Suspicious Scheduled Task Creation Involving Temp Folder

 1title: Suspicious Scheduled Task Creation Involving Temp Folder
 2id: 39019a4e-317f-4ce3-ae63-309a8c6b53c5
 3status: test
 4description: Detects the creation of scheduled tasks that involves a temporary folder and runs only once
 5references:
 6    - https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3
 7author: Florian Roth (Nextron Systems)
 8date: 2021/03/11
 9modified: 2022/10/09
10tags:
11    - attack.execution
12    - attack.persistence
13    - attack.t1053.005
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection:
19        Image|endswith: '\schtasks.exe'
20        CommandLine|contains|all:
21            - ' /create '
22            - ' /sc once '
23            - '\Temp\'
24    condition: selection
25fields:
26    - CommandLine
27    - ParentCommandLine
28falsepositives:
29    - Administrative activity
30    - Software installation
31level: high

References

• Detection and Response for HAFNIUM Activity

  

  Update - Detection and Response for HAFNIUM Activity Executive summary Elastic Security Intelligence & Analytics has identified additional behaviors related to or inspired by HAFNIUM activity, as outlined in the prior post. This update contains additional post-exploitation details observed in Elastic telemetry indicating successful exploitation of recently-disclosed Microsoft Exchange vulnerabilities. While the details of this activity may resemble that attributed to the HAFNIUM threat group, we...

  
  Read More

Related rules

• Scheduled task executing powershell encoded payload from registry
• Windows Scheduled Task Behaving Improperly or Suspiciously
• Windows Scheduled Task Create Shell
• Windows Scheduled Task Making Suspicious Network Connection
• Scheduled task executing powershell encoded payload from registry