From 41dd58b151e9054c83889d2a7b1357c6e515292f Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Thu, 3 Dec 2020 22:59:46 +0100
Subject: [PATCH] [Rule Tuning] Persistence via TelemetryController Scheduled Task Hijack (#655)
* [Rule Tuning] Persistence via TelemetryController Scheduled Task Hijack
* ecs_version
---
 ...sistence_via_telemetrycontroller_scheduledtask_hijack.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
index a9599d230..ecfdc511e 100644
--- a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
+++ b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
@@ -25,8 +25,8 @@ type = "query"
 query = '''
 event.category:process and event.type:(start or process_started) and
- process.parent.name:(CompatTelRunner.exe or compattelrunner.exe) and
- not process.name:(conhost.exe or DeviceCensus.exe or devicecensus.exe or CompatTelRunner.exe or compattelrunner.exe or DismHost.exe or dismhost.exe or rundll32.exe)
+ process.parent.name:(CompatTelRunner.exe or compattelrunner.exe) and process.args:-cv* and
+ not process.name:(conhost.exe or DeviceCensus.exe or devicecensus.exe or CompatTelRunner.exe or compattelrunner.exe or DismHost.exe or dismhost.exe or rundll32.exe or powershell.exe)
 '''
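Review bot: The `powershell.exe` added to the `not process.name:(...)` exclusion on the second `+` line suppresses by image name alone, so a hijacked TelemetryController `Command` value that launches PowerShell is no longer reported even though it would satisfy the `process.args:-cv*` condition the same hunk introduces; that is the child most likely to appear in real abuse of the technique this rule is named for. If a specific legitimate PowerShell invocation under CompatTelRunner.exe motivated the exclusion, narrow it to that invocation instead of the bare name, e.g. `not (process.name:powershell.exe and process.args:<known-benign-argument-placeholder>)`, or drop it and record the known benign case in the rule's `false_positives` field so analysts can triage it. The `-cv*` wildcard is a sensible tightening if the hijacked command does inherit that argument from the scheduled task, but it makes the rule depend on `process.args` being populated by the data source, which the rule description should state. The rest of the TOML document is outside the hunk.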