Remote Task Creation via ATSVC Named Pipe
Detects remote task creation via at.exe or API interacting with ATSVC namedpipe
Sigma rule (View on GitHub)
1title: Remote Task Creation via ATSVC Named Pipe
2id: f6de6525-4509-495a-8a82-1f8b0ed73a00
3status: test
4description: Detects remote task creation via at.exe or API interacting with ATSVC namedpipe
5references:
6 - https://web.archive.org/web/20230409194125/https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html
7author: Samir Bousseaden
8date: 2019-04-03
9modified: 2024-08-01
10tags:
11 - attack.privilege-escalation
12 - attack.execution
13 - attack.lateral-movement
14 - attack.persistence
15 - car.2013-05-004
16 - car.2015-04-001
17 - attack.t1053.002
18logsource:
19 product: windows
20 service: security
21 definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
22detection:
23 selection:
24 EventID: 5145
25 ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$
26 RelativeTargetName: atsvc
27 AccessList|contains: 'WriteData'
28 condition: selection
29falsepositives:
30 - Unknown
31level: medium
References
-
The Task Scheduler enables you to automatically perform routine tasks on a chosen computer. The Task Scheduler does this by monitoring wha...
Read More
Related rules
- Remote Task Creation via ATSVC Named Pipe - Zeek
- Remote Schedule Task Lateral Movement via ATSvc
- Remote Schedule Task Lateral Movement via ITaskSchedulerService
- Remote Schedule Task Lateral Movement via SASec
- CobaltStrike Service Installations - Security