Uncommon One Time Only Scheduled Task At 00:00
Detects scheduled task creation events whose action is suspicious (script hosts, WMIC, regsvr32, PowerShell, or a path under AppData) and that are scheduled to run only once, at 00:00
Sigma rule
title: Uncommon One Time Only Scheduled Task At 00:00
id: 970823b7-273b-460a-8afc-3a6811998529
status: test
description: Detects scheduled task creation events that include suspicious actions, and is run once at 00:00
references:
    - https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte
author: pH-T (Nextron Systems)
date: 2022-07-15
modified: 2023-02-03
tags:
    - attack.execution
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1053.005
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|contains: '\schtasks.exe'
        - OriginalFileName: 'schtasks.exe'
    selection_cli:
        CommandLine|contains:
            - 'wscript'
            - 'vbscript'
            - 'cscript'
            - 'wmic '
            - 'wmic.exe'
            - 'regsvr32.exe'
            - 'powershell'
            - '\AppData\'
    selection_time:
        CommandLine|contains|all:
            - 'once'
            - '00:00'
    condition: all of selection_*
falsepositives:
    - Software installation
level: high
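To see what the three selections actually fire on, here is an added Python re-implementation of the rule's detection logic (example code written for this page, not part of the SigmaHQ rule or of any Sigma backend) run over constructed process-creation events shaped like Sysmon Event ID 1 fields. It assumes Sigma's default string semantics: `contains` and field equality are case-insensitive, a list under a selection is OR'd, `|contains|all` requires every value, and `all of selection_*` ANDs the three selections. The sample command lines are invented for illustration.

```python
"""Added example: minimal model of the Sigma rule above, applied to constructed
Sysmon-style process-creation events. Not the rule's or SigmaHQ's own code."""

# Values copied from the rule's detection section.
IMAGE_CONTAINS = "\\schtasks.exe"
ORIGINAL_FILE_NAME = "schtasks.exe"
SUSPICIOUS_ACTIONS = [
    "wscript", "vbscript", "cscript", "wmic ", "wmic.exe",
    "regsvr32.exe", "powershell", "\\AppData\\",
]
ONCE_AT_MIDNIGHT = ["once", "00:00"]


def _contains(haystack: str, needle: str) -> bool:
    # Sigma string matching is case-insensitive by default (assumption of this model).
    return needle.lower() in haystack.lower()


def selection_img(event: dict) -> bool:
    # A YAML list under a selection is OR'd: either field satisfies it.
    return (_contains(event.get("Image", ""), IMAGE_CONTAINS)
            or event.get("OriginalFileName", "").lower() == ORIGINAL_FILE_NAME)


def selection_cli(event: dict) -> bool:
    # CommandLine|contains with a list: any one value is enough.
    cmd = event.get("CommandLine", "")
    return any(_contains(cmd, s) for s in SUSPICIOUS_ACTIONS)


def selection_time(event: dict) -> bool:
    # CommandLine|contains|all: every value must be present.
    cmd = event.get("CommandLine", "")
    return all(_contains(cmd, s) for s in ONCE_AT_MIDNIGHT)


def matches(event: dict) -> bool:
    # condition: all of selection_*
    return selection_img(event) and selection_cli(event) and selection_time(event)


# Constructed sample events (not real telemetry). Index comments give the
# reason each one does or does not fire.
SAMPLE_EVENTS = [
    {   # 0: renamed schtasks binary caught via OriginalFileName, PowerShell payload, once at 00:00
        "Image": "C:\\Windows\\Temp\\sch.exe",
        "OriginalFileName": "schtasks.exe",
        "CommandLine": 'sch.exe /create /tn "Update" /tr "powershell -enc AAAA" /sc once /st 00:00 /f',
    },
    {   # 1: script under AppData, upper-case ONCE still matches case-insensitively
        "Image": "C:\\Windows\\System32\\schtasks.exe",
        "OriginalFileName": "schtasks.exe",
        "CommandLine": 'schtasks.exe /Create /SC ONCE /ST 00:00 /TN "svc" /TR "C:\\Users\\bob\\AppData\\Roaming\\x.vbs"',
    },
    {   # 2: same kind of payload but a recurring schedule: selection_time fails
        "Image": "C:\\Windows\\System32\\schtasks.exe",
        "OriginalFileName": "schtasks.exe",
        "CommandLine": 'schtasks.exe /create /tn "svc" /tr "powershell -File C:\\x.ps1" /sc daily /st 03:00',
    },
    {   # 3: once at midnight but a plain executable action: selection_cli fails
        "Image": "C:\\Windows\\System32\\schtasks.exe",
        "OriginalFileName": "schtasks.exe",
        "CommandLine": 'schtasks.exe /create /tn "Backup" /tr "C:\\Tools\\backup.exe" /sc once /st 00:00',
    },
    {   # 4: keywords present but the process is not schtasks: selection_img fails
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": "cmd.exe /c echo once 00:00 powershell",
    },
]


def run_rule(events: list) -> list:
    """Return the 0-based indexes of the events the rule fires on."""
    return [i for i, ev in enumerate(events) if matches(ev)]


if __name__ == "__main__":
    for i in run_rule(SAMPLE_EVENTS):
        print("ALERT:", SAMPLE_EVENTS[i]["CommandLine"])
```

Running it alerts on events 0 and 1 only. Event 3 is the shape of the listed false positive (an installer registering a one-off task at midnight) and shows that the rule depends on the action string, not the schedule alone; event 2 shows that an identical PowerShell payload on a recurring schedule is outside this rule's scope and needs a broader schtasks rule such as "Suspicious Scheduled Task Creation".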
Related rules
- HackTool - Default PowerSploit/Empire Scheduled Task Creation
- Important Scheduled Task Deleted/Disabled
- Kapeka Backdoor Scheduled Task Creation
- Scheduled Task Creation Via Schtasks.EXE
- Suspicious Scheduled Task Creation