[Rule Tuning] Suspicious DLL Loaded for Persistence or Privilege Escalation (#5039)

rules/windows/privilege_escalation_persistence_phantom_dll.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/01/07"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/05/05"
+updated_date = "2025/08/29"
 
 [rule]
 author = ["Elastic"]
@@ -106,8 +106,8 @@ any where host.os.type == "windows" and
       ?dll.code_signature.trusted != true or
       ?dll.code_signature.exists != true or
       (
-        dll.code_signature.trusted == true and
-          not dll.code_signature.subject_name : ("Microsoft Windows", "Microsoft Corporation", "Microsoft Windows Publisher")
+        ?dll.code_signature.trusted == true and
+          not ?dll.code_signature.subject_name : ("Microsoft Windows", "Microsoft Corporation", "Microsoft Windows Publisher")
       )
   ) or
    /* oci.dll is too noisy due to unsigned Oracle related DLL loaded from random dirs */