[Tuning] Svchost spawning Cmd (#5649)

* Update execution_command_shell_started_by_svchost.toml

* Update execution_command_shell_started_by_svchost.toml

rules/windows/execution_command_shell_started_by_svchost.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/01/15"
+updated_date = "2026/01/29"
 
 [transform]
 [[transform.osquery]]
@@ -122,68 +122,13 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 
 query = '''
-host.os.type:windows and event.category:process and event.type:start and process.parent.name:"svchost.exe" and
-process.name:("cmd.exe" or "Cmd.exe" or "CMD.EXE") and
-
-  not process.command_line : "\"cmd.exe\" /C sc control hptpsmarthealthservice 211"
+host.os.type:windows and event.category:process and event.type:start and process.parent.name:svchost.exe and 
+process.name:(CMD.EXE or Cmd.exe or cmd.exe) and 
+process.command_line:(* and not "\"cmd.exe\" /C sc control hptpsmarthealthservice 211") and 
+not process.args:(".\inetsrv\iissetup.exe /keygen " or "C:\Program" or "C:\Program Files (x86)\Kaspersky Lab\NetworkAgent\klmover.exe" or "C:\Program Files (x86)\Sentry\SA\adluminupdater.exe" or "C:\Program Files\WinRAR" or "C:\Program Files\WinRAR\uninstall.exe" or "hpdiags://BatteryStatusTest" or hptpsmarthealthservice or icacls or taskkill or w32tm or *.BAT* or *.CMD* or *.bat* or *.cmd*)
 '''
 
 
-[[rule.filters]]
-
-[rule.filters.meta]
-negate = true
-[rule.filters.query.wildcard."process.command_line"]
-case_insensitive = true
-value = "*SysVol*WindowsDefenderATPOnboardingScript.cmd*"
-
-[[rule.filters]]
-
-[rule.filters.meta]
-negate = true
-[rule.filters.query.wildcard."process.command_line"]
-case_insensitive = true
-value = "\"cmd.exe\" /d /c C:\\\\???????\\\\system32\\\\hpatchmonTask.cmd"
-
-[[rule.filters]]
-
-[rule.filters.meta]
-negate = true
-[rule.filters.query.wildcard."process.command_line"]
-case_insensitive = true
-value = "\"C:\\\\???????\\\\system32\\\\cmd.exe\" /d /c C:\\\\???????\\\\system32\\\\hpatchmonTask.cmd"
-
-
-[[rule.filters]]
-
-[rule.filters.meta]
-negate = true
-[rule.filters.query.wildcard."process.args"]
-case_insensitive = true
-value = "?:\\\\Windows\\\\system32\\\\silcollector.cmd"
-[[rule.filters]]
-
-[rule.filters.meta]
-negate = true
-[rule.filters.query.wildcard."process.command_line"]
-case_insensitive = true
-value = "*?:\\\\Program Files\\\\Npcap\\\\CheckStatus.bat*"
-[[rule.filters]]
-
-[rule.filters.meta]
-negate = true
-[rule.filters.query.wildcard."process.command_line"]
-case_insensitive = true
-value = "*?:\\\\Program Files*\\\\Pulseway\\\\watchdog.bat*"
-[[rule.filters]]
-
-[rule.filters.meta]
-negate = true
-[rule.filters.query.wildcard."process.command_line"]
-case_insensitive = true
-value = """
-cmd /C ".\\inetsrv\\iissetup.exe /keygen "
-"""
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"