Apply suggestions from code review

w0rk3r · Samirbous · web-flow · commit 25f23ef0810b · 2025-08-28T12:42:08.000-07:00
Co-authored-by: Samirbous &lt;64742097+Samirbous@users.noreply.github.com&gt;
diff --git a/rules/windows/persistence_ms_office_addins_file.toml b/rules/windows/persistence_ms_office_addins_file.toml
@@ -84,9 +84,9 @@ file where host.os.type == "windows" and event.type != "deletion" and
     "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*",
 
     /* Crowdstrike specific condition as it uses NT Object paths */
-    "\\Device\\HarddiskVolume?\\Users\\*\\AppData\\Roaming\\Microsoft\\Word\\Startup\\*",
-    "\\Device\\HarddiskVolume?\\Users\\*\\AppData\\Roaming\\Microsoft\\AddIns\\*",
-    "\\Device\\HarddiskVolume?\\Users\\*\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*"
+    "\\Device\\HarddiskVolume*\\Users\\*\\AppData\\Roaming\\Microsoft\\Word\\Startup\\*",
+    "\\Device\\HarddiskVolume*\\Users\\*\\AppData\\Roaming\\Microsoft\\AddIns\\*",
+    "\\Device\\HarddiskVolume*\\Users\\*\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*"
  )
 '''
 
diff --git a/rules/windows/persistence_ms_outlook_vba_template.toml b/rules/windows/persistence_ms_outlook_vba_template.toml
@@ -83,7 +83,7 @@ type = "eql"
 query = '''
 file where host.os.type == "windows" and event.type != "deletion" and
   file.name : "VbaProject.OTM" and
-  file.path : "*\\AppData\\Roaming\\Microsoft\\Outlook\\VbaProject.OTM"
+  file.path : ("?:\\Users\\*\\AppData\\Roaming\\Microsoft\\Outlook\\VbaProject.OTM", "\\Device\\HarddiskVolume*\\Users\\*\\AppData\\Roaming\\Microsoft\\Outlook\\VbaProject.OTM")
 '''
 
 
diff --git a/rules/windows/persistence_powershell_profiles.toml b/rules/windows/persistence_powershell_profiles.toml
@@ -130,9 +130,12 @@ type = "eql"
 query = '''
 file where host.os.type == "windows" and event.type != "deletion" and
   file.name : ("profile.ps1", "Microsoft.Powershell_profile.ps1") and
-  file.path : ("*\\Documents\\WindowsPowerShell\\*",
-               "*\\Documents\\PowerShell\\*",
-               "*\\Windows\\System32\\WindowsPowerShell\\*")
+  file.path : ("?:\\Users\\*\\Documents\\WindowsPowerShell\\*.ps1", 
+                    "?:\\Users\\*\\Documents\\PowerShell\\*.ps1", 
+                    "?:\\Windows\\System32\\WindowsPowerShell\\*.ps1", 
+                    "\\Device\\HarddiskVolume*\\Users\\*\\Documents\\WindowsPowerShell\\*.ps1", 
+                    "\\Device\\HarddiskVolume*\\Users\\*\\Documents\\PowerShell\\*.ps1", 
+                    "\\Device\\HarddiskVolume*\\Windows\\System32\\WindowsPowerShell\\*.ps1")
 '''
 
 
