HackTool - Default PowerSploit/Empire Scheduled Task Creation
Detects the creation of a schtask via PowerSploit or Empire Default Configuration.
Sigma rule

```yaml
title: HackTool - Default PowerSploit/Empire Scheduled Task Creation
id: 56c217c3-2de2-479b-990f-5c109ba8458f
status: test
description: Detects the creation of a schtask via PowerSploit or Empire Default Configuration.
references:
    - https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1
    - https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/powershell/persistence/userland/schtasks.py
author: Markus Neis, @Karneades
date: 2018-03-06
modified: 2023-03-03
tags:
    - attack.execution
    - attack.persistence
    - attack.privilege-escalation
    - attack.s0111
    - attack.g0022
    - attack.g0060
    - car.2013-08-001
    - attack.t1053.005
    - attack.t1059.001
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        Image|endswith: '\schtasks.exe'
        CommandLine|contains|all:
            - '/Create'
            - 'powershell.exe -NonI'
            - '/TN Updater /TR'
        CommandLine|contains:
            - '/SC ONLOGON'
            - '/SC DAILY /ST'
            - '/SC ONIDLE'
            - '/SC HOURLY'
    condition: selection
falsepositives:
    - Unlikely
level: high
```
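The `selection` block above, evaluated by a small stand-alone matcher over constructed process_creation events; this is an added example, not code from the rule page or the SigmaHQ project, and the sample paths, task command and payload placeholder are made up.

```python
# Added example (not code from the Sigma rule page or the SigmaHQ project):
# a minimal evaluator for this rule's `selection` block, run over constructed
# Windows process_creation events. Sigma string modifiers (endswith, contains)
# are case-insensitive, so all comparisons are done on lower-cased values.

SELECTION = {
    "parent_suffixes": ("\\powershell.exe", "\\pwsh.exe"),  # ParentImage|endswith
    "image_suffix": "\\schtasks.exe",                        # Image|endswith
    "cmd_all": ("/Create", "powershell.exe -NonI", "/TN Updater /TR"),  # contains|all
    "cmd_any": ("/SC ONLOGON", "/SC DAILY /ST", "/SC ONIDLE", "/SC HOURLY"),  # contains
}

def matches(event: dict) -> bool:
    """True when every clause of `selection` holds for the event (condition: selection)."""
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    if not parent.endswith(tuple(s.lower() for s in SELECTION["parent_suffixes"])):
        return False
    if not image.endswith(SELECTION["image_suffix"].lower()):
        return False
    if not all(s.lower() in cmd for s in SELECTION["cmd_all"]):
        return False
    # The four schedule strings are a plain list, so any one of them suffices.
    return any(s.lower() in cmd for s in SELECTION["cmd_any"])

def matching_indexes(events: list) -> list:
    """Indexes of the events the rule would fire on."""
    return [i for i, e in enumerate(events) if matches(e)]

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\System32\schtasks.exe"
TASK_CMD = ('schtasks.exe /Create /F /SC DAILY /ST 09:00 /TN Updater '
            '/TR "powershell.exe -NonI -W hidden -c <PAYLOAD-PLACEHOLDER>"')

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    # 0: default PowerSploit/Empire task layout spawned from PowerShell -> fires
    {"ParentImage": PS, "Image": SCHTASKS, "CommandLine": TASK_CMD},
    # 1: same command with different casing -> still fires (case-insensitive match)
    {"ParentImage": PS.upper(), "Image": SCHTASKS, "CommandLine": TASK_CMD.upper()},
    # 2: ordinary task with another name and no PowerShell payload -> no match
    {"ParentImage": PS, "Image": SCHTASKS,
     "CommandLine": "schtasks.exe /Create /SC DAILY /ST 02:00 /TN Backup /TR backup.exe"},
    # 3: identical command, but the parent is cmd.exe -> no match
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": SCHTASKS, "CommandLine": TASK_CMD},
]
```

`matching_indexes(SAMPLE_EVENTS)` returns `[0, 1]`; event 3 shows that the `ParentImage` clause, not just the command line, is what ties the rule to PowerShell-driven task creation.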
Related rules
- Scheduled Task Creation Via Schtasks.EXE
- HackTool - CrackMapExec Execution
- Important Scheduled Task Deleted/Disabled
- Kapeka Backdoor Scheduled Task Creation
- Potential Persistence Via Powershell Search Order Hijacking - Task