Tasks Folder Evasion
The Tasks folder in system32 and syswow64 are globally writable paths. Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr
Sigma rule (View on GitHub)
1title: Tasks Folder Evasion
2id: cc4e02ba-9c06-48e2-b09e-2500cace9ae0
3status: test
4description: |
5 The Tasks folder in system32 and syswow64 are globally writable paths.
6 Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application
7 in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr
8references:
9 - https://twitter.com/subTee/status/1216465628946563073
10 - https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26
11author: Sreeman
12date: 2020-01-13
13modified: 2022-12-25
14tags:
15 - attack.defense-evasion
16 - attack.persistence
17 - attack.execution
18 - attack.t1574.002
19logsource:
20 product: windows
21 category: process_creation
22detection:
23 selection1:
24 CommandLine|contains:
25 - 'echo '
26 - 'copy '
27 - 'type '
28 - 'file createnew'
29 selection2:
30 CommandLine|contains:
31 - ' C:\Windows\System32\Tasks\'
32 - ' C:\Windows\SysWow64\Tasks\'
33 condition: all of selection*
34falsepositives:
35 - Unknown
36fields:
37 - CommandLine
38 - ParentProcess
39level: high
References
Related rules
- CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry
- Control Panel Items
- Creation Of Non-Existent System DLL
- DLL Search Order Hijackig Via Additional Space in Path
- DLL Sideloading Of ShellChromeAPI.DLL