Scheduled task executing powershell encoded payload from registry
Detects the creation of a schtask that executes a base64 encoded payload stored in the Windows Registry using PowerShell.
Sigma rule
```yaml
title: Scheduled task executing powershell encoded payload from registry
status: Experimental
description: Detects the creation of a schtask that executes a base64 encoded payload stored in the Windows Registry using PowerShell.
author: '@Kostastsale, @TheDFIRReport'
references:
  - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
date: 2022/02/12
logsource:
  product: windows
  category: process_creation
detection:
  selection1:
    Image|endswith: '\schtasks.exe'
    CommandLine|contains|all:
      - '/Create'
      - '/SC'
  selection2:
    CommandLine|contains|all:
      - 'FromBase64String'
      - 'powershell'
      - 'Get-ItemProperty'
      - 'HKCU:'
  condition: selection1 and selection2
falsepositives:
  - Unknown
level: high
tags:
  - attack.execution
  - attack.persistence
  - attack.t1053.005
  - attack.t1059.001
```
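To see how the two selections and the `selection1 and selection2` condition behave on real-looking telemetry, the following Python is an added example (not part of the rule or The DFIR Report's tooling) that evaluates the rule's string matchers over a handful of constructed `process_creation` events. It assumes, as most Sigma backends do, that `endswith` and `contains|all` are case-insensitive; the event dictionaries, their `id` values and the registry paths in them are made up for the demonstration.

```python
"""Evaluate this page's Sigma rule over constructed process_creation events."""
from typing import Dict, List

# Substrings taken verbatim from the Sigma rule above.
SELECTION1_IMAGE_SUFFIX = "\\schtasks.exe"
SELECTION1_CMDLINE_ALL = ["/Create", "/SC"]
SELECTION2_CMDLINE_ALL = ["FromBase64String", "powershell", "Get-ItemProperty", "HKCU:"]


def _contains_all(haystack: str, needles: List[str]) -> bool:
    """Sigma's contains|all: every needle must appear; matching is case-insensitive
    (assumption: mirrors the default behaviour of common Sigma backends)."""
    lowered = haystack.lower()
    return all(n.lower() in lowered for n in needles)


def selection1(event: Dict[str, str]) -> bool:
    """schtasks.exe creating a task: Image|endswith and CommandLine|contains|all."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "")
    return image.endswith(SELECTION1_IMAGE_SUFFIX.lower()) and _contains_all(
        cmdline, SELECTION1_CMDLINE_ALL
    )


def selection2(event: Dict[str, str]) -> bool:
    """PowerShell decoding base64 read from an HKCU registry value."""
    return _contains_all(event.get("CommandLine", ""), SELECTION2_CMDLINE_ALL)


def rule_matches(event: Dict[str, str]) -> bool:
    """condition: selection1 and selection2"""
    return selection1(event) and selection2(event)


def scan(events: List[Dict[str, str]]) -> List[str]:
    """Return the ids of all events that trigger the rule."""
    return [e["id"] for e in events if rule_matches(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # task creation whose action decodes a payload stored under HKCU: both selections hit
        "id": "evt-1",
        "Image": r"C:\Windows\System32\schtasks.exe",
        "CommandLine": r'schtasks /Create /SC ONLOGON /TN Updater /TR "powershell -NoP -c '
                       r'[Convert]::FromBase64String((Get-ItemProperty HKCU:\Software\Updater).p)"',
    },
    {   # benign scheduled PowerShell script: selection1 only, so no alert
        "id": "evt-2",
        "Image": r"C:\Windows\System32\schtasks.exe",
        "CommandLine": r'schtasks /Create /SC DAILY /TN NightlyBackup /TR "powershell -File C:\Scripts\backup.ps1"',
    },
    {   # same registry-decoding PowerShell, but launched by cmd.exe rather than a schtask:
        # selection2 only, so this rule stays silent (its scope is task creation)
        "id": "evt-3",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'cmd /c powershell -c [Convert]::FromBase64String((Get-ItemProperty HKCU:\Software\Updater).p)',
    },
    {   # mixed casing and the SysWOW64 copy of schtasks: still matches because matching is case-insensitive
        "id": "evt-4",
        "Image": r"c:\windows\syswow64\SCHTASKS.EXE",
        "CommandLine": r'SCHTASKS /CREATE /sc MINUTE /tn svc /tr "PowerShell -c '
                       r'[Convert]::FROMBASE64STRING((get-itemproperty hkcu:\Software\svc).v)"',
    },
]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["id"], "sel1=%s sel2=%s match=%s" % (selection1(ev), selection2(ev), rule_matches(ev)))
    print("alerts:", scan(SAMPLE_EVENTS))
```

The third event is worth noting when tuning: the rule keys on the `schtasks.exe` image, so the same registry-backed PowerShell one-liner started any other way needs a separate rule (or a selection on the `powershell` process itself) to be caught.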
References
Related rules
- ChromeLoader Malware Detection
- ms-msdt for RCE CVE-2022-30190
- ms-msdt for RCE - sdiagnhost.exe spawning command
- Using powershell specific download cradle OneLiner
- Raspberry Robin initial execution from external drive