Apply suggestions from code review

w0rk3r · Samirbous · web-flow · commit ed372eb760ba · 2025-08-28T06:11:17.000-07:00
Co-authored-by: Samirbous &lt;64742097+Samirbous@users.noreply.github.com&gt;
diff --git a/rules/windows/defense_evasion_wdac_policy_by_unusual_process.toml b/rules/windows/defense_evasion_wdac_policy_by_unusual_process.toml
@@ -78,12 +78,12 @@ file where host.os.type == "windows" and event.action != "deletion" and
   file.path : (
     "?:\\Windows\\System32\\CodeIntegrity\\*.p7b",
     "?:\\Windows\\System32\\CodeIntegrity\\CiPolicies\\Active\\*.cip",
-    "\\Device\\HarddiskVolume?\\Windows\\System32\\CodeIntegrity\\*.p7b",
-    "\\Device\\HarddiskVolume?\\Windows\\System32\\CodeIntegrity\\CiPolicies\\Active\\*.cip"
+    "\\Device\\HarddiskVolume*\\Windows\\System32\\CodeIntegrity\\*.p7b",
+    "\\Device\\HarddiskVolume*\\Windows\\System32\\CodeIntegrity\\CiPolicies\\Active\\*.cip"
   ) and
   not process.executable : (
     "C:\\Windows\\System32\\poqexec.exe",
-    "\\Device\\HarddiskVolume?\\Windows\\System32\\poqexec.exe"
+    "\\Device\\HarddiskVolume*\\Windows\\System32\\poqexec.exe"
   )
 '''
 
