diff --git a/rules/apt/apt_chafer_mar18.yml b/rules/apt/apt_chafer_mar18.yml
index 1ca41150a58..b32cc410453 100755
--- a/rules/apt/apt_chafer_mar18.yml
+++ b/rules/apt/apt_chafer_mar18.yml
@@ -5,8 +5,14 @@ description: Detects Chafer activity attributed to OilRig as reported in Nyotron
 references:
     - https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
 tags:
+    - attack.persistence
     - attack.g0049
+    - attack.t1053
+    - attack.s0111
+    - attack.defense_evasion
+    - attack.t1112
 date: 2018/03/23
+modified: 2019/03/01
 author: Florian Roth, Markus Neis
 detection:
     condition: 1 of them
@@ -24,6 +30,16 @@ detection:
             - 'SC Scheduled Scan'
             - 'UpdatMachine'
 ---
+logsource:
+    product: windows
+    service: security
+detection:
+    selection_service:
+        EventID: 4698
+        TaskName:
+            - 'SC Scheduled Scan'
+            - 'UpdatMachine'
+---
 logsource:
     product: windows
     service: sysmon
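Review bot: The new Security-log selection matches `TaskName` exactly against `'SC Scheduled Scan'` and `'UpdatMachine'`, but in event 4698 the TaskName field carries the task's path (a root-level task is logged as `\SC Scheduled Scan`), so an exact match is likely to miss the very events this selection was added for. Switching the key to a suffix match, `TaskName|endswith:` with the same two values, keeps the intent and tolerates the leading backslash and any folder prefix. The rule also relies on the inherited global `condition: 1 of them`, and 4698 is only emitted when the "Audit Other Object Access Events" subcategory is enabled, so a short note under `description` or a `falsepositives`/`level` caveat stating that prerequisite would help whoever deploys this. The attribution to a full-path TaskName is from documented 4698 event structure rather than anything visible in the hunk, so it is worth confirming against a sample event before merging.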