SigmaHQ/rules/windows/process_creation/win_task_folder_evasion.yml

title: Tasks Folder Evasion
id: cc4e02ba-9c06-48e2-b09e-2500cace9ae0
status: experimental
description: The Tasks folder in system32 and syswow64 are globally writable paths. Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr
references:
    - https://twitter.com/subTee/status/1216465628946563073
    - https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26
date: 2020/01/13
modified: 2020/08/29
author: Sreeman
tags:
    - attack.defense_evasion
    - attack.persistence
    - attack.execution
    - attack.t1574.002
    - attack.t1059  # an old one
    - attack.t1064  # an old one

logsource:
    product: Windows
detection:
    selection1:
        CommandLine|contains:
            - 'echo '
            - 'copy '
            - 'type '
            - 'file createnew'
    selection2:
        CommandLine|contains:
            - ' C:\Windows\System32\Tasks\'
            - ' C:\Windows\SysWow64\Tasks\'
    condition: selection1 and selection2
fields:
    - CommandLine
    - ParentProcess
falsepositives:
    - Unknown
level: high
fix: converted CRLF line break to LF 2020-03-25 13:36:34 +00:00			`title: Tasks Folder Evasion`
			`id: cc4e02ba-9c06-48e2-b09e-2500cace9ae0`
			`status: experimental`
Initial round of subtechnique updates 2020-06-16 20:46:08 +00:00			`description: The Tasks folder in system32 and syswow64 are globally writable paths. Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr`
			`references:`
fix: converted CRLF line break to LF 2020-03-25 13:36:34 +00:00			`- https://twitter.com/subTee/status/1216465628946563073`
			`- https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26`
Fixed date typo - by the looks of the commit date the month/date were swapped. 2020-04-01 16:18:13 +00:00			`date: 2020/01/13`
att&ck tags review: windows/process_creation part 9 2020-08-29 16:22:09 +00:00			`modified: 2020/08/29`
fix: converted CRLF line break to LF 2020-03-25 13:36:34 +00:00			`author: Sreeman`
			`tags:`
			`- attack.defense_evasion`
			`- attack.persistence`
att&ck tags review: windows/process_creation part 9 2020-08-29 16:22:09 +00:00			`- attack.execution`
			`- attack.t1574.002`
			`- attack.t1059 # an old one`
			`- attack.t1064 # an old one`

fix: converted CRLF line break to LF 2020-03-25 13:36:34 +00:00			`logsource:`
			`product: Windows`
			`detection:`
			`selection1:`
			`CommandLine\|contains:`
			`- 'echo '`
			`- 'copy '`
			`- 'type '`
			`- 'file createnew'`
			`selection2:`
			`CommandLine\|contains:`
			`- ' C:\Windows\System32\Tasks\'`
			`- ' C:\Windows\SysWow64\Tasks\'`
			`condition: selection1 and selection2`
			`fields:`
			`- CommandLine`
			`- ParentProcess`
			`falsepositives:`
			`- Unknown`
			`level: high`