diff --git a/rules/windows/sysmon/sysmon_win10_sched_task_0day.yml b/rules/windows/sysmon/sysmon_win10_sched_task_0day.yml
index 4020b0978..563b3ad40 100644
--- a/rules/windows/sysmon/sysmon_win10_sched_task_0day.yml
+++ b/rules/windows/sysmon/sysmon_win10_sched_task_0day.yml
@@ -11,7 +11,7 @@ logsource:
 detection:
     selection:
         Image: 'schtasks.exe'
-        CommandLine: '*/change*/TN*/RU*'
+        CommandLine: '*/change*/TN*/RU*/RP*'
     condition: selection
 falsepositives:
     - Unknown
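Review bot: The new `CommandLine: '*/change*/TN*/RU*/RP*'` pattern is order-dependent — it only fires when `/change`, `/TN`, `/RU` and `/RP` occur in exactly that sequence, while schtasks accepts its switches in any order, so a benign reordering of the same arguments would not match and the detection is brittle. Expressing the selection with the `contains|all` modifier keeps the added `/RP` requirement but matches each switch independently of position. Separately, the context line `Image: 'schtasks.exe'` carries no wildcard; if the backend treats a plain value as an exact match against the full Sysmon Image path this selection would never fire, so `Image|endswith: '\schtasks.exe'` is worth confirming against the rule's intended backends. The rule's `title`, `logsource` and `level` fields lie outside the hunk.
```yaml
detection:
    selection:
        # … unchanged: Image …
        CommandLine|contains|all:
            - '/change'
            - '/TN'
            - '/RU'
            - '/RP'
    condition: selection
```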