[Rule Tuning] UAC Bypass via DiskCleanup Scheduled Task Hijack (#988)

* [Rule Tuning] UAC Bypass via DiskCleanup Scheduled Task Hijack

* Update rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/08"
 
 [rule]
 author = ["Elastic"]
@@ -22,9 +22,11 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-process where event.type in ("start", "process_started") and
-process.args:"/autoclean" and process.args:"/d" and
-not process.executable : ("C:\\Windows\\System32\\cleanmgr.exe", "C:\\Windows\\SysWOW64\\cleanmgr.exe")
+process where event.type == "start" and
+ process.args : "/autoclean" and process.args : "/d" and
+ not process.executable : ("C:\\Windows\\System32\\cleanmgr.exe",
+                           "C:\\Windows\\SysWOW64\\cleanmgr.exe",
+                           "C:\\Windows\\System32\\taskhostw.exe")
 '''
 
 
@@ -45,4 +47,3 @@ reference = "https://attack.mitre.org/techniques/T1548/002/"
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-