diff --git a/rules/windows/persistence_suspicious_scheduled_task_runtime.toml b/rules/windows/persistence_suspicious_scheduled_task_runtime.toml
index d12fbd6dc..757184991 100644
--- a/rules/windows/persistence_suspicious_scheduled_task_runtime.toml
+++ b/rules/windows/persistence_suspicious_scheduled_task_runtime.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/19"
 maturity = "production"
-updated_date = "2022/03/31"
+updated_date = "2022/08/09"
 
 [rule]
 author = ["Elastic"]
@@ -56,7 +56,12 @@ process where event.type == "start" and
     "C:\\PerfLogs\\*",
     "C:\\Intel\\*",
     "C:\\Windows\\Debug\\*",
-    "C:\\HP\\*")
+    "C:\\HP\\*") and
+
+    not (process.name : "cmd.exe" and process.args : "?:\\*.bat" and process.working_directory : "?:\\Windows\\System32\\") and
+    not (process.name : "cscript.exe" and process.args : "?:\\Windows\\system32\\calluxxprovider.vbs") and
+    not (process.name : "powershell.exe" and process.args : ("-File", "-PSConsoleFile") and user.id : "S-1-5-18") and
+    not (process.name : "msiexec.exe" and user.id : "S-1-5-18")
 '''
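Review bot: The new cmd.exe exclusion (`not (process.name : "cmd.exe" and process.args : "?:\\*.bat" and process.working_directory : "?:\\Windows\\System32\\")`) keys on the `.bat` extension and a System32 working directory rather than on where the script lives, so `?:\\*.bat` also matches batch files under the directories the rule's path list is meant to flag (its tail, `C:\\PerfLogs`, `C:\\Intel`, `C:\\Windows\\Debug`, `C:\\HP`, is visible at the top of the hunk), and a System32 working directory is what a scheduled task commonly gets when no start-in folder is set, so this exclusion is likely to suppress the very cases the rule targets. The msiexec.exe and powershell.exe `-File` exclusions have the same shape: they are gated only on `user.id : "S-1-5-18"`, not on the package or script path. Consider scoping each exclusion to the location it is meant to allow, e.g. `process.args : ("?:\\Windows\\*.bat", "?:\\Program Files*\\*.bat")` on the cmd.exe line and an analogous path condition on the msiexec.exe and powershell.exe lines, and note in the rule file which benign tasks each exclusion was added for so it can be revisited. The query block begins before the hunk (line 56 is mid-query), so the field the path list is applied to is not visible here, and the hunk's line counts suggest trailing context beyond the visible text.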