[Rule Tuning] Persistence via TelemetryController Scheduled Task Hijack (#655)

* [Rule Tuning] Persistence via TelemetryController Scheduled Task Hijack

* ecs_version

rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml

@@ -25,8 +25,8 @@ type = "query"
 
 query = '''
 event.category:process and event.type:(start or process_started) and
-  process.parent.name:(CompatTelRunner.exe or compattelrunner.exe) and
-  not process.name:(conhost.exe or DeviceCensus.exe or devicecensus.exe or CompatTelRunner.exe or compattelrunner.exe or DismHost.exe or dismhost.exe or rundll32.exe)
+  process.parent.name:(CompatTelRunner.exe or compattelrunner.exe) and process.args:-cv* and
+  not process.name:(conhost.exe or DeviceCensus.exe or devicecensus.exe or CompatTelRunner.exe or compattelrunner.exe or DismHost.exe or dismhost.exe or rundll32.exe or powershell.exe)
 '''