Scheduled task executing powershell encoded payload from registry
Detects the creation of a scheduled task (schtasks.exe /Create) whose action runs PowerShell to read a base64-encoded payload from the HKCU registry hive, decode it with FromBase64String and execute it. The technique was observed in the referenced Qbot/Zerologon intrusion as a persistence mechanism.
Sigma rule
title: Scheduled task executing powershell encoded payload from registry
id: 7cd354a2-92f2-4c39-85b5-6b5096366d4e
status: experimental
description: Detects the creation of a schtask that executes a base64 encoded payload stored in the Windows Registry using PowerShell.
author: '@Kostastsale, @TheDFIRReport'
references:
    - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
date: 2022/02/12
logsource:
    product: windows
    category: process_creation
detection:
    selection1:
        Image|endswith: '\schtasks.exe'
        CommandLine|contains|all:
            - '/Create'
            - '/SC'
    selection2:
        CommandLine|contains|all:
            - 'FromBase64String'
            - 'powershell'
            - 'Get-ItemProperty'
            - 'HKCU:'
    condition: selection1 and selection2
falsepositives:
    - Unknown
level: high
tags:
    - attack.execution
    - attack.persistence
    - attack.t1053.005
    - attack.t1059.001
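To see exactly which process-creation events the two selections above catch, the following is an added example (not part of the rule, the Sigma project or the referenced report) that re-implements the rule's matching semantics in Python and runs it over a handful of constructed Sysmon-style events. Sigma's string modifiers (`contains`, `endswith`) compare case-insensitively, so the helpers lower-case both sides. The event records, paths and task names are made up for illustration; the third event deliberately uses `pwsh` and `HKLM:` to show that the rule's literal strings (`powershell`, `HKCU:`) do not cover that variant, and the fourth shows that selection2 alone is not enough because selection1 requires the image to be schtasks.exe.

```python
# Constructed process_creation events (Sysmon Event ID 1 style fields).
# These are illustrative records, not logs from the referenced DFIR report.
SAMPLE_EVENTS = [
    # 0: the behaviour the rule targets; a task action that pulls the payload from HKCU
    {
        "Image": r"C:\Windows\System32\schtasks.exe",
        "CommandLine": (
            r'schtasks /Create /SC ONLOGON /TN "Updater" /TR '
            r'"powershell -w hidden -c \"IEX ([Text.Encoding]::Unicode.GetString('
            r'[Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\Software\Example).Payload)))\""'
        ),
    },
    # 1: benign task creation that runs a script from disk; no registry-stored payload
    {
        "Image": r"C:\Windows\System32\schtasks.exe",
        "CommandLine": r'schtasks /Create /SC DAILY /TN "Backup" /TR "powershell -File C:\Scripts\backup.ps1"',
    },
    # 2: same technique via pwsh.exe and HKLM; the rule's literal strings do not match it
    {
        "Image": r"C:\Windows\System32\schtasks.exe",
        "CommandLine": (
            r'schtasks /Create /SC ONSTART /TN "Svc" /TR '
            r'"pwsh -c \"[Convert]::FromBase64String((Get-ItemProperty HKLM:\Software\Example).Payload)\""'
        ),
    },
    # 3: selection2 strings present, but the image is powershell.exe, so selection1 fails
    {
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'powershell -c "[Convert]::FromBase64String((Get-ItemProperty HKCU:\Software\Example).Payload)" /Create /SC',
    },
]


def contains_all(value, needles):
    """Sigma 'contains|all': every needle must appear as a case-insensitive substring."""
    v = value.lower()
    return all(n.lower() in v for n in needles)


def endswith(value, suffix):
    """Sigma 'endswith', case-insensitive like the other Sigma string comparisons."""
    return value.lower().endswith(suffix.lower())


def matches_rule(event):
    """True when the event satisfies the rule's condition 'selection1 and selection2'."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    # selection1: schtasks.exe creating a task with a schedule (/Create and /SC)
    selection1 = endswith(image, "\\schtasks.exe") and contains_all(cmd, ["/Create", "/SC"])
    # selection2: the task action decodes a base64 value read from HKCU with PowerShell
    selection2 = contains_all(cmd, ["FromBase64String", "powershell", "Get-ItemProperty", "HKCU:"])
    return selection1 and selection2


def run_detection(events):
    """Evaluate the rule over a list of events and return the indices that alert."""
    return [i for i, ev in enumerate(events) if matches_rule(ev)]


if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS):
        print(f"event {i}: {'ALERT' if matches_rule(ev) else 'no match'}")
```

Only event 0 alerts. The misses on events 2 and 3 are consequences of the rule's own selections rather than of this harness: selection2 keys on the literal strings `powershell` and `HKCU:`, and selection1 ties the alert to the schtasks.exe process-creation event, so a task created through another interface (for example the Task Scheduler API) would not produce a matching `Image`. When tuning, keep the four `contains|all` strings in mind before broadening them, since `FromBase64String` together with `Get-ItemProperty` is what keeps the false-positive rate of this high-severity rule low.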
Related rules
- Windows Scheduled Task Behaving Improperly or Suspiciously
- Windows Scheduled Task Create Shell
- Windows Scheduled Task Making Suspicious Network Connection
- ChromeLoader Malware Detection