[Rule Tuning] Suspicious Execution via Scheduled Task (#4599)

w0rk3r · web-flow · commit a5d9d6400a78 · 2025-04-07T22:59:08.000+05:30
diff --git a/rules/windows/persistence_suspicious_scheduled_task_runtime.toml b/rules/windows/persistence_suspicious_scheduled_task_runtime.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/19"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -101,10 +101,17 @@ process where host.os.type == "windows" and event.type == "start" and
        "C:\\Windows\\Debug\\*",
        "C:\\HP\\*") and
 
-     not (process.name : "cmd.exe" and process.args : "?:\\*.bat" and process.working_directory : "?:\\Windows\\System32\\") and
-     not (process.name : "cscript.exe" and process.args : "?:\\Windows\\system32\\calluxxprovider.vbs") and
-     not (process.name : "powershell.exe" and process.args : ("-File", "-PSConsoleFile") and user.id : "S-1-5-18") and
-     not (process.name : "msiexec.exe" and user.id : "S-1-5-18")
+    not (process.name : "cmd.exe" and process.args : "?:\\*.bat" and process.working_directory : "?:\\Windows\\System32\\") and
+    not (process.name : "cscript.exe" and process.args : "?:\\Windows\\system32\\calluxxprovider.vbs") and
+    not (
+       process.name : "powershell.exe" and
+       process.args : (
+           "-File", "-PSConsoleFile",
+           "C:\\ProgramData\\Microsoft\\AutopatchSetupScheduled\\SetupAutopatchClientV2Package.ps1",
+           "C:\\ProgramData\\Microsoft\\AutopatchSetupScheduled\\SetupAutopatchClientPackage.ps1"                
+       ) and user.id : "S-1-5-18"
+    ) and
+    not (process.name : "msiexec.exe" and user.id : "S-1-5-18")
 '''
 
 
