From dd918b1f8050b6444fce210fa857ddaee7faf17e Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Mon, 1 Sep 2025 05:09:31 -0700
Subject: [PATCH] [Rule Tuning] Suspicious DLL Loaded for Persistence or Privilege Escalation (#5039)

---
 .../privilege_escalation_persistence_phantom_dll.toml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/rules/windows/privilege_escalation_persistence_phantom_dll.toml b/rules/windows/privilege_escalation_persistence_phantom_dll.toml
index 84b326796..0e7351cbc 100644
--- a/rules/windows/privilege_escalation_persistence_phantom_dll.toml
+++ b/rules/windows/privilege_escalation_persistence_phantom_dll.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/01/07"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/05/05"
+updated_date = "2025/08/29"
 
 [rule]
 author = ["Elastic"]
@@ -106,8 +106,8 @@ any where host.os.type == "windows" and
 ?dll.code_signature.trusted != true or
 ?dll.code_signature.exists != true or
 (
-dll.code_signature.trusted == true and
-not dll.code_signature.subject_name : ("Microsoft Windows", "Microsoft Corporation", "Microsoft Windows Publisher")
+?dll.code_signature.trusted == true and
+not ?dll.code_signature.subject_name : ("Microsoft Windows", "Microsoft Corporation", "Microsoft Windows Publisher")
 )
 ) or
 /* oci.dll is too noisy due to unsigned Oracle related DLL loaded from random dirs */
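Review bot: Marking `dll.code_signature.subject_name` optional in the second hunk changes the null semantics of the `not … :` test, and that is worth a comment in the query: in EQL a comparison against a missing (null) field yields null and `not null` stays null, so an image load with `trusted == true` but no `subject_name` value now silently drops out of this branch instead of being treated as a non-Microsoft signer. The two sibling `?dll.code_signature.*` branches already behave this way, so the change makes the group consistent rather than widening coverage, but a reader tuning this later may assume the `not` clause is a catch-all; suggest adding `/* ?-fields are optional: a missing subject_name yields null, so this branch does not match such events */` above the opening parenthesis. Whether the windows (Sysmon) integration populates `dll.code_signature.subject_name` and `trusted` for every image-load event is not visible here and would decide how much of the signed-DLL population this branch actually sees — worth confirming against the integration's field mapping. The enclosing `any where` expression starts and ends outside the hunk.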