Update proc_creation_win_susp_schtasks_disable.yml

rules/windows/process_creation/proc_creation_win_susp_schtasks_disable.yml

@@ -2,13 +2,13 @@ title: Disable Important Scheduled Task
 id: 9ac94dc8-9042-493c-ba45-3b5e7c86b980
 status: experimental
 description: Adversaries may stop services or processes in order to conduct Data Destruction or Data Encrypted for Impact on the data stores of services like Exchange, SQL Server...etc.
-author: frack113
+author: frack113, Nasreddine Bencherchali
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task
     - https://twitter.com/MichalKoczwara/status/1553634816016498688
     - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
 date: 2021/12/26
-modified: 2022/08/01
+modified: 2022/09/02
 logsource:
     category: process_creation
     product: windows
@@ -24,6 +24,9 @@ detection:
             - 'Microsoft\Windows\SystemRestore\SR'
             - 'Microsoft\Windows\Windows Defender\'
             - 'Microsoft\Windows\BitLocker'
+            - 'Microsoft\Windows\WindowsBackup\'
+            - 'Microsoft\Windows\WindowsUpdate\'
+            - 'Microsoft\Windows\UpdateOrchestrator\'
             - 'Windows\ExploitGuard'
     condition: all of schtasks_*
 falsepositives: