From be54140485945dd92b03fff1b294665ee68bf6e9 Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Wed, 5 Feb 2025 17:32:57 -0300
Subject: [PATCH] [Rule Tuning] SMB Connections via LOLBin or Untrusted Process (#4444)
---
 .../lateral_movement_direct_outbound_smb_connection.toml | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/rules/windows/lateral_movement_direct_outbound_smb_connection.toml b/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
index 6254487fd..b12114c9f 100644
--- a/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
+++ b/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2025/02/04"
 [transform]
 [[transform.osquery]]
@@ -122,7 +122,7 @@ sequence by process.entity_id with maxspan=1m
 [process where host.os.type == "windows" and event.type == "start" and process.pid != 4 and
 /* ignore NT Authority and Network Service accounts */
- not user.id : ("S-1-5-19", "S-1-5-20") and
+ not user.id in ("S-1-5-19", "S-1-5-20") and
 /* filter out anything trusted but not from Microsoft */
 /* LOLBins will be inherently trusted and signed, so ignore everything else trusted */
@@ -135,9 +135,6 @@ sequence by process.entity_id with maxspan=1m
 /* second sequence to capture network connections over port 445 related to SMB */
 [network where host.os.type == "windows" and destination.port == 445 and process.pid != 4]
-
-/* end the sequence when the process ends where joining was on process.entity_id */
-until [process where host.os.type == "windows" and event.type == "end"]
 '''
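Review bot: The comment directly above the changed `user.id` line, `/* ignore NT Authority and Network Service accounts */`, names the authority rather than the two accounts the SIDs denote, so a reader verifying the exclusion has to look them up; S-1-5-19 is LOCAL SERVICE and S-1-5-20 is NETWORK SERVICE. Suggest `/* ignore the LOCAL SERVICE (S-1-5-19) and NETWORK SERVICE (S-1-5-20) accounts */`. Note that replacing `:` with `in` also changes the comparison from a case-insensitive, wildcard-capable string match to an exact case-sensitive membership test; for fixed-format well-known SIDs that is presumably the intent and should not alter what the exclusion matches. The `[process where ...]` clause this line belongs to starts and ends outside the hunk.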
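Review bot: Removing the `until [process where ... event.type == "end"]` clause changes when the sequence closes: it is now bounded only by `maxspan=1m`, so a port-445 connection logged after the parent process has exited but still inside the window can complete the sequence. Because the join key is `process.entity_id`, which presumably identifies a single process instance, this is unlikely to join events from different processes, but nothing in the hunk records that reasoning and a future tuner may reintroduce the clause. Suggest a comment in place of the removed one, e.g. `/* no until clause: the sequence is bounded by maxspan alone; joining on process.entity_id keeps it to one process instance */`. The enclosing `sequence by process.entity_id` statement starts before the hunk.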