[Rule Tuning] Misc Windows Tuning (#5990)

* [Rule Tuning] Misc Windows Tuning

* Apply suggestions from code review

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update defense_evasion_msbuild_making_network_connections.toml

* Update defense_evasion_msbuild_making_network_connections.toml

rules/windows/defense_evasion_msbuild_making_network_connections.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/30"
 
 [transform]
 [[transform.osquery]]
@@ -130,10 +130,6 @@ sequence by process.entity_id with maxspan=30s
   /* Exclude domains that are known to be benign */
   [network where host.os.type == "windows" and
     event.action: ("connection_attempted", "lookup_requested") and
-    (
-      process.pe.original_file_name: "MSBuild.exe" or
-      process.name: "MSBuild.exe"
-    ) and
     not user.id == "S-1-5-18" and
     not cidrmatch(destination.ip, "127.0.0.1", "::1") and
     not dns.question.name : (

rules/windows/lateral_movement_execution_via_file_shares_sequence.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/11/03"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/27"
 
 [transform]
 [[transform.osquery]]
@@ -124,18 +124,23 @@ sequence with maxspan=1m
               "ZOHO Corporation Private Limited",
               "BeyondTrust Corporation", 
               "CyberArk Software Ltd.", 
-              "Sophos Ltd"
+              "Sophos Ltd",
+              "AO Kaspersky Lab",
+              "Anthropic, PBC",
+              "Adobe Inc.",
+              "Netwrix Corporation"
         )
       ) or
       (
         process.executable : (
           "?:\\Windows\\ccmsetup\\ccmsetup.exe",
-          "?:\\Windows\\SoftwareDistribution\\Download\\Install\\AM_Delta*.exe",
-          "?:\\Windows\\CAInvokerService.exe"
+          "?:\\Windows\\SoftwareDistribution\\Download\\Install\\*.exe",
+          "?:\\Windows\\CAInvokerService.exe",
+          "?:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\*\\OneDriveSetup.exe"
         ) and process.code_signature.trusted == true
       ) or
       (
-        process.executable : "G:\\SMS_*\\srvboot.exe" and 
+        process.executable : "?:\\SMS_*\\srvboot.exe" and 
         process.code_signature.trusted == true and process.code_signature.subject_name : "Microsoft Corporation"
       )
     )

rules/windows/persistence_scheduled_task_creation_winlog.toml

@@ -2,7 +2,7 @@
 creation_date = "2022/08/29"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/11/14"
+updated_date = "2026/04/27"
 
 [rule]
 author = ["Elastic"]
@@ -79,7 +79,15 @@ iam where host.os.type == "windows" and event.action == "scheduled-task-created"
               "\\Hewlett-Packard\\HP Web Products Detection",
               "\\Microsoft\\VisualStudio\\Updates\\BackgroundDownload",
               "\\OneDrive Standalone Update Task-S-1-5-21*",
-              "\\OneDrive Standalone Update Task-S-1-12-1-*"
+              "\\OneDrive Standalone Update Task-S-1-12-1-*",
+              "\\SoftLanding\\S-1-5-21-*\\SoftLanding*",
+              "\\SoftLanding\\S-1-12-*\\SoftLanding*",
+              "\\OneDrive Reporting Task-S-1-5-21-*",
+              "\\OneDrive Reporting Task-S-1-12-1-*",
+              "\\GoogleUserPEH\\RunPlatformExperienceHelper*",
+              "\\Mozilla\\Firefox Default Browser Agent*",
+              "\\Microsoft\\Office\\Office Background Push Maintenance",
+              "\\Microsoft\\Windows\\GroupPolicy\\GPUpdate"
  )
 '''