From a9d0d79a5b3d93f513eae6f0d171a400170671b9 Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Fri, 10 Apr 2026 11:47:27 -0300
Subject: [PATCH] [Rule Tuning] Process Created with an Elevated Token (#5934)

---
 rules/windows/privilege_escalation_via_token_theft.toml | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/rules/windows/privilege_escalation_via_token_theft.toml b/rules/windows/privilege_escalation_via_token_theft.toml
index d6c46d380..b5d32b461 100644
--- a/rules/windows/privilege_escalation_via_token_theft.toml
+++ b/rules/windows/privilege_escalation_via_token_theft.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/10/20"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/01/07"
+updated_date = "2026/04/08"
 
 [rule]
 author = ["Elastic"]
@@ -34,8 +34,6 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-/* This rule is only compatible with Elastic Endpoint 8.4+ */
-
 process where host.os.type == "windows" and event.action == "start" and
 
 /* CreateProcessWithToken and effective parent is a privileged MS native binary used as a target for token theft */
@@ -49,7 +47,7 @@ process where host.os.type == "windows" and event.action == "start" and
 process.parent.executable : "?:\\Windows\\System32\\Utilman.exe" and process.parent.args : "/debug") and
 
 /* Ignores Windows print spooler service with correlation to Access Intelligent Form */
-not (process.parent.executable : ("?\\Windows\\System32\\spoolsv.exe", "C:\\Windows\\System32\\PrintIsolationHost.exe") and
+not (process.parent.executable : ("?:\\Windows\\System32\\spoolsv.exe", "?:\\Windows\\System32\\PrintIsolationHost.exe") and
 process.executable: ("?:\\Program Files\\*.exe", "?:\\Program Files (x86)\\*.exe", "?:\\Windows\\System32\\spool\\drivers\\*.exe",