From 0f7b29918c2e7f4374b65ffa207ec040758de13d Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Mon, 15 Aug 2022 21:50:23 +0200
Subject: [PATCH] [Rule Tuning] Suspicious Execution via Scheduled Task (#2235)

Excluding`?:\\ProgramData` and few other noisy FP pattern by process.args + name to reduce users alert fatigue.
---
 .../persistence_suspicious_scheduled_task_runtime.toml | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/rules/windows/persistence_suspicious_scheduled_task_runtime.toml b/rules/windows/persistence_suspicious_scheduled_task_runtime.toml
index d12fbd6dc..757184991 100644
--- a/rules/windows/persistence_suspicious_scheduled_task_runtime.toml
+++ b/rules/windows/persistence_suspicious_scheduled_task_runtime.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/19"
 maturity = "production"
-updated_date = "2022/03/31"
+updated_date = "2022/08/09"
 
 [rule]
 author = ["Elastic"]
@@ -56,7 +56,12 @@ process where event.type == "start" and
 "C:\\PerfLogs\\*",
 "C:\\Intel\\*",
 "C:\\Windows\\Debug\\*",
- "C:\\HP\\*")
+ "C:\\HP\\*") and
+
+ not (process.name : "cmd.exe" and process.args : "?:\\*.bat" and process.working_directory : "?:\\Windows\\System32\\") and
+ not (process.name : "cscript.exe" and process.args : "?:\\Windows\\system32\\calluxxprovider.vbs") and
+ not (process.name : "powershell.exe" and process.args : ("-File", "-PSConsoleFile") and user.id : "S-1-5-18") and
+ not (process.name : "msiexec.exe" and user.id : "S-1-5-18")
 '''
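Review bot: The last added exclusion, `not (process.name : "msiexec.exe" and user.id : "S-1-5-18")`, is keyed on process name and SYSTEM SID alone, so any task-launched msiexec running as SYSTEM is dropped regardless of its arguments or package path, which is a much broader carve-out than the cmd.exe and cscript.exe lines above it that also pin process.args or process.working_directory. The powershell.exe line has the same shape: `-File` as SYSTEM is excluded for any script path. If the noisy cases come from a known installer or script location, anchoring each on it would keep the tuning narrow, e.g. `not (process.name : "msiexec.exe" and user.id : "S-1-5-18" and process.args : "<expected package path pattern>")` (placeholder to be filled from the observed false positives); otherwise the accepted coverage gap is worth recording in the rule's note or description. The commit description mentions excluding `?:\\ProgramData`, but no line in the visible hunk references that path, so either the description or the hunk may be out of sync. The enclosing EQL query begins before this hunk, and the hunk's trailing context after `'''` is cut off here.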