From 69fd6c285baa246efec8b162e000420ea972909d Mon Sep 17 00:00:00 2001
From: taylor_socfortress <111797488+taylorwalton@users.noreply.github.com>
Date: Tue, 11 Feb 2025 15:09:44 -0600
Subject: [PATCH] Update 900000-exclusion_rules.xml

---
 Exclusion Rules/900000-exclusion_rules.xml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Exclusion Rules/900000-exclusion_rules.xml b/Exclusion Rules/900000-exclusion_rules.xml
index 1c3731d..31058d2 100644
--- a/Exclusion Rules/900000-exclusion_rules.xml	
+++ b/Exclusion Rules/900000-exclusion_rules.xml	
@@ -629,10 +629,10 @@
     <description>Exceptions AD Sync.</description>
     <options>no_full_log</options>
   </rule>
-  <!-- Lower cleanmgr -->
+  <!-- Lower system things -->
   <rule id="900090" level="3">
     <if_sid>92213</if_sid>
-    <field name="win.eventdata.image" type="pcre2">(?i)^C:\\\\Windows\\\\system32\\\\cleanmgr\.exe$</field>
+    <field name="win.eventdata.image" type="pcre2">(?i)^C:\\\\Windows\\\\system32\\\\cleanmgr\.exe$|(?i)^C:\\\\Windows\\\\system32\\\\taskhostw\.exe$|(?i)^C:\\\\Windows\\\\System32\\\\sdiagnhost\.exe$</field>
     <description>Executable file dropped in folder commonly used by malware.</description>
     <options>no_full_log</options>
   </rule>