Diamond Sleet APT Scheduled Task Creation - Registry

Detects a registry event tied to the creation of the scheduled task named "Windows TeamCity Settings User Interface", which Microsoft observed Diamond Sleet (a North Korean APT) creating after exploiting the TeamCity vulnerability CVE-2023-42793. The rule matches on the task's key under the Task Scheduler registry cache (TaskCache\Tree).

Sigma rule

title: Diamond Sleet APT Scheduled Task Creation - Registry
id: 9f9f92ba-5300-43a4-b435-87d1ee571688
status: experimental
description: |
        Detects registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of Team City CVE-2023-42793 vulnerability
references:
    - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/10/24
tags:
    - attack.defense_evasion
    - attack.t1562
    - detection.emerging_threats
logsource:
    product: windows
    category: registry_event
detection:
    selection:
        TargetObject|contains|all:
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\'
            - 'Windows TeamCity Settings User Interface'
    condition: selection
falsepositives:
    - Unknown
level: high
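To make the matching semantics of the rule's `TargetObject|contains|all` selection concrete, here is an added example that evaluates that selection over a handful of constructed Sysmon-style registry events. It is not part of the Sigma rule or the SigmaHQ project; the event dictionaries, the svchost.exe image path and the all-zero task GUID are made up for illustration, and the evaluator implements only the modifier chain this rule uses.

```python
"""Added example (not from the Sigma rule or the SigmaHQ project): a minimal
evaluator for this rule's `TargetObject|contains|all` selection, run over
constructed Sysmon registry events so the matching behaviour is visible."""

from typing import Dict, List

# The selection block copied from the rule above. Both substrings must be present.
SELECTION: Dict[str, List[str]] = {
    "TargetObject|contains|all": [
        "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\",
        "Windows TeamCity Settings User Interface",
    ]
}

# Sysmon logs the hive prefix, so a real TargetObject starts with HKLM\...
TREE = "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\"
SVCHOST = "C:\\Windows\\System32\\svchost.exe"  # assumed image, for illustration only

# Constructed sample events in the shape Sysmon emits for registry activity
# (Event ID 12 = key create/delete, 13 = value set). Not real telemetry.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    # 0. Task key created under Tree with the name from the Microsoft report -> match
    {"EventID": 12, "EventType": "CreateKey", "Image": SVCHOST,
     "TargetObject": TREE + "Windows TeamCity Settings User Interface"},
    # 1. Value written beneath that key -> match (substring test, so subkeys count)
    {"EventID": 13, "EventType": "SetValue", "Image": SVCHOST,
     "TargetObject": TREE + "Windows TeamCity Settings User Interface\\Id"},
    # 2. Same key, different casing -> match (Sigma string matching is
    #    case-insensitive unless the `cased` modifier is used)
    {"EventID": 13, "EventType": "SetValue", "Image": SVCHOST,
     "TargetObject": TREE + "WINDOWS TEAMCITY SETTINGS USER INTERFACE\\Index"},
    # 3. Benign built-in task under Tree -> no match (task name absent)
    {"EventID": 12, "EventType": "CreateKey", "Image": SVCHOST,
     "TargetObject": TREE + "Microsoft\\Windows\\UpdateOrchestrator\\Schedule Work"},
    # 4. The TaskCache\Tasks\{GUID} branch carries the task name only in value
    #    data (Details), not in the key path, so this rule does not see it -> no match
    {"EventID": 13, "EventType": "SetValue", "Image": SVCHOST,
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule"
                     "\\TaskCache\\Tasks\\{00000000-0000-0000-0000-000000000000}\\Path",
     "Details": "\\Windows TeamCity Settings User Interface"},
]


def contains_all(value: str, needles: List[str]) -> bool:
    """Sigma `contains|all`: every listed substring must occur, case-insensitively."""
    haystack = value.lower()
    return all(n.lower() in haystack for n in needles)


def rule_matches(event: Dict[str, object],
                 selection: Dict[str, List[str]] = SELECTION) -> bool:
    """Evaluate `condition: selection` for one event (only this rule's modifiers)."""
    for key, needles in selection.items():
        field, *modifiers = key.split("|")
        value = event.get(field)
        if not isinstance(value, str):
            return False  # a missing or non-string field never matches
        if modifiers == ["contains", "all"]:
            if not contains_all(value, needles):
                return False
        else:
            raise NotImplementedError(f"modifier chain {modifiers} not handled here")
    return True


def run_detection(events: List[Dict[str, object]]) -> List[int]:
    """Return the indexes of the events that trigger the rule."""
    return [i for i, e in enumerate(events) if rule_matches(e)]


if __name__ == "__main__":
    for i in run_detection(SAMPLE_EVENTS):
        print(f"ALERT event {i}: {SAMPLE_EVENTS[i]['TargetObject']}")
```

Two practical caveats follow from the sample events. First, the rule only fires if your Sysmon configuration actually records registry events under TaskCache\Tree; check the RegistryEvent section of the config before relying on it. Second, the match is on the key path, so the parallel TaskCache\Tasks\{GUID} entries (event 4 above) and the Security log's scheduled task creation events are outside this rule's scope and need their own coverage.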
