From 6ce58d7201faa7e2ea2ed7b925eeff1097687875 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 21 Feb 2022 11:01:18 +0100
Subject: [PATCH] refactor: removed unnecessary regex

---
 ...s_creation_abusing_windows_telemetry_for_persistence.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/rules/windows/process_creation/process_creation_abusing_windows_telemetry_for_persistence.yml b/rules/windows/process_creation/process_creation_abusing_windows_telemetry_for_persistence.yml
index eeb517332..a9af4e4d3 100644
--- a/rules/windows/process_creation/process_creation_abusing_windows_telemetry_for_persistence.yml
+++ b/rules/windows/process_creation/process_creation_abusing_windows_telemetry_for_persistence.yml
@@ -11,7 +11,7 @@ tags:
     - attack.t1053
 author: Sreeman
 date: 2020/09/29
-modified: 2021/09/09
+modified: 2022/02/21
 fields:
     - EventID
     - CommandLine
@@ -22,7 +22,9 @@ logsource:
     category: process_creation
 detection:
     selection:
-        CommandLine|re: '(?i).*schtasks.*(-|\/)r.*\\\\Application Experience\\\\Microsoft Compatibility Appraiser.*'
+        CommandLine|contains|all:
+            - 'schtasks'
+            - '\Application Experience\Microsoft Compatibility Appraiser'
 condition: selection
 falsepositives:
     - none
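Review bot: The new `CommandLine|contains|all` selection in the second hunk drops the run-flag requirement that the removed regex carried in `(-|\/)r`, so the rule now also matches schtasks invocations such as `/query` or `/change` against the Compatibility Appraiser task, not only attempts to run it. That is a scope change rather than a pure refactor, and the commit message "removed unnecessary regex" does not mention it. If the broader match is intended, `falsepositives: - none` likely no longer holds and should list administrative inspection of the task; if not, consider adding a third term such as `- ' /r'` (or the `-r` variant) or documenting the decision in the rule's `description`. The enclosing `detection` block is fully visible, but `description` and `title` are outside the hunk.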