Scheduled Task Executing Encoded Payload from Registry

 1title: Scheduled Task Executing Encoded Payload from Registry
 2id: c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78
 3status: test
 4description: Detects the creation of a schtask that potentially executes a base64 encoded payload stored in the Windows Registry using PowerShell.
 5references:
 6    - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
 7author: pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport, X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 8date: 2022-02-12
 9modified: 2023-02-04
10tags:
11    - attack.execution
12    - attack.persistence
13    - attack.t1053.005
14    - attack.t1059.001
15logsource:
16    product: windows
17    category: process_creation
18detection:
19    selection_img:
20        # schtasks.exe /Create /F /TN "{97F2F70B-10D1-4447-A2F3-9B070C86E261}" /TR "cmd /c start /min \"\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\SOFTWARE\Pvoeooxf).yzbbvhhdypa))) " /SC MINUTE /MO 30
21        - Image|endswith: '\schtasks.exe'
22        - OriginalFileName: 'schtasks.exe'
23    selection_cli_create:
24        CommandLine|contains: '/Create'
25    selection_cli_encoding:
26        CommandLine|contains:
27            - 'FromBase64String'
28            - 'encodedcommand'
29    selection_cli_get:
30        CommandLine|contains:
31            - 'Get-ItemProperty'
32            - ' gp ' # Alias
33    selection_cli_hive:
34        CommandLine|contains:
35            - 'HKCU:'
36            - 'HKLM:'
37            - 'registry::'
38            - 'HKEY_'
39    condition: all of selection_*
40falsepositives:
41    - Unlikely
42level: high