From 797bcaebfeecfa154c5b912b3cd1d7ba159da505 Mon Sep 17 00:00:00 2001
From: Swachchhanda Shrawan Poudel
 <87493836+swachchhanda000@users.noreply.github.com>
Date: Tue, 28 Apr 2026 07:45:16 +0545
Subject: [PATCH] Merge PR #5900 from @swachchhanda000 - Update Important
 scheduled task manipulation related rules

update: Important Scheduled Task Deleted or Disabled - Add EventID 142.
update: Disable Important Scheduled Task - Add OFN and remove unecessary string binding for increased coverage.
update: Delete Important Scheduled Task - Add OFN and remove unecessary string binding for increased coverage.
new: System Restore Registry Modification via CommandLine
chore: add regression tests for Important scheduled task manipulation rules

---------

Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
---
 .../7595ba94-cf3b-4471-aa03-4f6baa9e5fad.evtx | Bin 0 -> 69632 bytes
 .../7595ba94-cf3b-4471-aa03-4f6baa9e5fad.json |  54 ++++
 .../info.yml                                  |  13 +
 .../9e3cb244-bdb8-4632-8c90-6079c8f4f16d.evtx | Bin 0 -> 69632 bytes
 .../9e3cb244-bdb8-4632-8c90-6079c8f4f16d.json |  48 ++++
 .../info.yml                                  |  13 +
 .../7c06ab9b-b1d2-4ba9-b06e-09491ded20d9.evtx | Bin 0 -> 69632 bytes
 .../7c06ab9b-b1d2-4ba9-b06e-09491ded20d9.json | 264 ++++++++++++++++++
 .../info.yml                                  |  13 +
 .../dbc1f800-0fe0-4bc0-9c66-292c2abe3f78.evtx | Bin 0 -> 69632 bytes
 .../dbc1f800-0fe0-4bc0-9c66-292c2abe3f78.json |  66 +++++
 .../info.yml                                  |  13 +
 .../9ac94dc8-9042-493c-ba45-3b5e7c86b980.evtx | Bin 0 -> 69632 bytes
 .../9ac94dc8-9042-493c-ba45-3b5e7c86b980.json |  66 +++++
 .../info.yml                                  |  13 +
 .../5de03871-5d46-4539-a82d-3aa992a69a83.evtx | Bin 0 -> 69632 bytes
 .../5de03871-5d46-4539-a82d-3aa992a69a83.json | 208 ++++++++++++++
 .../info.yml                                  |  13 +
 ..._susp_scheduled_task_delete_or_disable.yml |  10 +-
 ...duler_susp_schtasks_delete_or_disable.yml} |  22 +-
 ...on_win_reg_system_restore_modification.yml |  51 ++++
 .../proc_creation_win_schtasks_delete.yml     |  15 +-
 .../proc_creation_win_schtasks_disable.yml    |  24 +-
 .../registry_set_disable_system_restore.yml   |   9 +
 24 files changed, 893 insertions(+), 22 deletions(-)
 create mode 100644 regression_data/rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable/7595ba94-cf3b-4471-aa03-4f6baa9e5fad.evtx
 create mode 100644 regression_data/rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable/7595ba94-cf3b-4471-aa03-4f6baa9e5fad.json
 create mode 100644 regression_data/rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable/info.yml
 create mode 100644 regression_data/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete_or_disable/9e3cb244-bdb8-4632-8c90-6079c8f4f16d.evtx
 create mode 100644 regression_data/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete_or_disable/9e3cb244-bdb8-4632-8c90-6079c8f4f16d.json
 create mode 100644 regression_data/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete_or_disable/info.yml
 create mode 100644 regression_data/rules/windows/process_creation/proc_creation_win_reg_system_restore_modification/7c06ab9b-b1d2-4ba9-b06e-09491ded20d9.evtx
 create mode 100644 regression_data/rules/windows/process_creation/proc_creation_win_reg_system_restore_modification/7c06ab9b-b1d2-4ba9-b06e-09491ded20d9.json
 create mode 100644 regression_data/rules/windows/process_creation/proc_creation_win_reg_system_restore_modification/info.yml
 create mode 100644 regression_data/rules/windows/process_creation/proc_creation_win_schtasks_delete/dbc1f800-0fe0-4bc0-9c66-292c2abe3f78.evtx
 create mode 100644 regression_data/rules/windows/process_creation/proc_creation_win_schtasks_delete/dbc1f800-0fe0-4bc0-9c66-292c2abe3f78.json
 create mode 100644 regression_data/rules/windows/process_creation/proc_creation_win_schtasks_delete/info.yml
 create mode 100644 regression_data/rules/windows/process_creation/proc_creation_win_schtasks_disable/9ac94dc8-9042-493c-ba45-3b5e7c86b980.evtx
 create mode 100644 regression_data/rules/windows/process_creation/proc_creation_win_schtasks_disable/9ac94dc8-9042-493c-ba45-3b5e7c86b980.json
 create mode 100644 regression_data/rules/windows/process_creation/proc_creation_win_schtasks_disable/info.yml
 create mode 100644 regression_data/rules/windows/registry/registry_set/registry_set_disable_system_restore/5de03871-5d46-4539-a82d-3aa992a69a83.evtx
 create mode 100644 regression_data/rules/windows/registry/registry_set/registry_set_disable_system_restore/5de03871-5d46-4539-a82d-3aa992a69a83.json
 create mode 100644 regression_data/rules/windows/registry/registry_set/registry_set_disable_system_restore/info.yml
 rename rules/windows/builtin/taskscheduler/{win_taskscheduler_susp_schtasks_delete.yml => win_taskscheduler_susp_schtasks_delete_or_disable.yml} (61%)
 create mode 100644 rules/windows/process_creation/proc_creation_win_reg_system_restore_modification.yml

diff --git a/regression_data/rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable/7595ba94-cf3b-4471-aa03-4f6baa9e5fad.evtx b/regression_data/rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable/7595ba94-cf3b-4471-aa03-4f6baa9e5fad.evtx
new file mode 100644
index 0000000000000000000000000000000000000000..5c5ad4920aa1f419a02232b44dfd7fa0fb13aaaf
GIT binary patch
literal 69632
zcmeI0TWlOx8OOi9db76IF^Nk-Y3fF#BrT3}X;52l930!5SdCNTOVdi>!S(u<ti6>l
zO-gu(pcR*g3M4>CeE}o{5fu^=NGRd~303M-kx(U2KuCQ-tyCcbs%XW7`Tx(E@y=|#
zj@{%5{l^;b%$)Ch=R3dea?Z?PWu`P=nYQ{P89ca#-=w9?b|&gY?)tv(qyP5awGt^1
z0TB=Z5fA|p5CIVo0TB=Z5fA|pxFdnV%1r;<;w1~;?i>AHqb7V5nENEo`M*DZN5yv#
z;5aSCLhSwjfvnm4O=kbjn7x~hE7+YgJAuy-+dba8L!WPAOdbzlOdkIU<X;b-^Vw^7
zHdANMN!))Jd?fjF-53jjF7~}1Tn|IG1f4hP^ibyG91jO$Z>8@WVA|+-<PrF@!`A&j
z^v4f-@B8In6K#ovwIu%5^N*i}Bk}scd#{b|d*{z@U%TG^({E!Yl<I4@mvPAn^0?8G
zu|a#$rftzyaQ}6j*^5ErZ`(3<#TKlB#$_~Q631;0Vk`E7J!#$eTec}YnTE_Ht`FgN
z9#596io2@KK=Kgot9agRm(jL}-=lUIe~;nnusx3d)9b@8$L^AewY9h5tI%)N@vM#6
zOVGUHMnr)3t*t!=yF!oNx|*{QH~Nbhs|=|nw0<6EDGbJ^zL&OhFm?frW`%+!vd;$b
zaIhn7r)|~sL{po!rTS7f46!c<5+6)9MPLot0NOr_Gs}>pnu9m<_C=_e1hRQdf8Lou
zbcM8KlZBLJ(}`x=hX-M#-@l{Do(aU}L240g$wITG)5y8KxCukN{8q-!LXf_yI3c4@
z()QqHPY|brSJO7`d~wN%BspNhI&s4k;PH#SS$i4|q+5uH!zHLGW1qoIm^l~!kh7=I
z{1W_D1;;YDQ#4~8X<#40&36KgJ+C%n(0RwSAEMJRfG#RS#^GTWF{X-F^Dz&Goq#86
z?Wsf_(Ne1=rBrK#_9zt6WLo0MCkuJY)0S7zDJ%#-{#Ud0J2Bc(ah8NwFF>wT3Nk!@
zD{p<!xB|l&Ei0I**IQ_^wk(SR-G2OycH_`q6X(>RQ!B$|ZEXQ#ghk{xzutifTyci4
zx`DiV&(IEd(`ZZnPdkE`or2&p{sJp<mdmoV(zUNVkptnmfNcn%u)}hx#7-AZEXF*(
zh7j$C<Rk)V(b-L>?X*NXv9?x(0IM1u*Rz;&pcW7cG|uNrGLvY53765IiOtjND&q-R
zpMr|82><X<4(_B|R$-Y(X!al^vSB@*Ih(Z!D5UmaUM;pOl`gc~Luva2L=k%KM5JQD
z^0UZUhvlr@c3K-+bMDMp-pQehJ4(1?JEmsW+aAKR^wBR-A&$;#VO@N5@93)!e<fw9
z2l@M##5i2~CeCqY5RSw!?2Z?#E<2BBi|}+69G0!?wmEho23FC|8B=oB_J9B7@hjus
z9s0?Q-k#Kf-?!FN@#Xm&*MIauSloI2^Un95>G|l*-o3X@{PTB64@$vHzrrQgRUQLh
zWeA1kdBBD9B%ZVK4dR#UEF<Y#)ikOR(~hnCab{WZGKm7LU$y7$qVv<rx--ULdD)V!
zX1nOt<AE-huD)kmgPvjaOt!*W_I)Dg`)F;{_PV|UV96zdv}*m6zW=eH|0Y(SMgLix
ziwGiGo$^J9){?-dY9ljGxD;KAjDrB9on3*n3s65t)-5m1n!y#&uY<|fjPKJI^r4Lb
z(GH{ytGk!<%T1WNW6l9f`0q<+vNh{V)P{T;>+!Q}vRp&ojKFSIINBVy!S_Y=VBZbx
zA9dBg9~vt7i&{a>Q|`IX=42~M4E2y1Nw?QHq^*RtZUCH<tw_yu+M3b0$9B0yy&q}G
zG-jIKZ02=-J(Zc#Y{!bjBZK{noqTNK2R*OfJpIm@``&#Ik$VM}FvI2$N#~Jo{dUHk
zXK;NEqxRX^-4MfZ0ZVj!4qvFt;S11G+c>bEa}&YEWE%a)P~nSqGT7>Lx^!EDgkLvK
zpuQf#!gLtFosPI)Ieq4{bplaTLY+8*t;Rm+>9tnOwzwW!osmrx<?nV26;`JBR_Z7=
zPuza3;Fo29Ij}FVr4yDH-8wc43C?{960BZ6rxvkSsYYbIe0>!gaNJle=Mh1kUoU*|
zq#b}idhmBT`0WAH=j`AH&rd<3_Phj}O7^Vl+k@TB7}|=ke`_O?GA#|Qt-5uHx!8-X
z%mMoX3gL3Z@7$JFVfTLcJo@|?wxoQrgg?*b5MqzH@i};vt%uj`ijEN<pKHPje9Nf1
z*W(`v#*dE?AHUu^-naMKlB0nojYf;xGy(q(fyTYb&~9X!*B6e$SYbAAEvk#IQZjF+
zTm-ZJE#DUPtfq09PTZG`nOm!m(RvcivRXXWwmoHxG3M$+mmPP%kGm+3ON4Xs(cHa(
zt-h`_Zja8T=yHg!YQ9cI+q{MWv@8c}0CzgIwQC5~;Av1g<!XfA8gjj(4pxp;T$B9A
z(-5C0N3EioaLm)V^42yQea6|#?WC^~+vyu0cM$WN#J;EkUGz^}bA4;P?=T2d9N8CK
z{~_pN-Qb?v?*v9L6YdeFP<?taw^_9K)#e<=yX>sru9mnBHE*3q&EY<v59=0pSbS6Q
z^NM?GYdzwljAEvXE*2{8^=QWJzsM}Edo#JXM($47pB27wbovMlV}sEU_M>O$uV@@@
zCKnyuYYkU_?w?lN+(O;;QLve0R4-#O)Uo-zioyPS0<#Fe50t^ee?%#}xbhjmd9teU
z9WFjwUp2O?A#U%mi<EG`8^-PCwtIRbu!r@LyR%-@sAH%CoPYdzbhNPA@T&lQAI{15
z9mlR|IH)G|61QvN+w>H4tRmm|+Fs9QqxPs4TDsl2`%2R&TDi+3k6HYY%rbT(-5?W=
zT0~y@j||*tv9<Q5aRu?W^;M;~{w<-Vooqc{YF%*eSUx}Yqsovp_s~n5?0CYRB0t_u
zgRZZv_1ePO)W++B)>-(0-_aOHTpOa_I+)?nsAiQNLzIkQ{@iufcAw<Ck+$fVlnJ%h
zX777O>H0Q458vy0t;n}Sym5^0#;gAcUK_04_zQ<?<o8t_A|L`HAOa#F0wN#+A|L`H
zAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F
z0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+
zA|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`H
zAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F
z0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+
zA|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`H
XAOa#F0wN#+A|L`HAOa%r|3u(_vtoYu

literal 0
HcmV?d00001

diff --git a/regression_data/rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable/7595ba94-cf3b-4471-aa03-4f6baa9e5fad.json b/regression_data/rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable/7595ba94-cf3b-4471-aa03-4f6baa9e5fad.json
new file mode 100644
index 000000000..f79f8ef2e
--- /dev/null
+++ b/regression_data/rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable/7595ba94-cf3b-4471-aa03-4f6baa9e5fad.json
@@ -0,0 +1,54 @@
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Security-Auditing",
+          "Guid": "54849625-5478-4994-A5BA-3E3B0328C30D"
+        }
+      },
+      "EventID": 4701,
+      "Version": 1,
+      "Level": 0,
+      "Task": 12804,
+      "Opcode": 0,
+      "Keywords": "0x8020000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2026-03-11T05:16:41.816327Z"
+        }
+      },
+      "EventRecordID": 27732,
+      "Correlation": {
+        "#attributes": {
+          "ActivityID": "8E521E2B-7C26-0003-031F-528E267CDB01"
+        }
+      },
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 852,
+          "ThreadID": 968
+        }
+      },
+      "Channel": "Security",
+      "Computer": "swachchhanda",
+      "Security": null
+    },
+    "EventData": {
+      "SubjectUserSid": "S-1-5-21-2555720767-1205513275-3893774561-1001",
+      "SubjectUserName": "xodih",
+      "SubjectDomainName": "SWACHCHHANDA",
+      "SubjectLogonId": "0x3144c",
+      "TaskName": "\\Microsoft\\Windows\\SystemRestore\\SR",
+      "TaskContent": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo>\r\n    <SecurityDescriptor>D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;FRFX;;;LS)</SecurityDescriptor>\r\n    <Source>$(@%systemroot%\\system32\\srrstr.dll,-320)</Source>\r\n    <Author>$(@%systemroot%\\system32\\srrstr.dll,-321)</Author>\r\n    <Description>$(@%systemroot%\\system32\\srrstr.dll,-322)</Description>\r\n    <URI>Microsoft\\Windows\\SystemRestore\\SR</URI>\r\n  </RegistrationInfo>\r\n  <Principals>\r\n    <Principal id=\"LocalSystem\">\r\n      <UserId>S-1-5-18</UserId>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <Enabled>false</Enabled>\r\n    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>\r\n    <StartWhenAvailable>true</StartWhenAvailable>\r\n    <RunOnlyIfIdle>true</RunOnlyIfIdle>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>true</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine>\r\n    <MaintenanceSettings>\r\n      <Period>P3D</Period>\r\n      <Deadline>P3DT1M</Deadline>\r\n      <Exclusive>true</Exclusive>\r\n    </MaintenanceSettings>\r\n  </Settings>\r\n  <Triggers />\r\n  <Actions Context=\"LocalSystem\">\r\n    <Exec>\r\n      <Command>%windir%\\system32\\srtasks.exe</Command>\r\n      <Arguments>ExecuteScheduledSPPCreation</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task>",
+      "ClientProcessStartKey": 2251799813691708,
+      "ClientProcessId": 5204,
+      "ParentProcessId": 15816,
+      "RpcCallClientLocality": 0,
+      "FQDN": "swachchhanda"
+    }
+  }
+}
diff --git a/regression_data/rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable/info.yml b/regression_data/rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable/info.yml
new file mode 100644
index 000000000..d1b5c5373
--- /dev/null
+++ b/regression_data/rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable/info.yml
@@ -0,0 +1,13 @@
+id: fbeed033-1556-49ae-881d-1e12e8aceb49
+description: N/A
+date: 2026-03-11
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+    - id: 7595ba94-cf3b-4471-aa03-4f6baa9e5fad
+      title: Important Scheduled Task Deleted/Disabled
+regression_tests_info:
+    - name: Positive Detection Test
+      type: evtx
+      provider: Microsoft-Windows-Sysmon
+      match_count: 1
+      path: regression_data/rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable/7595ba94-cf3b-4471-aa03-4f6baa9e5fad.evtx
diff --git a/regression_data/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete_or_disable/9e3cb244-bdb8-4632-8c90-6079c8f4f16d.evtx b/regression_data/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete_or_disable/9e3cb244-bdb8-4632-8c90-6079c8f4f16d.evtx
new file mode 100644
index 0000000000000000000000000000000000000000..ed7d4507f8e062d4abfaea5bf8ad2306a0a85bd4
GIT binary patch
literal 69632
zcmeI$S!i5U90u_Jow+laOlBrajZ3UGZEdwmTeWUAwHlL*ji!r9+%P`GX41xHDVe0E
zRxr3A3Kj(w#g`%#6-4kskf0ALq7R}Vf}%zAL0ldL6>)nQzwg|8JDD-H)%f_`aA)pv
zw);Eh{LjsFjSlBWMhjNG#lj1-_>NiJtih{Jvgq^n-~Zga=t5M01SB8<2}nQ!5|Drd
zBp?9^NI(L|73dlr?$|xP$D;r4kM%vvlJKLzRkda{Uv_Wh>0&n4bI;0;TIQE=M$&9`
z%IxQa*|+}uJ7z^(zXCr){M+q=<K%e=b#glcb#nVPO#f1No!6ehwc)DvT#57F!XHUm
zs_GaE%VORa!{e<;n@5>*Rpl_vf7w<?KhXS#%%z%grgP6lpW-~~_b2Cm+kEmXN4$E^
zvyAse+Yc{9HSzeI@1E&h@ztjv&%W6B{G)ghrfP4r`*Fwz<TjT{SeNayf{oi0&L6~{
zyd%8%dVRuXY|KV+vxplB?_%4HWK*`+F1PjgE80$6DIm=tj@RLP1Xm_)0%sF8jFjte
zK7s4&?M~bq$M=PHKK?Gk(fM{6J_|>yFIJqzyi)07^i|Yv6a7i+v;8P}%GHPg-d-x*
zf_6nc`s0C=?Qpg4LtR5iHHo{IV9!T`@wz8`+lI!D;ig$GXI}E=a6GJO_U#&*b~$mY
z-s<D+apTmvD@^grV9h+NZtKLov#}>R<XFs_&(d~1iWmgh2p)gLHGy<F-;%Lh+>*Xm
zXDe_a8tJFj*4T|<vJps)<6bORXTFa<UWSush!1^`upT62UyZs%#zZk&ij$?`IPE&%
zTfggzJuXR%6?)c+6HWncFE2~lc61=Sg+#2*V@U}+3n$Ucx#Po>U5DHI(QgxQ9D+NO
zCal>9`wpBu7M9p{unv`uIMWU!EuaDHq9LSlJe)-wQ=1N?D|#@>1fHZd#=SH~OF5S0
z<Jo!Iy(o}PW=jJ3ST1d8w&ek2iUPv3Kh;@>OU8DLx|T$&14x(8hci6=W7^tL;uIRr
z(K3Z64a&{cSbdT~f!%)bJB`MwgOd16$H<iBa4D6>P)8I*UVF6`4>02zKJ6+Bx_1lP
zf!;K>CH+ZlIA(VuVG(~}D^iw9GPJU5AJ~|J@b1ty0?5@`D(*G7;lyCf?LG|A4x}8!
zKpJ=LW~Vin=X<5nCL~}~W5>0PrySH6h5{QG%#~Qe%b*E&B0ncK_n@pHT%q;VC?X2N
zht{Rgo$Qurv@9SrI}<6AQ9K^*N!kr4kfn#um9ZspKi6o>eQQEe3_Z7Fq+-Deo+4$<
zma<0N#Sq64_mrhwI%Id(H{-0q>M?gb%X`a_<{<vUZ8nOF?;}=j!mrl3=nf_Ww*;%+
ziZ)jUtF?9$u8pIYCty&twMQpYpR-{9Ph%|balSw6z!&coYp;Fkwp%|t^2ej6EUvWm
zZcegX&YfVyGKvI&ed_7&jzr4<kNx-~H+FqJlSv=C>#aBOBrdR*O0VLOD>ApvdpY=`
zz~1SK9mMtJ*prNg?CB^}bfU&0lHBf|ZO8@IjY!C4oCEdY2_M0ZEn^X<m5bo8WaQs-
zG^ob1=u?gq&V1&tNF9xZC<Mo{9#Z>!Rk1vJGJ}0!fsPrd>X?CwIKm0aRe{l=fc$-!
zvXv`^#j-xv%~ELtYHC8WR+S$jhsGDs-@(!mO~Y~%6Tt(ug*n%jb2j1eC-CrGJ-eLU
zKBpA)Uq3?1UfhdilR*h<!V*p|m+<$=5B+S7HIR@sv8`@O1$`Dow=u+8&hR0u2pq4h
zBNfzfL6~P{xsI&sq)FR_bW=yCV;^#|u3B5dx)yX{=T_${yI?{x=cQqde7bOCHB{8t
z2_v?bEiLD+JHht$Aonip;|L&ZZzfoPI6P@{Ub)sr^dQ?CyvrP`H?u*#3qJ4GP?aN{
zgK0l}IV%|dW7!;}e1sgsFkOOW*Rzwb2f?b@uEH^1C*1iYzN0iP;kB#7Yx5&eABJ^1
z!tfTiZ^7|4%(Hg45Z{D|(2FJb8hma?uW`lw2J@C%PpkVvuFEmpD`QsW)YyR6tpQAq
zeJ+0SwT!Q11-B}360EWdY@=;(FG-zY=~1cOt~J|HexI9E<yWtNDzz0+bC0#6ZNXa>
zBO0$2@tKEdaFy%Eqzg}cMT<-r+I#S{9WdxY`aaC6UWE8=T<OBSZ5UUrxOW4-w>Y0}
z9NmIDUstt#eiUC=B&eS&0E0)_By39qIusjTZD;Dt_}={`g47FRyolgAxANZ8{`TIz
z(0azm7OiIuIIdpLSQ<A*Kdxt3s_k8GIWJwbqsikpw$|CG#`Bi-9$bBQ+~Q~Q`*ROV
zx%n%~EsLGVI#j)CuZ8I}W*66R%I&gMPu|}@)Bkw)b90;9;^(}bt<I70S`NRFeH$V5
zMCQX@JQU|cu+#^0<o}!xOW6o)(a1f1?=OBn6cHVwe??AYKJa~FFleSeB_II_NI(J-
zkbndvAOQ(TKmrnwfCMBU0SQPz0uqpb1SB8<2}nQ!5|DrdBp?9^NI(J-kbndvAOQ(T
zKmrnwfCMBU0SQPz0uqpb1SB8<2}nQ!5|DrdBp?9^NI(J-kbndvAOQ(TKmrnwfCMBU
z0SQPz0uqpb1SB8<2}nQ!5|DrdBp?9^NI(J-kbndvAOQ(TKmrnwfCMBU0SQPz0uqpb
z1SB8<2}nQ!5|DrdBp?9^NI(J-kbndvAOQ(TKmrnwfCMBU0SQPz0uqpb1SB8<2}nQ!
z5|DrdBp?9^NI(J-kbndvAOQ(TKmrnwfCMBU0SQPz0uqpb1SB8<2}nQ!5|DrdBp?9^
zNI(J-kbndvAOQ(TKmrnwfCMBU0SQPz0uqpb1SB8<2}nQ!5|DrdBp?9^NI(J-kbndv
zAOQ(TKmz|P;CYs@CFYyw_LMc-ERK1tU^{KvCT+x~Y`<l^mcwsk<BewRr4q|*O7ZhA
DhTtzk

literal 0
HcmV?d00001

diff --git a/regression_data/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete_or_disable/9e3cb244-bdb8-4632-8c90-6079c8f4f16d.json b/regression_data/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete_or_disable/9e3cb244-bdb8-4632-8c90-6079c8f4f16d.json
new file mode 100644
index 000000000..483ac2304
--- /dev/null
+++ b/regression_data/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete_or_disable/9e3cb244-bdb8-4632-8c90-6079c8f4f16d.json
@@ -0,0 +1,48 @@
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-TaskScheduler",
+          "Guid": "DE7B24EA-73C8-4A09-985D-5BDADCFA9017"
+        }
+      },
+      "EventID": 142,
+      "Version": 0,
+      "Level": 4,
+      "Task": 142,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2026-03-11T05:16:41.815720Z"
+        }
+      },
+      "EventRecordID": 14,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 1996,
+          "ThreadID": 15932
+        }
+      },
+      "Channel": "Microsoft-Windows-TaskScheduler/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "#attributes": {
+        "Name": "TaskDisabled"
+      },
+      "TaskName": "\\Microsoft\\Windows\\SystemRestore\\SR",
+      "UserName": "System"
+    }
+  }
+}
diff --git a/regression_data/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete_or_disable/info.yml b/regression_data/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete_or_disable/info.yml
new file mode 100644
index 000000000..0df6c4bff
--- /dev/null
+++ b/regression_data/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete_or_disable/info.yml
@@ -0,0 +1,13 @@
+id: 89bcf8d7-2f92-4ae4-9492-bba11f26dd10
+description: N/A
+date: 2026-03-11
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+    - id: 9e3cb244-bdb8-4632-8c90-6079c8f4f16d
+      title: Important Scheduled Task Deleted or Disabled
+regression_tests_info:
+    - name: Positive Detection Test
+      type: evtx
+      provider: Microsoft-Windows-Sysmon
+      match_count: 1
+      path: regression_data/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete_or_disable/9e3cb244-bdb8-4632-8c90-6079c8f4f16d.evtx
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_reg_system_restore_modification/7c06ab9b-b1d2-4ba9-b06e-09491ded20d9.evtx b/regression_data/rules/windows/process_creation/proc_creation_win_reg_system_restore_modification/7c06ab9b-b1d2-4ba9-b06e-09491ded20d9.evtx
new file mode 100644
index 0000000000000000000000000000000000000000..c6c931d839c5982fcbd67890e34dafad1c2b92c5
GIT binary patch
literal 69632
zcmeI2YiwLc701uL-d(TP-nHGvKuZ&x2atruiQjh82>G>58oLB1B|)+jnfMX6_Bx84
zG$9g-pcS+qcu1hO1c{0-kbolc0ja7YAt6=e0|Wt;D6bF%A3#D#1yvvwF#rF|z22-J
zi9=(xRR3$;y?18L%$)hnnR8}t(l<GlpO_rAg;z4lIEQCwWo9+OLXkI}{?Xu>hu?G~
zYCr@;Km<fU1VlgtL_h>YKm<fU1VrGL1o|e&dX5zyv-otMh-xfMpF{q4*P6Ys(d_R(
z&42Bd4c|h5?O%Q9!qAOkYg1;KG}_0<hd;%NL;_97-;K`@w|iZ^MV+V6C$F{92akV5
z^52Q_S#}<IV+-{8Fw*}FS!#Cgf<C6=k0&U*5WNpTHjg%6T+ohdV1++_C@%_rAnLoA
z^S`}q-D>uHwaw4}#U~EGanI%71l2)cRl&7gfBjb66W=%g`TXF9-@p3GxeK-5{31p|
zsjgak0<Rn(uNSM5)@P?|)Cx9>^k;FW9*qjGR447UP1z(0XHbv~TJ0FbX6?A`wC(tt
zv7^Wth0HMC8}OV!&Iy}FYTCvi*?{yk^0(XLC@bLEWIOQJg0~&kf#1>j?q^C;VK6uM
z3g#-Fx9Ni^J78zf@~rC-U%I;H<~|O+;u(GIY})p_-cO;g5lEdtX&df*Y>fN9lCX!N
z>=X*kaybi9ha-E~QkSp??WC)TqH3!y>ngJWh<!4WczwA123UKo7iAyBoubLHnJvG{
z*hkUCFpy1P_!CYAqRS;L73Rt;l?W<r12SSue@{iZeJm220I34X!d#^#5?FKVkcdru
z<Z9CTA;`I!bV5d<(C$OxzQ|7d&L-@jn~TSsNXQNYt4D%MfY+sUDf<W}kkdj$>@HwS
zN!x@(ymB7>N!s?I_zdQ48XQN!ouWyrO91<RB)$~2xa;$k=ybv{?Sbeh6yOw%K*r(W
zDxyt2a5hsigK;I`Nm*@Kkb$)neM!D7djsu3G)R@Hi6<ZCGM1q(Poh%n5WexZO6zfA
z)ML_V5@V(J%IBjMo_Q@}U1)I@iql$VF;d@duH33qbPAmI)|YCHUHg_ere!K+X)bef
zQ|KdhA}@Te0s}bh6hG-Y^3%JAdSEt<x@3M)5!vif2+rUy(jsl?6kRK)_Q}pP2p@~s
z#sG2^mM#lwoH@}M^ZE=-v<H&IFr<Rho0C>!K_Zx&djJCTYMi)Tg|q`T1yi7MeyxPb
zpb9EHj{02KynS0E$RX=)G!Z-D=Nr<PPEN~7Xyy@`y$=$p*dLGer|c0l$kwBARoUHT
ziCnF%PuN`$h3UB)mWnUeeiUh|v$WNs6ef;0-f7D?IaGJ~JCLfeYTJY7OBL%~D{&OG
zbFp9iT$R}sH2T}8T_t!hFOy`~1JJqDS#7gJ$SYu$r@>&xwngSTg>=D=bR0jl^#|8`
zzTcmEec}sm{PK3|Z+GjCD7ZenRnk*<=l!X@vmJ5B;CtoKT}Oh4o_hJ;k6c`H4HHHw
z%;C@Q%Bah$_tP}6*m?K5W`~hazu1W<qcH94>FES~6+30=J-Ac!hshuf+dc^mM(2HE
zn8lQEqTe6Ye|J&398)<9V)3#Kv(SjL+ag&v^}glG1x6h^)-W4dHS27N>b$qu{^Er&
zVqvz-(v)8x$#eE2?UOJm2A*-~A7)`j%j%K`ZH}_k(T3UNP3rVQp5cv_eSCht!ffg$
ze0=a30aH4bFk5~TS$ZihKCaX=kWG8p_Gp~s6OFS5c0(=3aTg#zY4LdCNET)*ZZZ<z
z6G_ps`&}y}h6P1pOZM2~)--)6_XWME!*`B~E|~gO`r4dx+8I}Cq;Fz=$%ol0FSX=s
z_oJ<Gx3Y@X0XIsWmbAX2{9cSB%;tP3iY@&^MGb0Uqg-d)j(B49Q*^F=)%p6>-m;pb
z5wOo_1UXn1$2|)DV$W8Ly<wLA6k2YKYStBNrr?mc72>9720GSy$t88%56PIYx12Zx
z6nWg`d9+47xp3-NST$DIa`pZA?)KwbW_1?p-nfd^tWe+OY^u)J=UmV#a0H2&W=iyp
zgF={n7iuJoZYG2)Z;0GFU49$h^SHO-rkm#z8#cR+do%7$xETT%E_{f947?=s;`)@Q
z+%~uEY(kscu<dNdZzKNd@!pE9YzuOBLZS`*H@lK`8=ndOW0xnMy%&n1htq)}T<)}?
z1rcJXWJA-8Hiq1sj-#bf7yBF0M}xcBK2uDy@6AzL-B@e%Pa`hB4ds+-bhSF1{1&$d
z;ri$1m+P<I1#fQ4r=4f3hs963_r+1^5~NGx8gsY@EXJY&EWN&DEQ{OmeV#x)`ha2#
zqYW3w>r?e;Z5SgO!E*y<Zy)^50N5Nrzj^3-2>Yl(1g{}j1xLV0%-!+~au)Zzka|7h
z)j`)<@i;K(YJ2}QiazUcm^kHnr}vtHHlJ{$Xt@QqHy@9rW}OtZdC-o)*Bye6gLwKj
z{0JJO)YyuxV7Xn?5Uheb?+N$_TG`jXeQ~^h4Z<<5_!;1R4<yDRGXPCmZ8z?A*k+$~
z!!nvduLri)jVJB3&pKVY5AW^Z+YL+WMOiP>Ex23pdq3FkL0%J5ZD_9#Z=HDWLydOi
z<RRUHU)E<&y?A!HKgxIFsMdv+Iw9YMa<-F)ynpUM?`)|Nk{$SE%^t|MAg=`_z0Qi+
zUz^M4O1K|Bb^x<aov7Jv*H#;J@4?LjVu#bA8E?$##<R)w%G%T^4=p?Jqy&2)&1d&t
znmD|MEYtSG-78<SM-eNy{`{IPO|4`m(IL;}JfCwD8y%qS!r>!JoX_vnzW3$C!hLVt
zU%c<V_W!f*y`2c~Dm?mXMu2wMRU84Hiz2|L?JKvYQje$z@b-!T2jJZ|xcDH?FVA1<
z>q}EB^!yArxZwBc|7-B{;oR)USH@P+|NnZC|Bw5N{r~UYng0JTtLp!`&*+@@|6h&#
z|CcM}|5xV(u=4$W=~s!;uQ{bBF`WjQ+<siAfw$;1;Nt+}K^pM@A8p-rxvb(}i~qgu
zPMrsSz9=5V{l)R%`a3fo{BhOdK|9WbJc;_#<s7~UosZ%{3%<$eix9u2-03euZ)H5t
z*+5@~_}>})m)z3RKxt~lX9N0wT_PX?A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`H
zAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F
z0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+
zA|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`H
zAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F
z0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+
qA|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wVBsB=BE1tuJZ-

literal 0
HcmV?d00001

diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_reg_system_restore_modification/7c06ab9b-b1d2-4ba9-b06e-09491ded20d9.json b/regression_data/rules/windows/process_creation/proc_creation_win_reg_system_restore_modification/7c06ab9b-b1d2-4ba9-b06e-09491ded20d9.json
new file mode 100644
index 000000000..121aeb0c2
--- /dev/null
+++ b/regression_data/rules/windows/process_creation/proc_creation_win_reg_system_restore_modification/7c06ab9b-b1d2-4ba9-b06e-09491ded20d9.json
@@ -0,0 +1,264 @@
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 1,
+      "Version": 5,
+      "Level": 4,
+      "Task": 1,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2026-03-11T05:43:26.345335Z"
+        }
+      },
+      "EventRecordID": 35549,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 3208,
+          "ThreadID": 1724
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "UtcTime": "2026-03-11 05:43:26.311",
+      "ProcessGuid": "0197231E-00FE-69B1-981A-000000000800",
+      "ProcessId": 376,
+      "Image": "C:\\Windows\\System32\\reg.exe",
+      "FileVersion": "10.0.26100.1 (WinBuild.160101.0800)",
+      "Description": "Registry Console Tool",
+      "Product": "Microsoft® Windows® Operating System",
+      "Company": "Microsoft Corporation",
+      "OriginalFileName": "reg.exe",
+      "CommandLine": "reg  add \"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore\" /v \"DisableConfig\" /t \"REG_DWORD\" /d \"1\" /f",
+      "CurrentDirectory": "C:\\Windows\\System32\\",
+      "User": "swachchhanda\\xodih",
+      "LogonGuid": "0197231E-AB9F-67AA-4C14-030000000000",
+      "LogonId": "0x3144c",
+      "TerminalSessionId": 1,
+      "IntegrityLevel": "High",
+      "Hashes": "MD5=573EB13AC2BA31E9C2E17FB6DAD14154,SHA256=E295E776FD4F7F73DFAAA5698A19EA7A2F4A2F0C5E1681FAC94E45D00296C926,IMPHASH=A26BCB048DF34CBB422F2656F38634D0",
+      "ParentProcessGuid": "0197231E-5098-69AE-5814-000000000800",
+      "ParentProcessId": 15816,
+      "ParentImage": "C:\\Windows\\System32\\cmd.exe",
+      "ParentCommandLine": "cmd.exe",
+      "ParentUser": "swachchhanda\\xodih"
+    }
+  }
+}
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 1,
+      "Version": 5,
+      "Level": 4,
+      "Task": 1,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2026-03-11T05:43:26.390084Z"
+        }
+      },
+      "EventRecordID": 35550,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 3208,
+          "ThreadID": 1724
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "UtcTime": "2026-03-11 05:43:26.378",
+      "ProcessGuid": "0197231E-00FE-69B1-991A-000000000800",
+      "ProcessId": 12068,
+      "Image": "C:\\Windows\\System32\\reg.exe",
+      "FileVersion": "10.0.26100.1 (WinBuild.160101.0800)",
+      "Description": "Registry Console Tool",
+      "Product": "Microsoft® Windows® Operating System",
+      "Company": "Microsoft Corporation",
+      "OriginalFileName": "reg.exe",
+      "CommandLine": "reg  add \"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore\" /v \"DisableSR\" /t \"REG_DWORD\" /d \"1\" /f",
+      "CurrentDirectory": "C:\\Windows\\System32\\",
+      "User": "swachchhanda\\xodih",
+      "LogonGuid": "0197231E-AB9F-67AA-4C14-030000000000",
+      "LogonId": "0x3144c",
+      "TerminalSessionId": 1,
+      "IntegrityLevel": "High",
+      "Hashes": "MD5=573EB13AC2BA31E9C2E17FB6DAD14154,SHA256=E295E776FD4F7F73DFAAA5698A19EA7A2F4A2F0C5E1681FAC94E45D00296C926,IMPHASH=A26BCB048DF34CBB422F2656F38634D0",
+      "ParentProcessGuid": "0197231E-5098-69AE-5814-000000000800",
+      "ParentProcessId": 15816,
+      "ParentImage": "C:\\Windows\\System32\\cmd.exe",
+      "ParentCommandLine": "cmd.exe",
+      "ParentUser": "swachchhanda\\xodih"
+    }
+  }
+}
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 1,
+      "Version": 5,
+      "Level": 4,
+      "Task": 1,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2026-03-11T05:43:26.438522Z"
+        }
+      },
+      "EventRecordID": 35551,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 3208,
+          "ThreadID": 1724
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "UtcTime": "2026-03-11 05:43:26.429",
+      "ProcessGuid": "0197231E-00FE-69B1-9A1A-000000000800",
+      "ProcessId": 2964,
+      "Image": "C:\\Windows\\System32\\reg.exe",
+      "FileVersion": "10.0.26100.1 (WinBuild.160101.0800)",
+      "Description": "Registry Console Tool",
+      "Product": "Microsoft® Windows® Operating System",
+      "Company": "Microsoft Corporation",
+      "OriginalFileName": "reg.exe",
+      "CommandLine": "reg  add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore\" /v \"DisableConfig\" /t \"REG_DWORD\" /d \"1\" /f",
+      "CurrentDirectory": "C:\\Windows\\System32\\",
+      "User": "swachchhanda\\xodih",
+      "LogonGuid": "0197231E-AB9F-67AA-4C14-030000000000",
+      "LogonId": "0x3144c",
+      "TerminalSessionId": 1,
+      "IntegrityLevel": "High",
+      "Hashes": "MD5=573EB13AC2BA31E9C2E17FB6DAD14154,SHA256=E295E776FD4F7F73DFAAA5698A19EA7A2F4A2F0C5E1681FAC94E45D00296C926,IMPHASH=A26BCB048DF34CBB422F2656F38634D0",
+      "ParentProcessGuid": "0197231E-5098-69AE-5814-000000000800",
+      "ParentProcessId": 15816,
+      "ParentImage": "C:\\Windows\\System32\\cmd.exe",
+      "ParentCommandLine": "cmd.exe",
+      "ParentUser": "swachchhanda\\xodih"
+    }
+  }
+}
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 1,
+      "Version": 5,
+      "Level": 4,
+      "Task": 1,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2026-03-11T05:43:27.502020Z"
+        }
+      },
+      "EventRecordID": 35552,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 3208,
+          "ThreadID": 1724
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "UtcTime": "2026-03-11 05:43:27.480",
+      "ProcessGuid": "0197231E-00FF-69B1-9B1A-000000000800",
+      "ProcessId": 13620,
+      "Image": "C:\\Windows\\System32\\reg.exe",
+      "FileVersion": "10.0.26100.1 (WinBuild.160101.0800)",
+      "Description": "Registry Console Tool",
+      "Product": "Microsoft® Windows® Operating System",
+      "Company": "Microsoft Corporation",
+      "OriginalFileName": "reg.exe",
+      "CommandLine": "reg  add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore\" /v \"DisableSR\" /t \"REG_DWORD\" /d \"1\" /f",
+      "CurrentDirectory": "C:\\Windows\\System32\\",
+      "User": "swachchhanda\\xodih",
+      "LogonGuid": "0197231E-AB9F-67AA-4C14-030000000000",
+      "LogonId": "0x3144c",
+      "TerminalSessionId": 1,
+      "IntegrityLevel": "High",
+      "Hashes": "MD5=573EB13AC2BA31E9C2E17FB6DAD14154,SHA256=E295E776FD4F7F73DFAAA5698A19EA7A2F4A2F0C5E1681FAC94E45D00296C926,IMPHASH=A26BCB048DF34CBB422F2656F38634D0",
+      "ParentProcessGuid": "0197231E-5098-69AE-5814-000000000800",
+      "ParentProcessId": 15816,
+      "ParentImage": "C:\\Windows\\System32\\cmd.exe",
+      "ParentCommandLine": "cmd.exe",
+      "ParentUser": "swachchhanda\\xodih"
+    }
+  }
+}
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_reg_system_restore_modification/info.yml b/regression_data/rules/windows/process_creation/proc_creation_win_reg_system_restore_modification/info.yml
new file mode 100644
index 000000000..91d85277a
--- /dev/null
+++ b/regression_data/rules/windows/process_creation/proc_creation_win_reg_system_restore_modification/info.yml
@@ -0,0 +1,13 @@
+id: 75a7a650-1934-4994-9447-addc8cea2c50
+description: N/A
+date: 2026-03-11
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+    - id: 7c06ab9b-b1d2-4ba9-b06e-09491ded20d9
+      title: System Restore Registry Modification via CommandLine
+regression_tests_info:
+    - name: Positive Detection Test
+      type: evtx
+      provider: Microsoft-Windows-Sysmon
+      match_count: 4
+      path: regression_data/rules/windows/process_creation/proc_creation_win_reg_system_restore_modification/7c06ab9b-b1d2-4ba9-b06e-09491ded20d9.evtx
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_schtasks_delete/dbc1f800-0fe0-4bc0-9c66-292c2abe3f78.evtx b/regression_data/rules/windows/process_creation/proc_creation_win_schtasks_delete/dbc1f800-0fe0-4bc0-9c66-292c2abe3f78.evtx
new file mode 100644
index 0000000000000000000000000000000000000000..12fcdcd528e521d3dba0d087d217507ab4d0dd97
GIT binary patch
literal 69632
zcmeI0U2I%O701uL`{DK4yKA>`DWM5Y+Cmbr<HT9VP8y26>m{KMn10YAS*k31?QCPO
zqu6O1f=~p6(n`?sfP&Nq5K`3-P^3N}p{i0PBm_@Is*3m!sz68xUMfme0jetV|Igg(
zYrD3S&?lt-UCr*y+%sp+{LYy(V~@_w)EaYjTmOVn$3^^xmNM%I){A`L_V9n+{nQ6m
zA_XEK0wN#+A|L`HAOa#F0wN#+A|L`+B``WSQ#sW<ZSi0CoBdv-Cj3+2RHxaq-@NJ4
zRTW=Ffb%@|o6E1Q7Tb|E%jeAA&Y1lzz50#WLG&NPzag&odG#t|9><(~c3@6E|BB>)
z67{q1Y4pvkv*%8<{~i64Wc#`~<|ADk`+QVC3E3KSzO+scWv=!4OG_g8vG^Y}N!R~W
z+qVxsE!m3yr`~(}&FwG#F(?IrwFhq;ee=0^Cf4`-{pq`R|M_>XUwppv*{84)N)30~
zH&EpQ`MlJgu~B>2>ejR+v>!vsJ`}xtxs<U-ZQkbaauF{wLD^10Y{|~p5!;W?qD`Tv
z4w*^Rd-2;q&skeQYr$q9*^Bl9`uE!-c-O@5LF>ck5Ndrki0}H!^owg+VX(aXI(!xT
zZQ<Um-DBsWdCAR)03Tjn{u1npJ^I##oQ=ELAI4nMkUERE11PmP81MRC+CB$k=ke04
zShOJfKok#qyVCX<JLg8?Rmn=J;gp?(*q0-TcP3j_!8&18y!$vxmLW$qd;gHPFF?g4
zkTtOUhBJZaifPM+#gt{!L7VMHM;z%lx3<_9Be4cZHSsPiwplujJ+~8$IK-!4&Da<O
z>8m*>WE2YR7Bp^&;&k*v+U|9}IPFA2P8e7>8r%YWuI$X(=ixxQg@`y^KusCD4UKr`
zJoM|F-G$fZ;kN~FoCbG_W~?g>?Bi&BH_~|YJ8hV>;h0t+T89C2(KKWn9_}K>)EyV{
zYdjba0-mgOrh+`8CCMeVRACkEyP=RK(-KcUEaojwTP|TxoDhEW&o-+#G1@WbEQzsB
zK(1Dcc6k1+ybVL+5)5awEMcWyZ?VNnStbR#z5I(#<J4Xg*R;u?0>fo_c^-4bN#tig
zZN&l}b%vjF6M6R@rycO7(U$ygTcenrg5V-Pkrg@1Wtm#(+Dk(@5Iz;LjR6!}Etd*9
zTsScq^Z7bLv;xUV1X9!4O{aBOkPeoY?|=Za8Xb4EnRB4#5ehWU@0BnUw8Ml)FrFKm
z#p{|z4_S{uMVy3x*qehp>6UY_%p)}WC?v9RKAsuN+I>(+?a{j0?Z#BP*lD}cb^}Ba
zdafW+abWpX<gCkbhNBBl8a0-j<((XcyZ%13I;>>J@%!!8T~14U8rsD;FMg}t>}4qZ
z>l1DeGMJaiaO#t=d2O=lvHQ{2gqIh<V9|P_aGgiHX%7ybxqsi!|5SNpEc;I5$#;K$
zz2o=0eMc1BA3iFXDSYz&>WQVn_{d<rZR+TQ!Dk=;<$L$Nu<Z>vj8gF7YpC+n<x~9{
z11wJ7Ri}0m{mhF)_~j|gID29tja<b^`S!yoS?0q`kV9;rg9Y`KoER415<2?!X#9r~
z=@z(h3B=-U8x~*@WqTr7=X$TXZCy~ui8U;QR^phw(U^}U`rp41rY$U_EJyiWkvzR0
zS)V~j@!*+-{b2!Nw5csM(B>-FCfcx&*<wr;@;u%c*=JV#6&A8v@bQPwG?+56goTzZ
zWSOP7`M6WhLpJAS4@c`HpJ<&Oh#Oili_(ProW<*jPqMJky2VQTOeDp~9&=hq3>%8X
zHk`5I_B3-S?*&ziVV$dD3Z}hnel&f~IOA@O>`kw1`LNLLr8e~T7<A3Los~of(kN}(
zF!~bt6Ie%BDEgx)j`U9?7IY#;xzBhV@x+*?m|Xp?^W#fCvihSHaL#B2MMM_YU59;f
zW=qcAu)ur@D{qZPb|oXTNJzX2@lv!18#}$^hBl5vGA8UJCq4oa9yfR%<!B~%ocbMB
z!VcSPykFmqetnzl&SdQBU9{~Q?cFS<y8L+hf>E&}A(LNYZ+s|(g_|%UZA>#EQh9Hb
z)|v7@jd~4b1chmSAIi-rUqRV}avKVd03H|qh=2^TB>UJNz<XTqoLrB)b{<4u53Zg4
z_&$J7H|k|vWy|<If_546_u;qCcHVk9xE#LNcxF2cgRXxR4aemXn^<>3Osu)k^kbF@
z_?_n_lkK9NM(IT?@D@P5)ZYuK0oP)kR_uwij$qd@Q%$@6fykBvZqy)JeYO{o?e%tJ
zX3oPqiO=C@p^1KJx|`>$+ri06(~Xe}_{?o^?p?viwI?5YcuP!9t0wjW=S(i(??3<i
z{AV$aSt6NxGa~EzyD`IltcUlly4!zj&$!+ttg9P$orw+X-`Xp@zwwU-+EmB*dvNOQ
zz7B70d>fj8PkDoGzz2+$AN=@**|BXnR`JBY0qVygF$<ZK$f9LChKL@(9dZx{_b_@6
z<Gatr<^fn##h*nZ=<CCG1-*wMN579^R2grFQ2!+CKaNoc(K7&jjNK|q8B&LwOa*T%
zXdS?)QH&pO`q?w&v{X?WMt#WXAHmxJ)CbYxeBPoO#?l6As6j8SDP!LZLTeRohEQnf
z5bQaDwT(NQXxTAHl$``+`%w<za~N9soi@%vO<Xl~^+R?Lg<40QEu{JV@hgo7wvlDd
zes%2H_udq8K6j7bacf(f-D_8S5)<<8Yds<$0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F
z0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+
zA|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`H
zAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F
z0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+
zA|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`H
zAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F
W0wN#+A|L`HAOa#F0wVDLPT;>2J8_`^

literal 0
HcmV?d00001

diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_schtasks_delete/dbc1f800-0fe0-4bc0-9c66-292c2abe3f78.json b/regression_data/rules/windows/process_creation/proc_creation_win_schtasks_delete/dbc1f800-0fe0-4bc0-9c66-292c2abe3f78.json
new file mode 100644
index 000000000..01e6324b7
--- /dev/null
+++ b/regression_data/rules/windows/process_creation/proc_creation_win_schtasks_delete/dbc1f800-0fe0-4bc0-9c66-292c2abe3f78.json
@@ -0,0 +1,66 @@
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 1,
+      "Version": 5,
+      "Level": 4,
+      "Task": 1,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2026-03-11T05:50:15.050582Z"
+        }
+      },
+      "EventRecordID": 35558,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 3208,
+          "ThreadID": 1724
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "UtcTime": "2026-03-11 05:50:15.010",
+      "ProcessGuid": "0197231E-0297-69B1-A51A-000000000800",
+      "ProcessId": 3824,
+      "Image": "C:\\Windows\\System32\\schtasks.exe",
+      "FileVersion": "10.0.26100.1 (WinBuild.160101.0800)",
+      "Description": "Task Scheduler Configuration Tool",
+      "Product": "Microsoft® Windows® Operating System",
+      "Company": "Microsoft Corporation",
+      "OriginalFileName": "schtasks.exe",
+      "CommandLine": "schtasks  /delete /f /tn \"\\Microsoft\\Windows\\SystemRestore\\SR\"",
+      "CurrentDirectory": "C:\\Windows\\System32\\",
+      "User": "swachchhanda\\xodih",
+      "LogonGuid": "0197231E-AB9F-67AA-4C14-030000000000",
+      "LogonId": "0x3144c",
+      "TerminalSessionId": 1,
+      "IntegrityLevel": "High",
+      "Hashes": "MD5=F6A8EAD7A0201CD4B70BC27880EF5D90,SHA256=50D05E4D9CACE1FE8620CE95DDEA9978B26987787A0FFBCFEF4C25381DB9BB79,IMPHASH=15B98131447F3FE7853021D3B8BDBE26",
+      "ParentProcessGuid": "0197231E-5098-69AE-5814-000000000800",
+      "ParentProcessId": 15816,
+      "ParentImage": "C:\\Windows\\System32\\cmd.exe",
+      "ParentCommandLine": "cmd.exe",
+      "ParentUser": "swachchhanda\\xodih"
+    }
+  }
+}
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_schtasks_delete/info.yml b/regression_data/rules/windows/process_creation/proc_creation_win_schtasks_delete/info.yml
new file mode 100644
index 000000000..a26c8b222
--- /dev/null
+++ b/regression_data/rules/windows/process_creation/proc_creation_win_schtasks_delete/info.yml
@@ -0,0 +1,13 @@
+id: 26749dc2-d5d4-4e6e-917a-b21be70dde32
+description: N/A
+date: 2026-03-11
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+    - id: dbc1f800-0fe0-4bc0-9c66-292c2abe3f78
+      title: Delete Important Scheduled Task
+regression_tests_info:
+    - name: Positive Detection Test
+      type: evtx
+      provider: Microsoft-Windows-Sysmon
+      match_count: 1
+      path: regression_data/rules/windows/process_creation/proc_creation_win_schtasks_delete/dbc1f800-0fe0-4bc0-9c66-292c2abe3f78.evtx
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_schtasks_disable/9ac94dc8-9042-493c-ba45-3b5e7c86b980.evtx b/regression_data/rules/windows/process_creation/proc_creation_win_schtasks_disable/9ac94dc8-9042-493c-ba45-3b5e7c86b980.evtx
new file mode 100644
index 0000000000000000000000000000000000000000..ccc4fcd199d252a2b320865ba19ff618ceb0b4f4
GIT binary patch
literal 69632
zcmeI1U2I%O701uL`{DK4yKA>Gl+pwzEzp?SvE!^iNCVirUJ`0UXcJl_i(<02v(0)P
zWt}Ez5Q>1Rv`A1M5Ji0e@d7O<QXi0@sssX|@>C>L35ZYy;sJO;DyRZfA@l#w-0QVn
z+ezsQ5C6NmyYq48%$eUgb7ta9)fXzY`n+v^!l>a2enU%`bp@M6-g157->-k*Eh~`%
z5fA|p5CIVo0TB=Z5fA|p5CIVof$I{OsxOpIH_ll6ulwzOuTT^IDDYIb*|q)`e|}xX
z*Ad`6CqMPsZ>|^Hoi@v6%>I!w`%7|tkJ&-AAHkm?-t6<zb;dl7Ir;3yoP7Qn$^Rf~
zXWP?gTi9gJ2T}i5^hc6gH_fpW>EhUDqVf!6E71A;COwq7(dSQXEy?%9f1qhK{ZFO7
zKKQg?YyQ9X(`%3HdG7Z?AqcE9c;)clz8BBL@|}Nu`rdti{O!wEp6UMXlUNC*Cc5p5
zC~|>(p6^WAls#<o*02@SAH$n|DC&Hnkg|)mWOZ~l(UA&@b{b+UcGli+2k>dyDYVQ(
zW)9^6{MOKN&X!SIwgpHIpuUXu19ky@4g4OoL3|FOG-zY^o?n~3xuF&YtE(@=SFzug
zPo(WWy9CWEZbk(7#OmrNVOQ+YS1)JmxSRc9%vFWdIrNU;t;E52&)1XoQ5d^~PP2U8
zg7gDXJnZjD+K27D8;P!h6%rE(n}OIPk;H3rZR=nivoiYLi#N@XqniEKvi5PPm;<sJ
zmS1xw5M4fL=`f$LbTa6$eQ1ay{g(DN`$QyG1E~i3!hDA%lh|{6P>Dml`clfKAxK}<
zosdx|wA)a*EsE2r%Sk)od~wE!gq$$2UR1aR_*~tSwvWMqbPEx2x`3Keb_Xi)&Uxrp
z8M_DFm*BT$aIAtmMN`(31oq>od@a&=_$wWlwC0$WAUY2N=%OlQ93Ji>#?;-Hvl~1Z
z4+5UFbti%>qNSBfDv8`W+V?^sO{OKDe3;K#mbN^KL2*L(&fhz%<iu!4-B}W2orPSb
z67BHpt67_X#uXUOXj#EZz21DA71B%!bbIj^-NvcCCa!6lK{<xY>gp2ah?B^Ve%Ou$
zTy%z?cN2N{9;F@drqPz{Z`z}nJq5ugK9Lm}%cPlF>DoufGa!6AVjBa<w_7F=bh&V1
zGUoFIglGwpa|on{vzt!qvLG3(uHFp+W;HtQa3kYDEg=+WoZl;9D(Hj>7cib1o3GbZ
zMGIL^LPeZ}zdewFJL#75u*@Sgdlw|qaXwy{PTNT+r1ofCopy5~neVo}NxKQ62tD^A
zQgLAURb;HkGKQlIPZA}*8Ou6340r8=sC8Mvj^g*n?R%Y;_%yUDabEmVr`Zco+V^EQ
z2pP=Fq&W2qY~Glx`t5$SHQ?oCFlbtT6s}9CH|)W&v-kJ?><^`%Os8L~ef9O<z1i^x
z+`c0U?hhZ8%oIL(f9}}ISbSu#+;QsggTY50fAK#jpWXEe97ZYl@Yg8v)a6tDJOeCF
z-esqD4(-f~<M`z%%s6{uIf-1wN!j}jylLjcRFFYzpN9qWYdJB@!6kI`yQA@MZ%Mbo
zl`9|?Z`&{jizwS4$vW42%^jP9I!>%%F0=y2?2pF0v!(xy8=-1pE@2tU?~UZ?{mA+h
zLW&2^BJ2-y2%~Lnsem?DxiQg(xzrA0%8=*r#>hUq=C3f9-hq!le5zo|#1iJ(c93P3
z;^yN{y#(2emmQ7PNj}j!yAU_DVi9ix@^y>X6Q5*Zu6>7<_?bwGkv;9SkQg=;iETM!
z$?a+8P~Hp57{fAG#S~0?JN#(+oN>n88rhp%+wx(q(@SmX?P=&*bUUjR9Y~|JY0Kzq
z$sfZy!d%`TMRBCRuVq0uVwC%g*AY*Qd5X!^?>axe;3I1|S^?*bR**+zaozK<FV1YO
zvp38!pTf%9qmezWk!d6(UWIrmYQn~DFS(_S#~~RL_K_1G0WBUkc^<`RCU>0r9ag{&
z+itvH-_3q~+w9KP*!8<;*A3dcT}<`(@$?0wVt0#7c7wg~p%CWYh7n0)nhBB02copj
zl>Z@=D|jdIGR^nly#?=+c-eOcULFBFF8mPz8DvSeu|9%+T=1M+zq@uGL|Z?uox}JZ
z!lxJI5nN@5tcdSnTt^2WcL<+7w|^seBJ*7B&$q%b==wDN>$3!z*-a<J?1l@?Fh<Y9
z?>sk|Y@2ol?*L+fw}2tcHsD^`!5Ztd;?79xBz7G$Rn@hRpr2AhZq%5Q-;c=ldV4W5
z=i!~i=kRmTM87oL&2!Q1;MPggi;>It)VDbIu43fIlaDRDCALnh2KEByY+b<Lc>ekM
z&tV+1L~HKth-}y1i<u6r-D8;FSwDeOsu#DN*)3MEvtM|F<3Af{)jY=EhjVYA(^&=Y
zCM^AoJ0HA<<JfFM@*>7i<}}J>lrMm89lvvEWxwa)?+5h!);Fj1dKg*X`u?+v)4Om4
z<B5L*l#gPjMa(sWxr%lK(LaLw<`@q73ABvjd(g%45ZIIvrITnI#CHj;qmW~aOkq?J
zz2hj~1^bR-)Iqe2KwlAUWxPd59da@y^p;Q?!l)^XA94EGGVZjLQJO$`-07c0?+D6c
zsBu1TQ3YdZ12t5jm(~>BZW_WIlaQapXB5A8A+OFL56~uBb_DYlox~VQ!+5#(MxkZc
zY2zH!#8p$*Fl5K@QtOnng*2Z!ezo?%F0#znFOS^#K0Sr=fjiCb&W*Jj@g!%&!+($K
z5djep0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo
z0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z
z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p
z5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo
z0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z
z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p
x5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVof&VuG{{<Aad7S_N

literal 0
HcmV?d00001

diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_schtasks_disable/9ac94dc8-9042-493c-ba45-3b5e7c86b980.json b/regression_data/rules/windows/process_creation/proc_creation_win_schtasks_disable/9ac94dc8-9042-493c-ba45-3b5e7c86b980.json
new file mode 100644
index 000000000..a223a56fb
--- /dev/null
+++ b/regression_data/rules/windows/process_creation/proc_creation_win_schtasks_disable/9ac94dc8-9042-493c-ba45-3b5e7c86b980.json
@@ -0,0 +1,66 @@
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 1,
+      "Version": 5,
+      "Level": 4,
+      "Task": 1,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2026-03-11T06:15:38.256405Z"
+        }
+      },
+      "EventRecordID": 35626,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 3208,
+          "ThreadID": 1724
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "UtcTime": "2026-03-11 06:15:38.244",
+      "ProcessGuid": "0197231E-088A-69B1-E71A-000000000800",
+      "ProcessId": 15968,
+      "Image": "C:\\Windows\\System32\\schtasks.exe",
+      "FileVersion": "10.0.26100.1 (WinBuild.160101.0800)",
+      "Description": "Task Scheduler Configuration Tool",
+      "Product": "Microsoft® Windows® Operating System",
+      "Company": "Microsoft Corporation",
+      "OriginalFileName": "schtasks.exe",
+      "CommandLine": "schtasks.exe  /Change /TN \"\\Microsoft\\Windows\\SystemRestore\\SR\" /disable",
+      "CurrentDirectory": "C:\\Users\\xodih\\Downloads\\Sysmon\\",
+      "User": "swachchhanda\\xodih",
+      "LogonGuid": "0197231E-AB9F-67AA-4C14-030000000000",
+      "LogonId": "0x3144c",
+      "TerminalSessionId": 1,
+      "IntegrityLevel": "High",
+      "Hashes": "MD5=F6A8EAD7A0201CD4B70BC27880EF5D90,SHA256=50D05E4D9CACE1FE8620CE95DDEA9978B26987787A0FFBCFEF4C25381DB9BB79,IMPHASH=15B98131447F3FE7853021D3B8BDBE26",
+      "ParentProcessGuid": "0197231E-5098-69AE-5814-000000000800",
+      "ParentProcessId": 15816,
+      "ParentImage": "C:\\Windows\\System32\\cmd.exe",
+      "ParentCommandLine": "cmd.exe",
+      "ParentUser": "swachchhanda\\xodih"
+    }
+  }
+}
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_schtasks_disable/info.yml b/regression_data/rules/windows/process_creation/proc_creation_win_schtasks_disable/info.yml
new file mode 100644
index 000000000..4bd57eaf7
--- /dev/null
+++ b/regression_data/rules/windows/process_creation/proc_creation_win_schtasks_disable/info.yml
@@ -0,0 +1,13 @@
+id: 081cb657-2a63-4c7f-8c93-3610f7555370
+description: N/A
+date: 2026-03-11
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+    - id: 9ac94dc8-9042-493c-ba45-3b5e7c86b980
+      title: Disable Important Scheduled Task
+regression_tests_info:
+    - name: Positive Detection Test
+      type: evtx
+      provider: Microsoft-Windows-Sysmon
+      match_count: 1
+      path: regression_data/rules/windows/process_creation/proc_creation_win_schtasks_disable/9ac94dc8-9042-493c-ba45-3b5e7c86b980.evtx
diff --git a/regression_data/rules/windows/registry/registry_set/registry_set_disable_system_restore/5de03871-5d46-4539-a82d-3aa992a69a83.evtx b/regression_data/rules/windows/registry/registry_set/registry_set_disable_system_restore/5de03871-5d46-4539-a82d-3aa992a69a83.evtx
new file mode 100644
index 0000000000000000000000000000000000000000..0b3a43daf4930c182251dac68bd30dca353c8727
GIT binary patch
literal 69632
zcmeI$Yitx%6bJA#v$NCfw!3XbBJwB{kXM8PrC1)uU>`sz4+~OFnwUbjbW6J>wB;d*
zX%KvXf|?i;(Zt{fAu$*}Xb>SLCM14PG=?Y|Lo|L7KN!&vNr+kh=gytBl$St>f&6E?
z-JO{;_ul#4GiP?Ux~;h;-IkJpOVn=Y!K*6~kwRx+$StpbQMYy3EjPjjC_n)UP=Epy
zpa2CZKmiI+fC3b_u0VBLb7f0ry@cQHJ$uB!^&V`G6^Wc4B2qo}neEqY_&NdF{*1R@
zs^}j!$`^^pME=5$55I;3u>mu&{bBqJaih!0>m2hU`qX8V{lVjJ8~?uDuKV_3Tl0YN
zJc9KLuI?2XKA?~G@W&JEJ80i8MQjb)JUXBq)4)yq`z7Zl4!Xi2Q>KWt<Vx@S7ya?k
zkr9V~bP60t@|`pDem^k5o~6E@bar3e*q=|I>N!~S-YYm0japD7JMdOdP?w|mQK^<q
zl9G&cVf}eL{Z_m4SV2^_NV~LQXD4<<opNbGSeI;&xl)Qpr>w=66k;0jei~lW*s@VN
zu+|~Xh@6J?4s0)#&DfX0>r9!B$1J>?E*1En>g~Ssk~P=KW=~<R!g=dh<;zOhik7=f
zkNBl)K{op&#ud)!xot67VS3+$zM2rV5qoFjSraDXlGi<1hQYRDr${m>j{k(shsi@d
zSt#A+NbD+*g2;l1EJfJUHsX9^PCu;0QiXjJ@$@z2w3*32#N{zG(Fn3MPCspipma%3
zd^Z^p-*fV0EH;FhJ}fs!R@<;Nq%zp&CiBGeaLpBCB~0<AlToQfpw3mB2@(x*Wh7Qc
z+B~h^=E*8E7wb)ks~tKr1}l0A=yIsom*tp1ofak1?i_6?D&w&dUOBB_#bgO~Z^gWI
zz_AJL8XA?M9@tl4<yG6_yghm7G;K^P5t_mPbc&h~V|er`(wv&VEq=)ih6jPim!gOh
zN4E6UlA1`OpLQJ@)FJCg0(mzXm$;5)Ck_e=!u~(=q|$`xINHoeLe>Vv)zsK4Jbo@N
z3(#U02CmuCg)<G>P3A~}uSG$pz5GOxXxBkYdQMk4D52?+&9<YDu!tP_Fc&AV#SFaL
zbQDbQA{_^2Q*<ox?{aO<u0>!c9(EKliTPSub!vCci9xu<+J*qhT!}@TLX%EfjCFYy
zDO!ohMkG?kj9VwIP#n+6X6GY7tC~*SyiCkMwIdaDaKW|WMxA^NVKa``3tOK-TTR%a
z){mlzun501Er#jTY3atu0z#3|i15RD++6F+<7iM@x962FLn2<XNJ>1p2cbwk^F*fN
zm+RmxVlq@>g4-7s5AXCDleme);b!}EtQAUuEW+!{krKot@UTlySQlT&7deJTFYXHV
zxVRW}iE7tNG3HB))l{j+whU&u0|uQk)uwAZ)-&={#fJJRpZ!$%X{~=gz4zkxH+p=j
zx$cxgua6)rwNeDdd)QmKhx9g~1zg{MyYR~uhg<g-w@o}S`V2;`QJBMT@K*1-x>Rk~
z1PhCIm1(vS+qEvv!K>bdHP3c+c&Js{sqVcWPhaa{)QKUtyD@@PZ%uSz=;%aGw#Sd?
zi|*gqDqJobaGaaKs5Jfo8-HJ4d=93*3&P=L?k3zIcB+jvsS=DNZ@@(m7GgIMk%Fs^
zCn)xP7fut#gJjY865EGni#^*YQc!PH>&&>L!B|RdoW|R@d{aU<nz$~^*&1oZ5n3wT
zgnx~*twNL%ry<&j*qk6%&r)YX^V#;`^<ETiB8DhWa8F12Yf3vPf<bC)+Rw)OJ$R0{
zPt8c}Wi|R~!`!9J?Q|yMrs8&5hW|707=!oaxJ8%S|7B>i9Jkzuq<GvL&e_P}^wHty
z5bf`nASeTKr2(107+Fw-^Q}i84LF0oTWuM7X)x7i9a>76nzjhHhgw`i4TxSYH8873
zZLC8=HefD0Fgm@u^bXjGEtg*_+GGD~Z47!}Wm@a&S1YgH?zQZvu&)Y7bmGj{n4Hx*
zpD}mYb=XsnQPkmej7-AWZ^5(wV}?w|kyoy34T#ozVH&j#*{`3k^mEqdxDfGYmeIS9
zU*U7sVAZd^&cON=_7~Q#f9{<6b*)T(Zjds$0y!RL@+UTv?;UpMX7Wmtxr3F#_WOY5
zujcV-yrSBh<%0_+Zet$5ds!Zb{e^j)y*u*w%|XfI*{I0ny?K1h=JBGjw<C}Ld;P66
zpXRjQ>NmnmznW;R|9`79vRLz3^ZIMN;)ASN5+!9HU;aIKu<G-^%knzxFU)IacQB4S
z;Pd6R>ho*2oY%AP`JfD+MrNA4{tcfrj@!I`aNOOI*MnQDkv5vgTqr;R3Q&Lo6rcbF
zC_n)UP=Epypa2CZKmiI+fC3bt00k&O0SZun0u-PC1t>rP3Q&Lo6rcbFC_n)UP=Epy
zpa2CZKmiI+fC3bt00k&O0SZun0u-PC1t>rP3Q&Lo6rcbFC_n)UP=Epypa2CZKmiI+
zfC3bt00k&O0SZun0u-PC1t>rP3Q&Lo6rcbFC_n)UP=Epypa2CZKmiI+fC3bt00k&O
z0SZun0u-PC1t>rP3Q&Lo6rcbFC_n)UP=Epypa2CZKmiI+fC3bt00k&O0SZun0u-PC
z1t>rP3Q&Lo6rcbFC_n)UP=Epypa2CZKmiI+fC3bt00k&O0SZun0u-PC1t>rP3Q&Lo
z6rcbFC_n)UP=Epypa2CZKmiI+fC3bt00k&O0SZun0u-PC1t>rP3Q&Lo6rcbFC~!Lj
F{sr>q;R^r&

literal 0
HcmV?d00001

diff --git a/regression_data/rules/windows/registry/registry_set/registry_set_disable_system_restore/5de03871-5d46-4539-a82d-3aa992a69a83.json b/regression_data/rules/windows/registry/registry_set/registry_set_disable_system_restore/5de03871-5d46-4539-a82d-3aa992a69a83.json
new file mode 100644
index 000000000..428bd6b1e
--- /dev/null
+++ b/regression_data/rules/windows/registry/registry_set/registry_set_disable_system_restore/5de03871-5d46-4539-a82d-3aa992a69a83.json
@@ -0,0 +1,208 @@
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 13,
+      "Version": 2,
+      "Level": 4,
+      "Task": 13,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2026-03-11T05:55:53.550235Z"
+        }
+      },
+      "EventRecordID": 35579,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 3208,
+          "ThreadID": 1724
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "EventType": "SetValue",
+      "UtcTime": "2026-03-11 05:55:53.547",
+      "ProcessGuid": "0197231E-03E9-69B1-BA1A-000000000800",
+      "ProcessId": 9860,
+      "Image": "C:\\WINDOWS\\system32\\reg.exe",
+      "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore\\DisableConfig",
+      "Details": "DWORD (0x00000001)",
+      "User": "swachchhanda\\xodih"
+    }
+  }
+}
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 13,
+      "Version": 2,
+      "Level": 4,
+      "Task": 13,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2026-03-11T05:55:53.593526Z"
+        }
+      },
+      "EventRecordID": 35581,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 3208,
+          "ThreadID": 1724
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "EventType": "SetValue",
+      "UtcTime": "2026-03-11 05:55:53.581",
+      "ProcessGuid": "0197231E-03E9-69B1-BB1A-000000000800",
+      "ProcessId": 6164,
+      "Image": "C:\\WINDOWS\\system32\\reg.exe",
+      "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore\\DisableSR",
+      "Details": "DWORD (0x00000001)",
+      "User": "swachchhanda\\xodih"
+    }
+  }
+}
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 13,
+      "Version": 2,
+      "Level": 4,
+      "Task": 13,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2026-03-11T05:55:53.648759Z"
+        }
+      },
+      "EventRecordID": 35583,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 3208,
+          "ThreadID": 1724
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "EventType": "SetValue",
+      "UtcTime": "2026-03-11 05:55:53.645",
+      "ProcessGuid": "0197231E-03E9-69B1-BC1A-000000000800",
+      "ProcessId": 8776,
+      "Image": "C:\\WINDOWS\\system32\\reg.exe",
+      "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore\\DisableConfig",
+      "Details": "DWORD (0x00000001)",
+      "User": "swachchhanda\\xodih"
+    }
+  }
+}
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 13,
+      "Version": 2,
+      "Level": 4,
+      "Task": 13,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2026-03-11T05:55:54.364135Z"
+        }
+      },
+      "EventRecordID": 35585,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 3208,
+          "ThreadID": 1724
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "EventType": "SetValue",
+      "UtcTime": "2026-03-11 05:55:54.362",
+      "ProcessGuid": "0197231E-03EA-69B1-BD1A-000000000800",
+      "ProcessId": 9004,
+      "Image": "C:\\WINDOWS\\system32\\reg.exe",
+      "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore\\DisableSR",
+      "Details": "DWORD (0x00000001)",
+      "User": "swachchhanda\\xodih"
+    }
+  }
+}
diff --git a/regression_data/rules/windows/registry/registry_set/registry_set_disable_system_restore/info.yml b/regression_data/rules/windows/registry/registry_set/registry_set_disable_system_restore/info.yml
new file mode 100644
index 000000000..86feb5f6c
--- /dev/null
+++ b/regression_data/rules/windows/registry/registry_set/registry_set_disable_system_restore/info.yml
@@ -0,0 +1,13 @@
+id: 70b0db86-1b38-48dd-8ddb-29357e0c0149
+description: N/A
+date: 2026-03-11
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+    - id: 5de03871-5d46-4539-a82d-3aa992a69a83
+      title: Registry Disable System Restore
+regression_tests_info:
+    - name: Positive Detection Test
+      type: evtx
+      provider: Microsoft-Windows-Sysmon
+      match_count: 4
+      path: regression_data/rules/windows/registry/registry_set/registry_set_disable_system_restore/5de03871-5d46-4539-a82d-3aa992a69a83.evtx
diff --git a/rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable.yml b/rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable.yml
index 852c3c356..f4cbd969e 100644
--- a/rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable.yml
+++ b/rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable.yml
@@ -38,11 +38,17 @@ detection:
             - '\Windows\WindowsUpdate\'
             - '\Windows\UpdateOrchestrator\Schedule'
             - '\Windows\ExploitGuard'
-    filter_sys_username:
+    filter_main_defender_update:
         EventID: 4699
         SubjectUserName|endswith: '$'  # False positives during upgrades of Defender, where its tasks get removed and added
         TaskName|contains: '\Windows\Windows Defender\'
-    condition: selection and not 1 of filter_*
+    condition: selection and not 1 of filter_main_*
 falsepositives:
     - Unknown
 level: high
+regression_tests_path: regression_data/rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable/info.yml
+simulation:
+    - type: atomic-red-team
+      name: Windows - Disable the SR scheduled task
+      technique: T1490
+      atomic_guid: 1c68c68d-83a4-4981-974e-8993055fa034
diff --git a/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete.yml b/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete_or_disable.yml
similarity index 61%
rename from rules/windows/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete.yml
rename to rules/windows/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete_or_disable.yml
index 013f25157..3741012fb 100644
--- a/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete.yml
+++ b/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete_or_disable.yml
@@ -1,18 +1,20 @@
-title: Important Scheduled Task Deleted
+title: Important Scheduled Task Deleted or Disabled
 id: 9e3cb244-bdb8-4632-8c90-6079c8f4f16d
 related:
     - id: dbc1f800-0fe0-4bc0-9c66-292c2abe3f78 # ProcCreation schtasks delete
       type: similar
     - id: 7595ba94-cf3b-4471-aa03-4f6baa9e5fad # Security-Audting Eventlog
       type: similar
+    - id: 9ac94dc8-9042-493c-ba45-3b5e7c86b980 # ProcCreation schtasks disable
+      type: similar
 status: test
 description: |
-    Detects when adversaries try to stop system services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities
+    Detects when adversaries try to stop system services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities
 references:
     - https://www.socinvestigation.com/most-common-windows-event-ids-to-hunt-mind-map/
 author: frack113
 date: 2023-01-13
-modified: 2023-02-07
+modified: 2026-03-11
 tags:
     - attack.impact
     - attack.t1489
@@ -22,7 +24,9 @@ logsource:
     definition: 'Requirements: The "Microsoft-Windows-TaskScheduler/Operational" is disabled by default and needs to be enabled in order for this detection to trigger'
 detection:
     selection:
-        EventID: 141
+        EventID:
+            - 141 # Task Deleted
+            - 142 # Task Disabled
         TaskName|contains:
             - '\Windows\SystemRestore\SR'
             - '\Windows\Windows Defender\'
@@ -31,11 +35,17 @@ detection:
             - '\Windows\WindowsUpdate\'
             - '\Windows\UpdateOrchestrator\'
             - '\Windows\ExploitGuard'
-    filter:
+    filter_main_user:
         UserName|contains:
             - 'AUTHORI'
             - 'AUTORI'
-    condition: selection and not filter
+    condition: selection and not 1 of filter_main_*
 falsepositives:
     - Unknown
 level: high
+regression_tests_path: regression_data/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete_or_disable/info.yml
+simulation:
+    - type: atomic-red-team
+      name: Windows - Disable the SR scheduled task
+      technique: T1490
+      atomic_guid: 1c68c68d-83a4-4981-974e-8993055fa034
diff --git a/rules/windows/process_creation/proc_creation_win_reg_system_restore_modification.yml b/rules/windows/process_creation/proc_creation_win_reg_system_restore_modification.yml
new file mode 100644
index 000000000..6f66c5df4
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_reg_system_restore_modification.yml
@@ -0,0 +1,51 @@
+title: System Restore Registry Modification via CommandLine
+id: 7c06ab9b-b1d2-4ba9-b06e-09491ded20d9
+related:
+    - id: 5de03871-5d46-4539-a82d-3aa992a69a83
+      type: similar
+status: experimental
+description: |
+    Detects system restore registry modification via command line, which can be used by adversaries to disable system restore on the computer.
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-9---disable-system-restore-through-registry
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2026-03-11
+tags:
+    - attack.impact
+    - attack.t1490
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith:
+              - '\powershell.exe'
+              - '\pwsh.exe'
+              - '\reg.exe'
+        - OriginalFileName:
+              - 'powershell.exe'
+              - 'pwsh.dll'
+              - 'reg.exe'
+    selection_cli_action:
+        CommandLine|contains:
+            - ' add '
+            - 'Set-ItemProperty'
+            - 'New-ItemProperty'
+    selection_cli_reg_root:
+        CommandLine|contains:
+            - '\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
+            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
+    selection_cli_reg_key:
+        CommandLine|contains:
+            - 'DisableConfig'
+            - 'DisableSR'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: high
+regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_reg_system_restore_modification/info.yml
+simulation:
+    - type: atomic-red-team
+      name: Disable System Restore Through Registry
+      technique: T1490
+      atomic_guid: 66e647d1-8741-4e43-b7c1-334760c2047f
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_delete.yml b/rules/windows/process_creation/proc_creation_win_schtasks_delete.yml
index a559cb449..799e0262c 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_delete.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_delete.yml
@@ -11,6 +11,7 @@ references:
     - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-09-09
+modified: 2026-03-11
 tags:
     - attack.impact
     - attack.t1489
@@ -18,11 +19,12 @@ logsource:
     category: process_creation
     product: windows
 detection:
-    selection:
-        Image|endswith: '\schtasks.exe'
-        CommandLine|contains|all:
-            - '/delete'
-            - '/tn'
+    selection_img:
+        - Image|endswith: '\schtasks.exe'
+        - OriginalFileName: 'schtasks.exe'
+    selection_cli_delete:
+        CommandLine|contains|windash: '/delete'
+    selection_cli_task:
         CommandLine|contains:
             # Add more important tasks
             - '\Windows\BitLocker'
@@ -32,7 +34,8 @@ detection:
             - '\Windows\Windows Defender\'
             - '\Windows\WindowsBackup\'
             - '\Windows\WindowsUpdate\'
-    condition: selection
+    condition: all of selection_*
 falsepositives:
     - Unlikely
 level: high
+regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_schtasks_delete/info.yml
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_disable.yml b/rules/windows/process_creation/proc_creation_win_schtasks_disable.yml
index a3ce9380f..6cd17b509 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_disable.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_disable.yml
@@ -3,6 +3,8 @@ id: 9ac94dc8-9042-493c-ba45-3b5e7c86b980
 related:
     - id: 7595ba94-cf3b-4471-aa03-4f6baa9e5fad # Security-Audting Eventlog
       type: similar
+    - id: 9e3cb244-bdb8-4632-8c90-6079c8f4f16d # TaskScheduler EventLog
+      type: similar
 status: test
 description: Detects when adversaries stop services or processes by disabling their respective scheduled tasks in order to conduct data destructive activities
 references:
@@ -11,7 +13,7 @@ references:
     - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
 author: frack113, Nasreddine Bencherchali (Nextron Systems), X__Junior
 date: 2021-12-26
-modified: 2024-08-25
+modified: 2026-03-11
 tags:
     - attack.impact
     - attack.t1489
@@ -19,12 +21,12 @@ logsource:
     category: process_creation
     product: windows
 detection:
-    selection:
-        Image|endswith: '\schtasks.exe'
-        CommandLine|contains|all:
-            - '/Change'
-            - '/TN'
-            - '/disable'
+    selection_img:
+        - Image|endswith: '\schtasks.exe'
+        - OriginalFileName: 'schtasks.exe'
+    selection_cli_disable:
+        CommandLine|contains|windash: '/disable'
+    selection_cli_task:
         CommandLine|contains:
             # Add more important tasks
             - '\Windows\BitLocker'
@@ -35,7 +37,13 @@ detection:
             - '\Windows\Windows Defender\'
             - '\Windows\WindowsBackup\'
             - '\Windows\WindowsUpdate\'
-    condition: selection
+    condition: all of selection_*
 falsepositives:
     - Unknown
 level: high
+regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_schtasks_disable/info.yml
+simulation:
+    - type: atomic-red-team
+      name: Windows - Disable the SR scheduled task
+      technique: T1490
+      atomic_guid: 1c68c68d-83a4-4981-974e-8993055fa034
diff --git a/rules/windows/registry/registry_set/registry_set_disable_system_restore.yml b/rules/windows/registry/registry_set/registry_set_disable_system_restore.yml
index a59931d4d..fec5b0fb3 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_system_restore.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_system_restore.yml
@@ -1,5 +1,8 @@
 title: Registry Disable System Restore
 id: 5de03871-5d46-4539-a82d-3aa992a69a83
+related:
+    - id: 7c06ab9b-b1d2-4ba9-b06e-09491ded20d9
+      type: similar
 status: test
 description: Detects the modification of the registry to disable a system restore on the computer
 references:
@@ -26,3 +29,9 @@ detection:
 falsepositives:
     - Unknown
 level: high
+regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_disable_system_restore/info.yml
+simulation:
+    - type: atomic-red-team
+      name: Disable System Restore Through Registry
+      technique: T1490
+      atomic_guid: 66e647d1-8741-4e43-b7c1-334760c2047f