From de68bf5559d481004b76b3b08117c92a1c61dd22 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 8 Sep 2022 09:00:58 +0200
Subject: [PATCH] fix: schtasks in suspicious parents rule

---
 .../process_creation/proc_creation_win_susp_parents.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/windows/process_creation/proc_creation_win_susp_parents.yml b/rules/windows/process_creation/proc_creation_win_susp_parents.yml
index 295a050e0..f9708c99e 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_parents.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_parents.yml
@@ -7,7 +7,7 @@ references:
     - https://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b
 author: Florian Roth
 date: 2022/03/21
-modified: 2022/07/08
+modified: 2022/09/08
 logsource:
     category: process_creation
     product: windows
@@ -21,7 +21,7 @@ detection:
         ParentImage|endswith:
             - '\csrss.exe'
             - '\certutil.exe'
-            - '\schtasks.exe'
+            # - '\schtasks.exe'
             - '\eventvwr.exe'
             - '\calc.exe'
             - '\notepad.exe'
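Review bot: The second hunk disables `'\schtasks.exe'` as a suspicious parent by commenting the entry out, but neither the hunk nor the commit message ("fix: schtasks in suspicious parents rule") records why, so a later maintainer cannot tell whether this was a deliberate false-positive trade-off or a correction of a wrong entry. Because it narrows detection coverage, I would keep the rationale next to the disabled line, e.g. `# - '\schtasks.exe'  # disabled 2022/09/08: <reason / FP source>; children of schtasks.exe are no longer matched by this rule`, and, if the rule carries a `falsepositives` or `description` field, reflect the change there too rather than only bumping `modified`. Processes spawned under schtasks.exe now go unreported by this rule unless another rule covers that parent, which is worth confirming before merging since the referenced Cobalt Strike hunting write-up is presumably what motivated the entry in the first place. The `detection` block, including the `selection` this list belongs to, continues outside the hunk.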