[Rule Tuning]  Windows Registry File Creation in SMB Share

### Link to Rule

https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_moving_registry_hive_via_smb.toml

### Rule Tuning Type

False Positives - Reducing benign events mistakenly identified as threats.

### Description

The rule excludes files with file.path: `"?:\\*\\UPM_Profile\\NTUSER.DAT.LASTGOOD.LOAD"`, but they most likely wanted to exclude `"?:\\*\\UPM_Profile\\NTUSER.DAT.LASTGOODLOAD"` (without the dot in GOODLOAD). 

The updated query would be the following:
```
query = '''
file where host.os.type == "windows" and event.type == "creation" and
 /* regf file header */
 file.Ext.header_bytes : "72656766*" and file.size >= 30000 and
 process.pid == 4 and user.id : ("S-1-5-21*", "S-1-12-1-*") and
 not file.path : (
    "?:\\*\\UPM_Profile\\NTUSER.DAT",
    "?:\\*\\UPM_Profile\\NTUSER.DAT.LASTGOODLOAD",
    "?:\\*\\UPM_Profile\\AppData\\Local\\Microsoft\\Windows\\UsrClass.dat*",
    "?:\\Windows\\Netwrix\\Temp\\????????.???.offreg",
    "?:\\*\\AppData\\Local\\Packages\\Microsoft.*\\Settings\\settings.dat*"
 )
'''
```


### Example Data

_No response_

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[Rule Tuning] Windows Registry File Creation in SMB Share #4722

Link to Rule

Rule Tuning Type

Description

Example Data

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

[Rule Tuning] Windows Registry File Creation in SMB Share #4722

Description

Link to Rule

Rule Tuning Type

Description

Example Data

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions