Scheduled Task Executing Payload from Registry

 1title: Scheduled Task Executing Payload from Registry
 2id: 86588b36-c6d3-465f-9cee-8f9093e07798
 3related:
 4    - id: c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78
 5      type: derived
 6status: test
 7description: Detects the creation of a schtasks that potentially executes a payload stored in the Windows Registry using PowerShell.
 8references:
 9    - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
10author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
11date: 2023-07-18
12tags:
13    - attack.execution
14    - attack.persistence
15    - attack.t1053.005
16    - attack.t1059.001
17logsource:
18    product: windows
19    category: process_creation
20detection:
21    selection_img:
22        # schtasks.exe /Create /F /TN "{97F2F70B-10D1-4447-A2F3-9B070C86E261}" /TR "cmd /c start /min \"\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\SOFTWARE\Pvoeooxf).yzbbvhhdypa))) " /SC MINUTE /MO 30
23        - Image|endswith: '\schtasks.exe'
24        - OriginalFileName: 'schtasks.exe'
25    selection_cli_create:
26        CommandLine|contains: '/Create'
27    selection_cli_get:
28        CommandLine|contains:
29            - 'Get-ItemProperty'
30            - ' gp ' # Alias
31    selection_cli_hive:
32        CommandLine|contains:
33            - 'HKCU:'
34            - 'HKLM:'
35            - 'registry::'
36            - 'HKEY_'
37    filter_main_encoding:
38        CommandLine|contains:
39            - 'FromBase64String'
40            - 'encodedcommand'
41    condition: all of selection_* and not 1 of filter_*
42falsepositives:
43    - Unknown
44level: medium