Tasks Folder Evasion
The Tasks folders under System32 and SysWOW64 are writable by unprivileged users. An adversary can drop a file there and use it to make script hosts or any .NET application (cscript, wscript, regsvr32, mshta, eventvwr) load and execute a custom assembly.
Sigma rule
title: Tasks Folder Evasion
id: cc4e02ba-9c06-48e2-b09e-2500cace9ae0
status: test
description: |
    The Tasks folder in system32 and syswow64 are globally writable paths.
    Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application
    in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr
references:
    - https://twitter.com/subTee/status/1216465628946563073
    - https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26
author: Sreeman
date: 2020/01/13
modified: 2022/12/25
tags:
    - attack.defense_evasion
    - attack.persistence
    - attack.execution
    - attack.t1574.002
logsource:
    product: windows
    category: process_creation
detection:
    selection1:
        CommandLine|contains:
            - 'echo '
            - 'copy '
            - 'type '
            - 'file createnew'
    selection2:
        CommandLine|contains:
            - ' C:\Windows\System32\Tasks\'
            - ' C:\Windows\SysWow64\Tasks\'
    condition: all of selection*
falsepositives:
    - Unknown
fields:
    - CommandLine
    - ParentProcess
level: high
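The following is an added example, not code from the page or from the Sigma project: a small Python evaluator that applies the rule above to a handful of constructed process_creation events. It reproduces the rule's semantics (Sigma `contains` is a case-insensitive substring test, a list under one field is OR-ed, and `all of selection*` requires both selections to hit the same CommandLine). The event dicts are hypothetical and exist only to show what the rule catches and, just as usefully, what it does not: a destination path wrapped in double quotes defeats the leading space in the selection2 patterns, and a PowerShell write that uses none of selection1's cmd-style verbs is out of scope.

```python
"""Added example: minimal evaluator for the "Tasks Folder Evasion" Sigma rule.
Not the page's or the Sigma project's code. The sample events below are constructed."""

# Patterns copied from the rule's selection1 / selection2 and its 'fields' list.
SELECTION1 = ["echo ", "copy ", "type ", "file createnew"]
SELECTION2 = [" C:\\Windows\\System32\\Tasks\\", " C:\\Windows\\SysWow64\\Tasks\\"]
RULE_FIELDS = ["CommandLine", "ParentProcess"]


def contains_any(value, needles):
    """Sigma 'field|contains: [a, b]': True if any needle is a substring, ignoring case."""
    haystack = value.lower()
    return any(needle.lower() in haystack for needle in needles)


def matches_tasks_folder_evasion(event):
    """'condition: all of selection*': both selections must match the CommandLine."""
    cmd = event.get("CommandLine", "")
    return contains_any(cmd, SELECTION1) and contains_any(cmd, SELECTION2)


def run_rule(events):
    """Return the rule's 'fields' for every matching event, in input order."""
    return [{f: e.get(f, "") for f in RULE_FIELDS}
            for e in events if matches_tasks_folder_evasion(e)]


# Constructed sample events (hypothetical; not real telemetry).
SAMPLE_EVENTS = [
    # 1: cmd.exe copies a DLL into the System32 Tasks folder -> both selections hit.
    {"ParentProcess": "C:\\Windows\\explorer.exe",
     "CommandLine": "cmd.exe /c copy payload.dll C:\\Windows\\System32\\Tasks\\payload.dll"},
    # 2: lower-case path under SysWOW64, written via an echo redirect -> match.
    {"ParentProcess": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "cmd /c echo x > c:\\windows\\syswow64\\tasks\\app.exe.config"},
    # 3: copy to a path outside Tasks -> selection2 misses, no alert.
    {"ParentProcess": "C:\\Windows\\explorer.exe",
     "CommandLine": "cmd /c copy notes.txt C:\\Users\\Public\\notes.txt"},
    # 4: merely listing the Tasks folder -> selection1 misses, no alert ('all of').
    {"ParentProcess": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd /c dir C:\\Windows\\System32\\Tasks\\"},
    # 5: same drop as #1 with the destination quoted: a '"' precedes C:\ instead of the
    #    space the selection2 patterns begin with -> missed (a gap in this rule).
    {"ParentProcess": "C:\\Windows\\explorer.exe",
     "CommandLine": "cmd /c copy payload.dll \"C:\\Windows\\System32\\Tasks\\payload.dll\""},
    # 6: PowerShell writes the same file with none of selection1's verbs -> missed.
    {"ParentProcess": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell -c Set-Content C:\\Windows\\System32\\Tasks\\p.dll -Value 1"},
]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print("ALERT Tasks Folder Evasion:", hit["CommandLine"])
```

Events 5 and 6 are the ones worth thinking about when tuning: the rule as written is keyed to cmd.exe-style file writes with an unquoted, space-preceded destination, so a backend that normalises quoting, or a sibling rule on file_event telemetry for the Tasks folders, would close those gaps.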
Related rules
- Third Party Software DLL Sideloading
- DLL Search Order Hijacking Via Additional Space in Path
- DLL Sideloading Of ShellChromeAPI.DLL
- Malicious DLL File Dropped in the Teams or OneDrive Folder
- Potential DLL Sideloading Via ClassicExplorer32.dll