[Rule Tuning] Untrusted Driver Loaded (#5061)

w0rk3r · tradebot-elastic · commit eb1dd5f679ea · 2025-09-05T13:14:00.000Z
* [Rule Tuning] Untrusted Driver Loaded * Update defense_evasion_untrusted_driver_loaded.toml (cherry picked from commit 4aa6c4e)
diff --git a/rules/windows/defense_evasion_untrusted_driver_loaded.toml b/rules/windows/defense_evasion_untrusted_driver_loaded.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/01/27"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2025/09/04"
 
 [transform]
 [[transform.osquery]]
@@ -112,7 +112,7 @@ type = "eql"
 
 query = '''
 driver where host.os.type == "windows" and process.pid == 4 and
-  dll.code_signature.trusted != true and 
+  (dll.code_signature.trusted == false or dll.code_signature.exists == false) and
   not dll.code_signature.status : ("errorExpired", "errorRevoked", "errorCode_endpoint:*")
 '''
 
