From b60cfbe244bcb40a7dad6637b4efaf2e6e5a860d Mon Sep 17 00:00:00 2001
From: Olaf Hartong <8149899+olafhartong@users.noreply.github.com>
Date: Wed, 22 May 2019 13:20:26 +0200
Subject: [PATCH] Added password flag
---
 rules/windows/sysmon/sysmon_win10_sched_task_0day.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/sysmon/sysmon_win10_sched_task_0day.yml b/rules/windows/sysmon/sysmon_win10_sched_task_0day.yml
index 4020b0978..563b3ad40 100644
--- a/rules/windows/sysmon/sysmon_win10_sched_task_0day.yml
+++ b/rules/windows/sysmon/sysmon_win10_sched_task_0day.yml
@@ -11,7 +11,7 @@ logsource:
 detection:
 selection:
 Image: 'schtasks.exe'
- CommandLine: '*/change*/TN*/RU*'
+ CommandLine: '*/change*/TN*/RU*/RP*'
 condition: selection
 falsepositives:
 - Unknown
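Review bot: The new `CommandLine` pattern still requires `/change`, `/TN`, `/RU` and `/RP` to appear in exactly that order, but schtasks.exe accepts its switches in any order, so a reordered command line would not match; matching each switch independently (for example with `CommandLine|contains|all`, if the targeted Sigma backends support value modifiers) removes that dependency. Separately, the context line `Image: 'schtasks.exe'` is an exact match, while Sysmon records the full image path, so the selection probably never matches as written. Requiring `/RP` also excludes invocations where the password is typed at the prompt instead of passed on the command line, which deserves a sentence in the rule's description. The rule header and `logsource` sit outside the hunk, so the Sysmon assumption is taken from the file path.

```yaml
detection:
    selection:
        Image|endswith: '\schtasks.exe'
        CommandLine|contains|all:
            - '/change'
            - '/TN'
            - '/RU'
            - '/RP'
    # … unchanged: condition, falsepositives …
```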