[Rule Tuning] Enumeration of Privileged Local Groups Membership (elas…

…tic#4016)

rules/windows/discovery_privileged_localgroup_membership.toml

@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "KQL handles backslash and ? characters differently in 8.12+."
 min_stack_version = "8.12.0"
-updated_date = "2024/08/07"
+updated_date = "2024/08/26"
 
 [transform]
 [[transform.osquery]]
@@ -115,13 +115,14 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = ["Domain: Endpoint",
-        "OS: Windows",
-        "Use Case: Threat Detection",
-        "Tactic: Discovery",
-        "Resources: Investigation Guide",
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Discovery",
+    "Resources: Investigation Guide",
     "Data Source: System",
-        ]
+]
 timestamp_override = "event.ingested"
 type = "new_terms"
 
@@ -160,6 +161,7 @@ host.os.type:windows and event.category:iam and event.action:user-member-enumera
                                        C\:\\Windows\\System32\\RecoveryDrive.exe or
                                        C\:\\Windows\\System32\\SystemPropertiesComputerName.exe or
                                        C\:\\Windows\\SysWOW64\\msiexec.exe or
+                                       C\:\\Windows\\System32\\taskhostw.exe or
                                        C\:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe or
                                        C\:\\Windows\\Temp\\rubrik_vmware*\\snaptool.exe or
                                        C\:\\Windows\\VeeamVssSupport\\VeeamGuestHelper.exe or