From f6026b697272bafe75b37caa5d2e08678838287c Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 2 Sep 2022 14:39:52 +0200
Subject: [PATCH] Update proc_creation_win_susp_schtasks_disable.yml
---
 .../proc_creation_win_susp_schtasks_disable.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_susp_schtasks_disable.yml b/rules/windows/process_creation/proc_creation_win_susp_schtasks_disable.yml
index 58b736101..bd735578c 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_schtasks_disable.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_schtasks_disable.yml
@@ -2,13 +2,13 @@ title: Disable Important Scheduled Task
 id: 9ac94dc8-9042-493c-ba45-3b5e7c86b980
 status: experimental
 description: Adversaries may stop services or processes in order to conduct Data Destruction or Data Encrypted for Impact on the data stores of services like Exchange, SQL Server...etc.
-author: frack113
+author: frack113, Nasreddine Bencherchali
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task
 - https://twitter.com/MichalKoczwara/status/1553634816016498688
 - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
 date: 2021/12/26
-modified: 2022/08/01
+modified: 2022/09/02
 logsource:
 category: process_creation
 product: windows
@@ -24,6 +24,9 @@ detection:
 - 'Microsoft\Windows\SystemRestore\SR'
 - 'Microsoft\Windows\Windows Defender\'
 - 'Microsoft\Windows\BitLocker'
+ - 'Microsoft\Windows\WindowsBackup\'
+ - 'Microsoft\Windows\WindowsUpdate\'
+ - 'Microsoft\Windows\UpdateOrchestrator\'
 - 'Windows\ExploitGuard'
 condition: all of schtasks_*
 falsepositives:
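Review bot: The three task paths added in the second hunk — `Microsoft\Windows\WindowsBackup\`, `Microsoft\Windows\WindowsUpdate\` and `Microsoft\Windows\UpdateOrchestrator\` — are also disabled by routine administration (patch-management or imaging scripts, admins suppressing update-related tasks), so the `falsepositives:` section, whose entries begin right after the hunk's last line and are outside it, should name that case; something like `- Administrative scripts disabling Windows Update or backup tasks as part of patch management`, wording to be aligned with the existing entries. The commit adds no reference documenting abuse of these specific tasks while the references list in the first hunk is unchanged; a pointer to the case that motivated them would help analysts triage hits on the new strings. Minor style point: the new entries carry a trailing backslash (folder-level match) while the neighbouring `Microsoft\Windows\BitLocker` does not — presumably harmless under a contains-style match, but the modifier is defined outside the hunk and is worth confirming.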