From 1cf7bb5735af721f87f6fe04a2623616e2e36edf Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Wed, 19 May 2021 10:27:20 -0300 Subject: [PATCH] Add Hex equivalent of WriteData --- rules/windows/builtin/win_GPO_scheduledtasks.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/windows/builtin/win_GPO_scheduledtasks.yml b/rules/windows/builtin/win_GPO_scheduledtasks.yml index cd9f525aa..669bcdaa5 100644 --- a/rules/windows/builtin/win_GPO_scheduledtasks.yml +++ b/rules/windows/builtin/win_GPO_scheduledtasks.yml @@ -20,7 +20,9 @@ detection: EventID: 5145 ShareName: \\*\SYSVOL RelativeTargetName|endswith: 'ScheduledTasks.xml' - Accesses|contains: 'WriteData' + Accesses|contains: + - 'WriteData' + - '%%4417' condition: selection falsepositives: - if the source IP is not localhost then it's super suspicious, better to monitor both local and remote changes to GPO scheduledtasks
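Review bot: The subject line calls `%%4417` the "Hex equivalent" of WriteData, but the value added in the `Accesses|contains` list is a decimal Windows message-table identifier (the unresolved form the Accesses field of event 5145 carries when the log is collected raw and not passed through the resource-string lookup), not a hex access-mask value; rewording the subject (e.g. "Add unresolved %%4417 form of WriteData") and placing a short YAML comment above the list that says `%%4417` resolves to `WriteData (or AddFile)` would stop future readers from treating it as a mask. The switch from a scalar to a list under `Accesses|contains` is correct: Sigma ORs the values, so either the resolved or the unresolved spelling matches, which is the intent of the change.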