refactor: schtasks creation, based on parent proc

rules/windows/process_creation/proc_creation_win_susp_schtasks_env_folder.yml

@@ -10,15 +10,16 @@ tags:
     - attack.t1053.005 
 author: Florian Roth
 date: 2022/02/21
-modified: 2022/02/22
+modified: 2022/03/09
 logsource:
     product: windows
     category: process_creation
 detection:
     selection:
-        Image|endswith: 'schtasks.exe'
-    selection_flag:
+        Image|endswith: '\schtasks.exe'
         CommandLine|contains: ' /create '
+    selection_parent:
+        ParentCommandLine|endswith: '\svchost.exe -k netsvcs -p -s Schedule'
     selection_folder:
         CommandLine|contains:
             - '%AppData%'
@@ -31,7 +32,8 @@ detection:
     filter_mixed:
         - CommandLine|contains: 'update_task.xml'
         - ParentCommandLine|contains: 'unattended.ini'
-    condition: selection and selection_flag and selection_folder and not 1 of filter*
+    condition: ( selection or selection_parent ) and selection_folder and not 1 of filter*
 falsepositives:
-    - Benign scheduled tasks creations that happen often during software installations
+    - Benign scheduled tasks creations or executions that happen often during software installations
+    - Software that uses the AppData folder and scheduled tasks to update the software in the AppData folders
 level: high