[Rule Tuning] Windows Misc Tuning (#4870)

* [Rule Tuning] Windows Misc Tuning

* Update execution_command_shell_started_by_svchost.toml

* bump

* Update rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml

* Update defense_evasion_persistence_account_tokenfilterpolicy.toml

rules/windows/execution_command_shell_started_by_svchost.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/07/02"
 
 [transform]
 [[transform.osquery]]
@@ -124,10 +124,36 @@ type = "new_terms"
 query = '''
 host.os.type:windows and event.category:process and event.type:start and process.parent.name:"svchost.exe" and
 process.name:("cmd.exe" or "Cmd.exe" or "CMD.EXE") and
-not process.command_line : "\"cmd.exe\" /C sc control hptpsmarthealthservice 211"
+
+  not process.command_line : "\"cmd.exe\" /C sc control hptpsmarthealthservice 211"
 '''
 
 
+[[rule.filters]]
+
+[rule.filters.meta]
+negate = true
+[rule.filters.query.wildcard."process.command_line"]
+case_insensitive = true
+value = "*SysVol*WindowsDefenderATPOnboardingScript.cmd*"
+
+[[rule.filters]]
+
+[rule.filters.meta]
+negate = true
+[rule.filters.query.wildcard."process.command_line"]
+case_insensitive = true
+value = "\"cmd.exe\" /d /c C:\\\\???????\\\\system32\\\\hpatchmonTask.cmd"
+
+[[rule.filters]]
+
+[rule.filters.meta]
+negate = true
+[rule.filters.query.wildcard."process.command_line"]
+case_insensitive = true
+value = "\"C:\\\\???????\\\\system32\\\\cmd.exe\" /d /c C:\\\\???????\\\\system32\\\\hpatchmonTask.cmd"
+
+
 [[rule.filters]]
 
 [rule.filters.meta]
@@ -158,6 +184,7 @@ case_insensitive = true
 value = """
 cmd /C ".\\inetsrv\\iissetup.exe /keygen "
 """
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]