OilRig APT Schedule Task Persistence - Security

Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report

Sigma rule (View on GitHub)

 1title: OilRig APT Schedule Task Persistence - Security
 2id: c0580559-a6bd-4ef6-b9b7-83703d98b561
 3related:
 4    - id: 53ba33fd-3a50-4468-a5ef-c583635cfa92 # System
 5      type: similar
 6    - id: 7bdf2a7c-3acc-4091-9581-0a77dad1c5b5 # Registry
 7      type: similar
 8    - id: ce6e34ca-966d-41c9-8d93-5b06c8b97a06 # ProcessCreation
 9      type: similar
10status: test
11description: Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report
12references:
13    - https://web.archive.org/web/20180402134442/https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018C.pdf
14author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
15date: 2018-03-23
16modified: 2023-03-08
17tags:
18    - attack.persistence
19    - attack.g0049
20    - attack.t1053.005
21    - attack.s0111
22    - attack.t1543.003
23    - attack.defense-evasion
24    - attack.t1112
25    - attack.command-and-control
26    - attack.t1071.004
27    - detection.emerging-threats
28logsource:
29    product: windows
30    service: security
31detection:
32    selection_service:
33        EventID: 4698
34        TaskName:
35            - 'SC Scheduled Scan'
36            - 'UpdatMachine'
37    condition: selection_service
38falsepositives:
39    - Unlikely
40level: critical

References

Related rules

to-top