attack.t1053 | Detection.FYI

HackTool - SharPersist Execution

Dec 1, 2023 · attack.persistence attack.t1053 ·
Share on:

Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms

Read More
HAFNIUM Exchange Exploitation Activity

Nov 28, 2023 · attack.persistence attack.t1546 attack.t1053 attack.g0125 detection.emerging_threats ·
Share on:

Detects activity observed by different researchers to be HAFNIUM group activity (or related) on Exchange servers

Read More
HackTool - CrackMapExec Execution Patterns

Nov 6, 2023 · attack.execution attack.t1047 attack.t1053 attack.t1059.003 attack.t1059.001 attack.s0106 ·
Share on:

Detects various execution patterns of the CrackMapExec pentesting framework

Read More
HackTool - CrackMapExec Execution

Aug 28, 2023 · attack.execution attack.persistence attack.privilege_escalation attack.credential_access attack.discovery attack.t1047 attack.t1053 attack.t1059.003 attack.t1059.001 attack.t1110 attack.t1201 ·
Share on:

This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.

Read More
Scheduled TaskCache Change by Uncommon Program

Aug 17, 2023 · attack.persistence attack.t1053 attack.t1053.005 ·
Share on:

Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious

Read More
Remote Schedule Task Lateral Movement via ATSvc

Jun 22, 2023 · attack.lateral_movement attack.t1053 attack.t1053.002 ·
Share on:

Detects remote RPC calls to create or execute a scheduled task via ATSvc

Read More
Remote Schedule Task Lateral Movement via ITaskSchedulerService

Jun 22, 2023 · attack.lateral_movement attack.t1053 attack.t1053.002 ·
Share on:

Detects remote RPC calls to create or execute a scheduled task

Read More
Remote Schedule Task Lateral Movement via SASec

Jun 22, 2023 · attack.lateral_movement attack.t1053 attack.t1053.002 ·
Share on:

Detects remote RPC calls to create or execute a scheduled task via SASec

Read More
Defrag Deactivation - Security

Jun 20, 2023 · attack.persistence attack.t1053 attack.s0111 detection.emerging_threats ·
Share on:

Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group

Read More
Potential ACTINIUM Persistence Activity

Jun 20, 2023 · attack.persistence attack.t1053 attack.t1053.005 detection.emerging_threats ·
Share on:

Detects specific process parameters as used by ACTINIUM scheduled task persistence creation.

Read More
Impacket AtExec Process Activity

Apr 16, 2023 · attack.s0357 attack.execution attack.t1053 attack.t1053.002 ·
Share on:

Detect Atexec.py (Impacket) usage to send command output to attacker.

Read More
Suspicious Scheduled Task Write to System32 Tasks

Feb 1, 2023 · attack.persistence attack.execution attack.t1053 ·
Share on:

Detects the creation of tasks from processes executed from suspicious locations

Read More
Impacket AtExec Suspicious Registry Modification

Jan 30, 2023 · attack.s0357 attack.execution attack.t1053 attack.t1053.002 ·
Share on:

Detects Atexec.py (Impacket) suspicious registry key addition.

Read More
Impacket AtExec Suspicious Temp File Creation

Jan 30, 2023 · attack.s0357 attack.execution attack.t1053 attack.t1053.002 ·
Share on:

Detects Atexec.py (Impacket) suspicious file creation in Windows temp directory.

Read More
Possible Impacket AtExec Activity

Jan 30, 2023 · attack.s0357 attack.execution attack.t1053 attack.t1053.002 ·
Share on:

Detect Impacket atexec.py usage in Windows task scheduler logs. If detected, these events will appear to be logged simultaneously and will all contain the same eight-letter task name.

Read More
Cisco Modify Configuration

Jan 4, 2023 · attack.persistence attack.impact attack.t1490 attack.t1505 attack.t1565.002 attack.t1053 ·
Share on:

Modifications to a config that will serve an adversary's impacts or persistence

Read More
Suspicious Schtasks Child Process

Nov 19, 2022 · attack.persistence attack.t1053 attack.t1053.005 ·
Share on:

Detects schtasks being run as a child process of explorer.exe to create a schedule task.

Read More
Windows Scheduled Task Behaving Improperly or Suspiciously

Nov 9, 2022 · attack.persistence attack.execution attack.t1053 attack.t1053.005 ·
Share on:

Detects scheduled tasks created with the /create flag and a reference to commonly-abused Windows utilities. Inspired by the 2022 Red Canary Threat Detection report.

Read More
Windows Scheduled Task Create Shell

Nov 9, 2022 · attack.persistence attack.execution attack.t1053 attack.t1053.005 ·
Share on:

Detects creation of scheduled tasks which may establish persistence using the command shell. Inspired by the 2022 Red Canary Threat Detection report.

Read More
Windows Scheduled Task Making Suspicious Network Connection

Nov 9, 2022 · attack.persistence attack.execution attack.t1053 attack.t1053.005 ·
Share on:

Detects scheduled tasks created to reach out to external domains and download arbitrary binaries on a set or recurring schedule. Inspired by the 2022 Red Canary Threat Detection report.

Read More