process.executable : (
+ "?:\\Windows\\system32\\taskhostw.exe", "?:\\Windows\\system32\\taskhost.exe"
+ ))
 '''
 
 
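Review bot: The widened exclusion in the second hunk (`not ( user.id == "S-1-5-18" and process.executable : ( "?:\\Windows\\system32\\taskhostw.exe", "?:\\Windows\\system32\\taskhost.exe" ))`) keys only on the SYSTEM SID and an executable path whose `?:` drive wildcard and case-insensitive `:` match are not tied to the real system root, so the allowlist rests on the path string alone rather than on the identity of the binary. If the endpoint integration populates `process.code_signature.*` on these file events, adding `process.code_signature.trusted == true` inside the `not (...)` clause would bind the exclusion to a signed binary without changing its intent; this needs confirming against the event schema before it is added. The reason for the new `taskhost.exe` entry (which presumably covers older Windows versions that use that name instead of `taskhostw.exe`) is not recorded anywhere in the diff; a sentence in the rule's false-positives or note text explaining the exclusion would help the next person who tunes it. The enclosing `query` string starts outside the hunk.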