Update persistence_suspicious_scheduled_task_runtime.toml

Samirbous · Samirbous · commit 333b7fed2034 · 2025-12-11T17:08:07.000Z
diff --git a/rules/windows/persistence_suspicious_scheduled_task_runtime.toml b/rules/windows/persistence_suspicious_scheduled_task_runtime.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/19"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/08/26"
+updated_date = "2025/12/11"
 
 [rule]
 author = ["Elastic"]
@@ -102,17 +102,21 @@ process where host.os.type == "windows" and event.type == "start" and
        "C:\\Windows\\Debug\\*",
        "C:\\HP\\*") and
 
-    not (process.name : "cmd.exe" and process.args : "?:\\*.bat" and process.working_directory : "?:\\Windows\\System32\\") and
+    not (process.name : "cmd.exe" and process.args : ("*.bat", "*.cmd")) and
     not (process.name : "cscript.exe" and process.args : "?:\\Windows\\system32\\calluxxprovider.vbs") and
     not (
        process.name : "powershell.exe" and
        process.args : (
            "-File", "-PSConsoleFile",
            "C:\\ProgramData\\Microsoft\\AutopatchSetupScheduled\\SetupAutopatchClientV2Package.ps1",
-           "C:\\ProgramData\\Microsoft\\AutopatchSetupScheduled\\SetupAutopatchClientPackage.ps1"                
+           "C:\\ProgramData\\Microsoft\\AutopatchSetupScheduled\\SetupAutopatchClientPackage.ps1",
+           "C:\\Windows\\Temp\\MSS\\MDESetup\\Invoke-MDESetup.ps1"
        ) and user.id : "S-1-5-18"
     ) and
-    not (process.name : "msiexec.exe" and user.id : "S-1-5-18")
+    not (process.name : "msiexec.exe" and user.id : "S-1-5-18") and
+    not (process.name : "powershell.exe" and
+         process.command_line : ("C:\\ProgramData\\ElasticAgent-HealthCheck.ps1",
+                                 "C:\\ProgramData\\ssh\\puttysetup.ps1"))
 '''
 
 
