From e761beb0a0646efd11f63d1e7263bc0b8a298324 Mon Sep 17 00:00:00 2001
From: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Date: Fri, 14 Oct 2022 13:25:02 +0530
Subject: [PATCH] Rule Tuning on Potential Application Shimming via Sdbinst (#2355)

---
 rules/windows/persistence_via_application_shimming.toml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/rules/windows/persistence_via_application_shimming.toml b/rules/windows/persistence_via_application_shimming.toml
index 12a8283aa..05665376e 100644
--- a/rules/windows/persistence_via_application_shimming.toml
+++ b/rules/windows/persistence_via_application_shimming.toml
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/15"
+updated_date = "2022/10/13"
 
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,9 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and process.name : "sdbinst.exe"
+process where event.type == "start" and process.name : "sdbinst.exe" and
+ not (process.args : "-m" and process.args : "-bg") and
+ not process.args : "-mm"
 '''