Tasks Folder Evasion
The Tasks folder in system32 and syswow64 are globally writable paths. Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr
Sigma rule (View on GitHub)
1title: Tasks Folder Evasion
2id: cc4e02ba-9c06-48e2-b09e-2500cace9ae0
3status: test
4description: |
5 The Tasks folder in system32 and syswow64 are globally writable paths.
6 Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application
7 in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr
8references:
9 - https://twitter.com/subTee/status/1216465628946563073
10 - https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26
11author: Sreeman
12date: 2020-01-13
13modified: 2022-12-25
14tags:
15 - attack.privilege-escalation
16 - attack.persistence
17 - attack.execution
18 - attack.stealth
19 - attack.t1574.001
20logsource:
21 product: windows
22 category: process_creation
23detection:
24 selection1:
25 CommandLine|contains:
26 - 'echo '
27 - 'copy '
28 - 'type '
29 - 'file createnew'
30 selection2:
31 CommandLine|contains:
32 - ' C:\Windows\System32\Tasks\'
33 - ' C:\Windows\SysWow64\Tasks\'
34 condition: all of selection*
35falsepositives:
36 - Unknown
37level: high
References
Related rules
- APT27 - Emissary Panda Activity
- Aruba Network Service Potential DLL Sideloading
- Creation Of Non-Existent System DLL
- Creation of WerFault.exe/Wer.dll in Unusual Folder
- DHCP Callout DLL Installation