Scheduled Task Executing Payload from Registry

Detects the creation of a scheduled task (via schtasks.exe) that potentially executes a payload stored in the Windows Registry using PowerShell.

Sigma rule:

```yaml
title: Scheduled Task Executing Payload from Registry
id: 86588b36-c6d3-465f-9cee-8f9093e07798
related:
    - id: c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78
      type: derived
status: test
description: Detects the creation of a schtasks that potentially executes a payload stored in the Windows Registry using PowerShell.
references:
    - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-18
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1053.005
    - attack.t1059.001
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        # schtasks.exe /Create /F /TN "{97F2F70B-10D1-4447-A2F3-9B070C86E261}" /TR "cmd /c start /min \"\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\SOFTWARE\Pvoeooxf).yzbbvhhdypa))) " /SC MINUTE /MO 30
        - Image|endswith: '\schtasks.exe'
        - OriginalFileName: 'schtasks.exe'
    selection_cli_create:
        CommandLine|contains: '/Create'
    selection_cli_get:
        CommandLine|contains:
            - 'Get-ItemProperty'
            - ' gp ' # Alias
    selection_cli_hive:
        CommandLine|contains:
            - 'HKCU:'
            - 'HKLM:'
            - 'registry::'
            - 'HKEY_'
    filter_main_encoding:
        CommandLine|contains:
            - 'FromBase64String'
            - 'encodedcommand'
    condition: all of selection_* and not 1 of filter_*
falsepositives:
    - Unknown
level: medium
```
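An added example, not code from the Sigma project or the rule authors, that implements the rule's condition in Python and runs it over constructed process_creation events; the field names and match tokens come from the rule, while the sample command lines, task names and registry paths are made up. It also shows the rule's intended gap: a base64-encoded payload like the one in the rule comment is dropped by filter_main_encoding and left to the related rule.

```python
# Added example, not part of the Sigma project: evaluates the rule logic above
# against constructed process_creation events. Sigma string matching is
# case-insensitive, so every field is lowercased before comparison.

GET_TOKENS = ("get-itemproperty", " gp ")                 # selection_cli_get
HIVE_TOKENS = ("hkcu:", "hklm:", "registry::", "hkey_")   # selection_cli_hive
FILTER_TOKENS = ("frombase64string", "encodedcommand")    # filter_main_encoding

def matches_rule(event: dict) -> bool:
    """True when 'all of selection_* and not 1 of filter_*' holds."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    cli = event.get("CommandLine", "").lower()
    # selection_img is a list of two maps, so either entry satisfies it (OR)
    sel_img = image.endswith("\\schtasks.exe") or original == "schtasks.exe"
    sel_create = "/create" in cli
    sel_get = any(t in cli for t in GET_TOKENS)
    sel_hive = any(t in cli for t in HIVE_TOKENS)
    # encoded variants are excluded on purpose; the related rule covers them
    filtered = any(t in cli for t in FILTER_TOKENS)
    return sel_img and sel_create and sel_get and sel_hive and not filtered

# Constructed sample events (made-up values, not real telemetry)
EVENTS = [
    {   # plain-text payload read via the gp alias and piped to iex -> alert
        "Image": r"C:\Windows\System32\schtasks.exe",
        "OriginalFileName": "schtasks.exe",
        "CommandLine": r'schtasks.exe /Create /F /TN Updater /TR "powershell -c $p = gp HKCU:\Software\Example; iex $p.payload" /SC MINUTE /MO 30',
    },
    {   # base64 variant like the rule comment: hits filter_main_encoding -> no alert
        "Image": r"C:\Windows\System32\schtasks.exe",
        "OriginalFileName": "schtasks.exe",
        "CommandLine": r'schtasks.exe /Create /F /TN Task1 /TR "powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\SOFTWARE\Example).value)))" /SC MINUTE /MO 30',
    },
    {   # benign query without /Create -> no alert
        "Image": r"C:\Windows\System32\schtasks.exe",
        "OriginalFileName": "schtasks.exe",
        "CommandLine": "schtasks.exe /Query /TN Updater",
    },
    {   # renamed binary is still caught through OriginalFileName
        "Image": r"C:\Users\Public\st.exe",
        "OriginalFileName": "schtasks.exe",
        "CommandLine": r'st.exe /Create /TN T /TR "powershell Get-ItemProperty registry::HKEY_CURRENT_USER\Software\X" /SC ONLOGON',
    },
]

def alerting_indices(events=EVENTS) -> list:
    """Indices of the events the rule would fire on."""
    return [i for i, e in enumerate(events) if matches_rule(e)]
```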
