[Rule Tuning] SMB Connections via LOLBin or Untrusted Process (#4444)

Author: w0rk3r

rules/windows/lateral_movement_direct_outbound_smb_connection.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2025/02/04"
 
 [transform]
 [[transform.osquery]]
@@ -122,7 +122,7 @@ sequence by process.entity_id with maxspan=1m
   [process where host.os.type == "windows" and event.type == "start" and process.pid != 4 and
 
     /* ignore NT Authority and Network Service accounts */
-    not user.id : ("S-1-5-19", "S-1-5-20") and
+    not user.id in ("S-1-5-19", "S-1-5-20") and
 
     /* filter out anything trusted but not from Microsoft */
     /* LOLBins will be inherently trusted and signed, so ignore everything else trusted */
@@ -135,9 +135,6 @@ sequence by process.entity_id with maxspan=1m
 
   /* second sequence to capture network connections over port 445 related to SMB */
   [network where host.os.type == "windows" and destination.port == 445 and process.pid != 4]
-
-/* end the sequence when the process ends where joining was on process.entity_id */
-until [process where host.os.type == "windows" and event.type == "end"]
 '''