Remote Task Creation via ATSVC Named Pipe
Detects remote task creation via at.exe or API interacting with ATSVC namedpipe
Sigma rule (View on GitHub)
1title: Remote Task Creation via ATSVC Named Pipe
2id: f6de6525-4509-495a-8a82-1f8b0ed73a00
3status: test
4description: Detects remote task creation via at.exe or API interacting with ATSVC namedpipe
5references:
6 - https://web.archive.org/web/20230409194125/https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html
7author: Samir Bousseaden
8date: 2019-04-03
9modified: 2024-08-01
10tags:
11 - attack.lateral-movement
12 - attack.persistence
13 - car.2013-05-004
14 - car.2015-04-001
15 - attack.t1053.002
16logsource:
17 product: windows
18 service: security
19 definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
20detection:
21 selection:
22 EventID: 5145
23 ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$
24 RelativeTargetName: atsvc
25 AccessList|contains: 'WriteData'
26 condition: selection
27falsepositives:
28 - Unknown
29level: medium
References
-
The Task Scheduler enables you to automatically perform routine tasks on a chosen computer. The Task Scheduler does this by monitoring wha...
Read More
Related rules
- Remote Task Creation via ATSVC Named Pipe - Zeek
- OpenCanary - SSH Login Attempt
- OpenCanary - SSH New Connection Attempt
- PSEXEC Remote Execution File Artefact
- Password Provided In Command Line Of Net.EXE