Remote Task Creation via ATSVC Named Pipe

Detects remote task creation via at.exe or API interacting with ATSVC namedpipe

Sigma rule

title: Remote Task Creation via ATSVC Named Pipe
id: f6de6525-4509-495a-8a82-1f8b0ed73a00
status: test
description: Detects remote task creation via at.exe or API interacting with ATSVC namedpipe
references:
    - https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html
author: Samir Bousseaden
date: 2019/04/03
modified: 2022/08/11
tags:
    - attack.lateral_movement
    - attack.persistence
    - car.2013-05-004
    - car.2015-04-001
    - attack.t1053.002
logsource:
    product: windows
    service: security
    definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
    selection:
        EventID: 5145
        ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$
        RelativeTargetName: atsvc
        Accesses|contains: 'WriteData'
    condition: selection
falsepositives:
    - Unknown
level: medium
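The selection above applied to constructed Security 5145 records, as an added example that is not part of the rule or of the Sigma project; field names follow the YAML, the events and the helper names are made up:

```python
# Added example, not part of the Sigma rule or project: applies the rule's
# 'selection' block to Security event 5145 records represented as dicts.
# Field names follow the YAML above; the sample events below are constructed.

def matches_atsvc_rule(event: dict) -> bool:
    r"""True when the event satisfies the rule's 'selection' block.

    Sigma string matching is case-insensitive. The YAML pattern
    '\\\\\*\\IPC$' escapes the asterisk, so it matches the literal
    share name \\*\IPC$ that Windows writes into 5145 events, not a
    wildcard over host names.
    """
    if event.get("EventID") != 5145:
        return False
    if event.get("ShareName", "").lower() != r"\\*\ipc$":
        return False
    if event.get("RelativeTargetName", "").lower() != "atsvc":
        return False
    # 'Accesses|contains' -> substring test on the access mask text
    return "writedata" in event.get("Accesses", "").lower()


def find_matches(events: list) -> list:
    """Return (IpAddress, SubjectUserName) for every matching event."""
    return [(e.get("IpAddress"), e.get("SubjectUserName"))
            for e in events if matches_atsvc_rule(e)]


# Constructed sample telemetry (not real logs). Only the first event should fire.
SAMPLE_EVENTS = [
    {"EventID": 5145, "ShareName": r"\\*\IPC$", "RelativeTargetName": "atsvc",
     "Accesses": "WriteData (or AddFile)\n\t\tAppendData (or AddSubdirectory or CreatePipeInstance)",
     "SubjectUserName": "svc-backup", "IpAddress": "10.0.0.5"},
    # Same pipe, read-only access: does not satisfy 'WriteData'
    {"EventID": 5145, "ShareName": r"\\*\IPC$", "RelativeTargetName": "atsvc",
     "Accesses": "ReadData (or ListDirectory)",
     "SubjectUserName": "jdoe", "IpAddress": "10.0.0.6"},
    # Write to a different named pipe on IPC$
    {"EventID": 5145, "ShareName": r"\\*\IPC$", "RelativeTargetName": "srvsvc",
     "Accesses": "WriteData (or AddFile)",
     "SubjectUserName": "jdoe", "IpAddress": "10.0.0.6"},
    # Write to a file named atsvc on an admin share, not the IPC$ pipe
    {"EventID": 5145, "ShareName": r"\\*\C$", "RelativeTargetName": "atsvc",
     "Accesses": "WriteData (or AddFile)",
     "SubjectUserName": "jdoe", "IpAddress": "10.0.0.6"},
]

if __name__ == "__main__":
    print(find_matches(SAMPLE_EVENTS))  # [('10.0.0.5', 'svc-backup')]
```

The three non-matching events show which single field change defeats the rule (access type, pipe name, share), which is useful when tuning the "Unknown" false positives against real telemetry.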
