Suspicious Scheduled Task Name As GUID
Detects creation of a scheduled task with a GUID like name
Sigma rule (View on GitHub)
1title: Suspicious Scheduled Task Name As GUID
2id: ff2fff64-4cd6-4a2b-ba7d-e28a30bbe66b
3status: test
4description: Detects creation of a scheduled task with a GUID like name
5references:
6 - https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/
7 - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
8author: Nasreddine Bencherchali (Nextron Systems)
9date: 2022-10-31
10tags:
11 - attack.execution
12 - attack.t1053.005
13logsource:
14 product: windows
15 category: process_creation
16detection:
17 selection_img:
18 Image|endswith: '\schtasks.exe'
19 CommandLine|contains: '/Create '
20 selection_tn:
21 CommandLine|contains:
22 # Can start with single or double quote
23 - '/TN "{'
24 - "/TN '{"
25 - "/TN {"
26 selection_end:
27 CommandLine|contains:
28 # Ending of the name to avoid possible FP in the rest of the commandline
29 - '}"'
30 - "}'"
31 - '} '
32 condition: all of selection_*
33falsepositives:
34 - Legitimate software naming their tasks as GUIDs
35level: medium
References
-
In early June 2022, we observed an intrusion where a threat actor gained initial access by exploiting the CVE-2022-30190 (Follina) vulnerability which triggered a Qbot infection chain. Qbot, also k…
Read More -
In this intrusion (from November 2021), a threat actor gained its initial foothold in the environment through the use of Qbot (a.k.a. Quakbot/Qakbot) malware. Soon after execution of the Qbot paylo…
Read More
Related rules
- HackTool - Default PowerSploit/Empire Scheduled Task Creation
- Important Scheduled Task Deleted/Disabled
- Kapeka Backdoor Scheduled Task Creation
- Operation Wocao Activity
- Operation Wocao Activity - Security