Diamond Sleet APT Scheduled Task Creation - Registry
Detects a registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of the TeamCity CVE-2023-42793 vulnerability
Sigma rule
title: Diamond Sleet APT Scheduled Task Creation - Registry
id: 9f9f92ba-5300-43a4-b435-87d1ee571688
status: test
description: |
    Detects a registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of the TeamCity CVE-2023-42793 vulnerability
references:
    - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-10-24
tags:
    - attack.defense-evasion
    - attack.t1562
    - detection.emerging-threats
logsource:
    product: windows
    category: registry_event
detection:
    selection:
        TargetObject|contains|all:
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\'
            - 'Windows TeamCity Settings User Interface'
    condition: selection
falsepositives:
    - Unknown
level: high
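To show what the rule's `TargetObject|contains|all` selection actually fires on, the following added example (not part of the Sigma rule or the sigma project) evaluates that selection over a handful of constructed Sysmon-style registry events: a benign Task Scheduler key create, a SetValue under the Diamond Sleet task name, a write to the parallel `TaskCache\Tasks\{GUID}` key, and a lower-cased variant of the task name. Only the two match strings are taken from the rule; the event records, images and GUID are constructed, and Sigma's case-insensitive string matching is reproduced by lower-casing both sides.

```python
from dataclasses import dataclass
from typing import List, Optional

# The two substrings from the rule's selection. Sigma string modifiers match
# case-insensitively, so the comparison below lower-cases both sides.
SELECTION_CONTAINS_ALL = (
    "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\",
    "Windows TeamCity Settings User Interface",
)


@dataclass(frozen=True)
class RegistryEvent:
    """Minimal Sysmon registry event: 12 = key create/delete, 13 = value set."""
    event_id: int
    image: str
    target_object: str


# Constructed sample events for illustration; the GUID and benign task are made up.
# Note that Image is svchost.exe in every record: the Task Scheduler service writes
# TaskCache on behalf of whoever registered the task, so the rule cannot key on Image.
SAMPLE_EVENTS: List[RegistryEvent] = [
    RegistryEvent(12, "C:\\Windows\\System32\\svchost.exe",
                  "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"),
    RegistryEvent(13, "C:\\Windows\\System32\\svchost.exe",
                  "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\Windows TeamCity Settings User Interface\\Id"),
    RegistryEvent(13, "C:\\Windows\\System32\\svchost.exe",
                  "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{B8C4D7A1-2E3F-4A5B-9C6D-7E8F9A0B1C2D}\\Path"),
    RegistryEvent(13, "C:\\Windows\\System32\\svchost.exe",
                  "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\windows teamcity settings user interface\\Index"),
]


def matches_selection(target_object: str) -> bool:
    """True when every string of the contains|all list appears in TargetObject."""
    haystack = target_object.lower()
    return all(needle.lower() in haystack for needle in SELECTION_CONTAINS_ALL)


def run_rule(events: List[RegistryEvent]) -> List[RegistryEvent]:
    """condition: selection -- every event whose TargetObject satisfies the selection."""
    return [event for event in events if matches_selection(event.target_object)]


def task_path_from_event(event: RegistryEvent) -> Optional[str]:
    """Recover the task path under TaskCache\\Tree for triage.

    For SetValue events (13) the final path element is the value name
    (e.g. Id, Index), not part of the task path, so it is stripped.
    """
    marker = "\\tree\\"
    idx = event.target_object.lower().find(marker)
    if idx < 0:
        return None
    rest = event.target_object[idx + len(marker):]
    if event.event_id == 13:
        rest = rest.rsplit("\\", 1)[0]
    return rest


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(f"EventID={hit.event_id} task={task_path_from_event(hit)!r}")
```

Two points the run makes concrete: the write to `TaskCache\Tasks\{GUID}\Path` is not caught even though that value's data carries the task name, because the rule inspects only `TargetObject`, and the mixed-case variant still matches because Sigma's `contains` is case-insensitive. Because the writing process is always the Task Scheduler service host, an alert from this rule is best pivoted to process-creation telemetry around the same time (for example a task registration spawned by the TeamCity server process) rather than to the registry event's own `Image`.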
Related rules
- Diamond Sleet APT DLL Sideloading Indicators
- Injected Browser Process Spawning Rundll32 - GuLoader Activity
- Lazarus APT DLL Sideloading Activity
- APT PRIVATELOG Image Load Pattern
- APT27 - Emissary Panda Activity