Diamond Sleet APT Scheduled Task Creation - Registry

Detects registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of Team City CVE-2023-42793 vulnerability

Sigma rule (View on GitHub)

 1title: Diamond Sleet APT Scheduled Task Creation - Registry
 2id: 9f9f92ba-5300-43a4-b435-87d1ee571688
 3status: test
 4description: |
 5        Detects registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of Team City CVE-2023-42793 vulnerability
 6references:
 7    - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
 8author: Nasreddine Bencherchali (Nextron Systems)
 9date: 2023-10-24
10tags:
11    - attack.defense-evasion
12    - attack.t1562
13    - detection.emerging-threats
14logsource:
15    product: windows
16    category: registry_event
17detection:
18    selection:
19        TargetObject|contains|all:
20            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\'
21            - 'Windows TeamCity Settings User Interface'
22    condition: selection
23falsepositives:
24    - Unknown
25level: high

References

Related rules

to-top