From 187ce70e4e397574a94bc06e685b976c3bef50cd Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 9 Mar 2022 08:49:23 +0100
Subject: [PATCH] refactor: schtasks creation, based on parent proc

---
.../proc_creation_win_susp_schtasks_env_folder.yml | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/rules/windows/process_creation/proc_creation_win_susp_schtasks_env_folder.yml b/rules/windows/process_creation/proc_creation_win_susp_schtasks_env_folder.yml
index 67e3c21ee..eae041a6a 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_schtasks_env_folder.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_schtasks_env_folder.yml
@@ -10,15 +10,16 @@ tags:
 - attack.t1053.005
 author: Florian Roth
 date: 2022/02/21
-modified: 2022/02/22
+modified: 2022/03/09
 logsource:
 product: windows
 category: process_creation
 detection:
 selection:
- Image|endswith: 'schtasks.exe'
- selection_flag:
+ Image|endswith: '\schtasks.exe'
 CommandLine|contains: ' /create '
+ selection_parent:
+ ParentCommandLine|endswith: '\svchost.exe -k netsvcs -p -s Schedule'
 selection_folder:
 CommandLine|contains:
 - '%AppData%'
@@ -31,7 +32,8 @@ detection:
 filter_mixed:
 - CommandLine|contains: 'update_task.xml'
 - ParentCommandLine|contains: 'unattended.ini'
- condition: selection and selection_flag and selection_folder and not 1 of filter*
+ condition: ( selection or selection_parent ) and selection_folder and not 1 of filter*
 falsepositives:
- - Benign scheduled tasks creations that happen often during software installations
+ - Benign scheduled tasks creations or executions that happen often during software installations
+ - Software that uses the AppData folder and scheduled tasks to update the software in the AppData folders
 level: high
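Review bot: The new `selection_parent` matches any process started by the Task Scheduler service whose command line references the `selection_folder` paths, not just schtasks.exe, so with `( selection or selection_parent ) and selection_folder` this rule now fires on every execution of a task pointing into AppData-style folders at level high, while the file name (and presumably the title/description, which lie outside the hunk) still describe task creation; the added falsepositives entry acknowledges this, but the `update_task.xml` filter only covers the creation path. I would move the execution case into its own rule with its own description, level and filters rather than OR-ing it into this one, or at minimum document in the description that the rule now covers both creation and execution. The parent match is also tied to one specific svchost form: as far as I know `-p -s Schedule` only appears where the Schedule service runs in its own process on newer Windows 10/Server builds, so systems that still host it in a shared netsvcs process would never match; if that coverage is intended, `ParentImage|endswith: '\svchost.exe'` plus `ParentCommandLine|contains: ' -s Schedule'` would be more robust, and the description should state the OS versions it was validated on.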