Tasks Folder Evasion

The Tasks folders under system32 and syswow64 are globally writable paths. Adversaries can take advantage of this to load or influence any script host or any .NET application in Tasks, so that a custom assembly is loaded and executed in cscript, wscript, regsvr32, mshta or eventvwr.

Sigma rule

title: Tasks Folder Evasion
id: cc4e02ba-9c06-48e2-b09e-2500cace9ae0
status: test
description: |
    The Tasks folder in system32 and syswow64 are globally writable paths.
    Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application
    in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr
references:
    - https://twitter.com/subTee/status/1216465628946563073
    - https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26
author: Sreeman
date: 2020-01-13
modified: 2022-12-25
tags:
    - attack.privilege-escalation
    - attack.defense-evasion
    - attack.persistence
    - attack.execution
    - attack.t1574.001
logsource:
    product: windows
    category: process_creation
detection:
    selection1:
        CommandLine|contains:
            - 'echo '
            - 'copy '
            - 'type '
            - 'file createnew'
    selection2:
        CommandLine|contains:
            - ' C:\Windows\System32\Tasks\'
            - ' C:\Windows\SysWow64\Tasks\'
    condition: all of selection*
falsepositives:
    - Unknown
fields:
    - CommandLine
    - ParentProcess
level: high
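To see what this rule actually fires on, here is an added example (not part of the Sigma rule or the SigmaHQ project) that implements the detection block above as plain Python and runs it over a few constructed process_creation events. It reproduces the two `CommandLine|contains` selections and the `all of selection*` condition, including Sigma's case-insensitive string matching; the event dictionaries, paths and file names are made up for illustration.

```python
# Added example: a minimal evaluator for the rule's detection block, run over
# constructed process_creation events. Not code from the rule or from SigmaHQ.
from typing import Iterable

# Selection values copied from the rule. Sigma's |contains modifier compares
# case-insensitively, so both sides are lower-cased before the substring test.
SELECTION1 = ["echo ", "copy ", "type ", "file createnew"]
SELECTION2 = [" C:\\Windows\\System32\\Tasks\\", " C:\\Windows\\SysWow64\\Tasks\\"]


def _contains_any(value: str, needles: Iterable[str]) -> bool:
    """Sigma 'field|contains: [a, b]' semantics: any needle, case-insensitive."""
    haystack = value.lower()
    return any(n.lower() in haystack for n in needles)


def matches_tasks_folder_rule(event: dict) -> bool:
    """condition: all of selection* -> both selections must hit on CommandLine."""
    cmd = event.get("CommandLine", "")
    return _contains_any(cmd, SELECTION1) and _contains_any(cmd, SELECTION2)


def scan(events: list) -> list:
    """Return the CommandLine of every event the rule would alert on."""
    return [e["CommandLine"] for e in events if matches_tasks_folder_rule(e)]


# Constructed sample events (hypothetical, not real telemetry).
SAMPLE_EVENTS = [
    # 1: a file copied into the System32 Tasks folder -> should alert
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentProcess": "C:\\Windows\\explorer.exe",
     "CommandLine": "cmd.exe /c copy C:\\Users\\Public\\a.dll C:\\Windows\\System32\\Tasks\\a.dll"},
    # 2: content echoed into the SysWow64 Tasks folder, mixed case -> should alert
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentProcess": "C:\\Windows\\explorer.exe",
     "CommandLine": "CMD /C ECHO x > C:\\WINDOWS\\SYSWOW64\\TASKS\\x.txt"},
    # 3: 'type' on an unrelated path -> selection2 misses, no alert
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentProcess": "C:\\Windows\\explorer.exe",
     "CommandLine": "cmd.exe /c type C:\\Users\\alice\\notes.txt"},
    # 4: the legitimate Task Scheduler service host -> neither selection, no alert
    {"Image": "C:\\Windows\\System32\\svchost.exe",
     "ParentProcess": "C:\\Windows\\System32\\services.exe",
     "CommandLine": "C:\\Windows\\System32\\svchost.exe -k netsvcs -p -s Schedule"},
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print("ALERT:", line)  # prints events 1 and 2 only
```

The rule lists `ParentProcess` under `fields` for a reason: the two alerts above come from an interactive shell under explorer.exe, which is the triage question an analyst asks first. Because `falsepositives` is `Unknown`, expect to baseline this in your own environment (installers and management agents that stage files into the Tasks folder are the usual candidates) before treating every hit as high severity.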
