From a495b4b9b2ff731f874596d22915d29b45d4efe2 Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Tue, 22 Apr 2025 11:59:06 -0300
Subject: [PATCH] [Rule Tuning] Potential DLL Side-Loading via Trusted Microsoft Programs (#4627)
---
 ...fense_evasion_execution_suspicious_explorer_winword.toml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
index 90ccf139c..e6b7bc643 100644
--- a/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
+++ b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/03"
 integration = ["endpoint", "windows", "m365_defender"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/04/16"
 
 [rule]
 author = ["Elastic"]
@@ -87,9 +87,9 @@ query = '''
 process where host.os.type == "windows" and event.type == "start" and
 process.pe.original_file_name in ("WinWord.exe", "EXPLORER.EXE", "w3wp.exe", "DISM.EXE") and
 not process.executable : ("?:\\Windows\\explorer.exe",
- "?:\\Windows\\SyWOW64\\explorer.exe",
+ "?:\\Windows\\SysWOW64\\explorer.exe",
 "?:\\Program Files\\Microsoft Office\\root\\Office*\\WINWORD.EXE",
- "?:\\Program Files?(x86)\\Microsoft Office\\root\\Office*\\WINWORD.EXE",
+ "?:\\Program Files (x86)\\Microsoft Office\\root\\Office*\\WINWORD.EXE",
 "?:\\Windows\\System32\\Dism.exe",
 "?:\\Windows\\SysWOW64\\Dism.exe",
 "?:\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Deployment Tools\\amd64\\DISM\\dism.exe",
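Review bot: Both corrected exclusion entries keep the `?:` drive wildcard, so the fixed `"?:\\Windows\\SysWOW64\\explorer.exe"` line excludes that relative path on any volume, not only the boot volume where `\Windows\SysWOW64` is ACL-protected; if the fleet standardizes on one system drive, an explicit drive letter on these two entries would narrow the exclusion, and otherwise it is worth stating in the rule's `note` or `false_positives` field that the allow-list is path-based only. The `SyWOW64` → `SysWOW64` change is behavioural rather than cosmetic: the old entry could never have matched a real path, so the rule's previous false-positive profile for 32-bit explorer launches presumably shifts with this commit and any tuning derived from it should be rechecked. The `not process.executable :` list and the enclosing `query` string continue past the end of the hunk.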