From 8f56b7de5ea08aac6ecb53d1823ca050ee887fc0 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Tue, 15 Oct 2024 14:06:35 +0100
Subject: [PATCH] Update privilege_escalation_gpo_schtask_service_creation.toml (#4152)

---
 .../privilege_escalation_gpo_schtask_service_creation.toml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml b/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml
index cb729dc75..6b5b7bb7e 100644
--- a/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml
+++ b/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/13"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
+updated_date = "2024/10/14"
 min_stack_version = "8.13.0"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
@@ -37,12 +37,13 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-file where host.os.type == "windows" and event.type != "deletion" and file.name : "ScheduledTasks.xml" and
+file where host.os.type == "windows" and event.type != "deletion" and event.action != "open" and
+ file.name : ("ScheduledTasks.xml", "Services.xml") and
 file.path : (
 "?:\\Windows\\SYSVOL\\domain\\Policies\\*\\MACHINE\\Preferences\\ScheduledTasks\\ScheduledTasks.xml",
 "?:\\Windows\\SYSVOL\\domain\\Policies\\*\\MACHINE\\Preferences\\Services\\Services.xml"
 ) and
- not process.name : "dfsrs.exe"
+ not process.executable : "C:\\Windows\\System32\\dfsrs.exe"
 '''