Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms
Detects activity observed by different researchers to be HAFNIUM group activity (or related) on Exchange servers
Detects various execution patterns of the CrackMapExec pentesting framework
This rule detects common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.
Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious
Detects remote RPC calls to create or execute a scheduled task via ATSvc
Detects remote RPC calls to create or execute a scheduled task
Detects remote RPC calls to create or execute a scheduled task via SASec
Detects the deactivation and disabling of the scheduled defragmentation task, as seen in Slingshot APT group activity
Detects specific process parameters as used by ACTINIUM scheduled task persistence creation.
Detects atexec.py (Impacket) usage that sends command output back to the attacker.
Detects the creation of tasks from processes executed from suspicious locations
Detects Atexec.py (Impacket) suspicious registry key addition.
Detects Atexec.py (Impacket) suspicious file creation in Windows temp directory.
Detects Impacket atexec.py usage in Windows Task Scheduler logs. When detected, these events will appear to be logged simultaneously and will all contain the same eight-letter task name.
Detects modifications to a configuration that would serve an adversary's impact or persistence goals
Detects schtasks being run as a child process of explorer.exe to create a scheduled task.
Detects scheduled tasks created with the /create flag and a reference to commonly-abused Windows utilities. Inspired by the 2022 Red Canary Threat Detection report.
Detects creation of scheduled tasks which may establish persistence using the command shell. Inspired by the 2022 Red Canary Threat Detection report.
Detects scheduled tasks created to reach out to external domains and download arbitrary binaries on a set or recurring schedule. Inspired by the 2022 Red Canary Threat Detection report.