win_susp_schtasks_execution.yml
title: Suspicious process from scheduled task
status: experimental
description: Detects the execution of a suspicious process from a scheduled task
references:
    - https://labs.f-secure.com/publications/ti-report-lazarus-group-cryptocurrency-vertical
    - https://labs.f-secure.com/blog/catching-lazarus-threat-intelligence-to-real-detection-logic-part-two
author: F-Secure Countercept
date: 2020/09/25
level: high
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        # Task Scheduler service hosted in svchost.exe on newer Windows versions
        # (Windows 10, Server 2016). The scheduler arguments belong to the svchost
        # parent, so they are matched on ParentCommandLine, not on the child's CommandLine.
        ParentImage|endswith: '\svchost.exe'
        ParentCommandLine|contains:
            - '-k netsvcs -s Schedule'
            - '-k netsvcs -p -s Schedule'
    selection2:
        # Task Scheduler engine on older Windows versions (Windows 7, Server 2012)
        ParentImage|endswith: '\taskeng.exe'
    selection3:
        # Match the file name at the end of the full image path; a bare 'cmd.exe'
        # would be an exact match in Sigma and never hit a full path.
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\reg.exe'
            - '\wscript.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\python.exe'
    selection4:
        # Known false positives are listed here and excluded by the condition
        CommandLine|contains:
            - 'hklm\SOFTWARE\Lenovo\SystemUpdatePlugin\scheduler'
    condition: (selection1 or selection2) and selection3 and not selection4
falsepositives:
    - Administrative scripts that run regularly in the environment as scheduled tasks; identify and exclude them in selection4.
    - reg.exe seen on Lenovo SystemUpdatePlugin
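As an added example (not part of the rule or the repository), a small Python evaluator that applies this rule's condition to constructed process-creation events, with Sigma's case-insensitive matching modelled as endswith/contains checks; it matches the '-k netsvcs ... Schedule' arguments on the parent's command line (ParentCommandLine), since they belong to the svchost.exe parent rather than the spawned child, and includes one event that hits the Lenovo exclusion in selection4. The event field names, paths and command lines are assumptions.

```python
# Constructed Sysmon-style process-creation events (not real telemetry, not part of
# the rule or repository); expected outcome under the rule is noted beside each one.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "ParentCommandLine": r"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c whoami"},                           # match (selection1)
    {"ParentImage": r"C:\Windows\System32\taskeng.exe",
     "ParentCommandLine": r"taskeng.exe {00000000-0000-0000-0000-000000000000} S-1-5-18:NT AUTHORITY\System:Service:",
     "Image": r"C:\Windows\System32\WScript.exe",
     "CommandLine": r"wscript.exe C:\Scripts\cleanup.vbs"},          # match (selection2)
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "ParentCommandLine": r"C:\Windows\system32\svchost.exe -k netsvcs -s Schedule",
     "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg.exe ADD "HKLM\SOFTWARE\Lenovo\SystemUpdatePlugin\scheduler" /v Run /d 1 /f'},  # excluded by selection4
    {"ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": r"C:\Windows\Explorer.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe"},                                     # no match: parent is not the scheduler
]

# Sigma string matching is case-insensitive, so every pattern is kept lower-case
# and every field value is lower-cased before comparison.
SCHEDULE_SVCHOST_ARGS = ("-k netsvcs -s schedule", "-k netsvcs -p -s schedule")
SUSPICIOUS_IMAGES = ("\\cmd.exe", "\\powershell.exe", "\\reg.exe", "\\wscript.exe",
                     "\\cscript.exe", "\\mshta.exe", "\\python.exe")
FALSE_POSITIVE_CMDLINES = ("hklm\\software\\lenovo\\systemupdateplugin\\scheduler",)

def _field(event, name):
    return str(event.get(name, "")).lower()

def selection1(event):  # svchost.exe hosting the Task Scheduler service (Win10 / Server 2016)
    return _field(event, "ParentImage").endswith("\\svchost.exe") and any(
        args in _field(event, "ParentCommandLine") for args in SCHEDULE_SVCHOST_ARGS)

def selection2(event):  # taskeng.exe on older Windows (Win7 / Server 2012)
    return _field(event, "ParentImage").endswith("\\taskeng.exe")

def selection3(event):  # '|endswith' on the image name, as '*\cmd.exe' would in Sigma
    return _field(event, "Image").endswith(SUSPICIOUS_IMAGES)

def selection4(event):  # tuning list: known benign command lines
    return any(fp in _field(event, "CommandLine") for fp in FALSE_POSITIVE_CMDLINES)

def rule_matches(event):
    # condition: (selection1 or selection2) and selection3 and not selection4
    return (selection1(event) or selection2(event)) and selection3(event) and not selection4(event)

def matching_indices(events):
    return [i for i, e in enumerate(events) if rule_matches(e)]
```

Calling `matching_indices(SAMPLE_EVENTS)` returns the indices of the two events that would alert; the reg.exe event is suppressed only because of selection4, which is where environment-specific exclusions belong.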