[Rule Tuning] Script Execution via Microsoft HTML Application (#4950)

w0rk3r · web-flow · commit 3de9456197a9 · 2025-08-01T07:55:14.000-03:00
diff --git a/rules/windows/defense_evasion_script_via_html_app.toml b/rules/windows/defense_evasion_script_via_html_app.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/09"
 integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/07/21"
 
 [rule]
 author = ["Elastic"]
@@ -100,7 +100,7 @@ process where host.os.type == "windows" and event.type == "start" and
      ) or
 
     (process.name : "mshta.exe" and
-     not process.command_line : ("*.hta*", "*.htm*", "-Embedding") and process.args_count >=2) or
+     not process.command_line : ("*.hta*", "*.htm*", "-Embedding") and ?process.args_count >=2) or
 
      /* Execution of HTA file downloaded from the internet */
      (process.name : "mshta.exe" and process.command_line : "*\\Users\\*\\Downloads\\*.hta*") or
