Potential ACTINIUM Persistence Activity

Oct 23, 2025 · attack.privilege-escalation attack.execution attack.persistence attack.t1053 attack.t1053.005 detection.emerging-threats ·

Share on:

Detects specific process parameters as used by ACTINIUM scheduled task persistence creation.

Sigma rule (View on GitHub)

 1title: Potential ACTINIUM Persistence Activity
 2id: e1118a8f-82f5-44b3-bb6b-8a284e5df602
 3status: test
 4description: Detects specific process parameters as used by ACTINIUM scheduled task persistence creation.
 5references:
 6    - https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations
 7author: Andreas Hunkeler (@Karneades)
 8date: 2022-02-07
 9modified: 2023-03-18
10tags:
11    - attack.privilege-escalation
12    - attack.execution
13    - attack.persistence
14    - attack.t1053
15    - attack.t1053.005
16    - detection.emerging-threats
17logsource:
18    category: process_creation
19    product: windows
20detection:
21    selection:
22        CommandLine|contains|all:
23            - 'schtasks'
24            - 'create'
25            - 'wscript'
26            - ' /e:vbscript'
27    condition: selection
28falsepositives:
29    - Unlikely
30level: high

References

https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations

Read More

Potential ACTINIUM Persistence Activity

Sigma rule (View on GitHub)

References

https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations

Related rules