Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor - Task Scheduler

calendar Jan 30, 2025 · attack.persistence detection.emerging-threats  ·
Share on: linkedin copy

Hunts for known SVR-specific scheduled task names

Sigma rule (View on GitHub)

 1title: Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor - Task Scheduler
 2id: 2bfc1373-0220-4fbd-8b10-33ddafd2a142
 3related:
 4    - id: 8fa65166-f463-4fd2-ad4f-1436133c52e1 # Security-Audting Eventlog
 5      type: similar
 6status: test
 7description: Hunts for known SVR-specific scheduled task names
 8author: CISA
 9references:
10    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
11date: 2023-12-18
12tags:
13    - attack.persistence
14    - detection.emerging-threats
15logsource:
16    product: windows
17    service: taskscheduler
18    definition: 'Requirements: The "Microsoft-Windows-TaskScheduler/Operational" is disabled by default and needs to be enabled in order for this detection to trigger'
19detection:
20    selection:
21        EventID:
22            - 129 # Task Created
23            - 140 # Task Updated
24            - 141 # Task Deleted
25        TaskName:
26            - '\defender'
27            - '\Microsoft\DefenderService'
28            - '\Microsoft\Windows\Application Experience\StartupAppTaskCheck'
29            - '\Microsoft\Windows\Application Experience\StartupAppTaskCkeck'
30            - '\Microsoft\Windows\ATPUpd'
31            - '\Microsoft\Windows\Data Integrity Scan\Data Integrity Update'
32            - '\Microsoft\Windows\DefenderUPDService'
33            - '\Microsoft\Windows\IISUpdateService'
34            - '\Microsoft\Windows\Speech\SpeechModelInstallTask'
35            - '\Microsoft\Windows\WiMSDFS'
36            - '\Microsoft\Windows\Windows Defender\Defender Update Service'
37            - '\Microsoft\Windows\Windows Defender\Service Update'
38            - '\Microsoft\Windows\Windows Error Reporting\CheckReporting'
39            - '\Microsoft\Windows\Windows Error Reporting\SubmitReporting'
40            - '\Microsoft\Windows\Windows Filtering Platform\BfeOnServiceStart'
41            - '\Microsoft\Windows\WindowsDefenderService'
42            - '\Microsoft\Windows\WindowsDefenderService2'
43            - '\Microsoft\Windows\WindowsUpdate\Scheduled AutoCheck'
44            - '\Microsoft\Windows\WindowsUpdate\Scheduled Check'
45            - '\WindowUpdate'
46    condition: selection
47falsepositives:
48    - Unknown
49level: high

References

Related rules

to-top