[Rule Tuning] Remote Execution via File Shares (elastic#4448)

Author: w0rk3r

rules/windows/lateral_movement_execution_via_file_shares_sequence.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/11/03"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2025/02/05"
 
 [transform]
 [[transform.osquery]]
@@ -116,7 +116,8 @@ sequence with maxspan=1m
  /* Veeam related processes */
  (
  process.name : (
- "VeeamGuestHelper.exe", "VeeamGuestIndexer.exe", "VeeamAgent.exe", "VeeamLogShipper.exe", "Veeam.VSS.Sharepoint20??.exe"
+ "VeeamGuestHelper.exe", "VeeamGuestIndexer.exe", "VeeamAgent.exe", "VeeamLogShipper.exe",
+ "Veeam.VSS.Sharepoint20??.exe", "OracleProxy.exe", "Veeam.SQL.Service", "VeeamDeploymentSvc.exe"
  ) and process.code_signature.trusted == true and process.code_signature.subject_name : "Veeam Software Group GmbH"
  ) or
  /* PDQ related processes */
@@ -128,7 +129,7 @@ sequence with maxspan=1m
  ) or
  /* CrowdStrike related processes */
  (
- (process.executable : "?:\\Windows\\System32\\drivers\\CrowdStrike\\*-WindowsSensor.*.exe" and 
+ (process.executable : "?:\\Windows\\System32\\drivers\\CrowdStrike\\*Sensor*.exe" and 
  process.code_signature.trusted == true and process.code_signature.subject_name : "CrowdStrike, Inc.") or
  (process.executable : "?:\\Windows\\System32\\drivers\\CrowdStrike\\*-CsInstallerService.exe" and 
  process.code_signature.trusted == true and process.code_signature.subject_name : "Microsoft Windows Hardware Compatibility Publisher")