valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 09:48:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
104ee6c33b
SigmaHQ/rules/windows/builtin/win_rare_schtasks_creations.yml
Roberto Rodriguez f0b23af10d Update win_rare_schtasks_creations.yml 
Count(taskName) not being taken by elastalert integration with Sigmac
2018-12-05 05:10:08 +03:00

23 lines
899 B
YAML
Raw Blame History

title: Rare Schtasks Creations
description: Detects rare scheduled tasks creations that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious code
status: experimental
author: Florian Roth
tags:
- attack.execution
- attack.privilege_escalation
- attack.persistence
- attack.t1053
logsource:
product: windows
service: security
definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection (not in the baseline recommendations by Microsoft). We also recommend extracting the Command field from the embedded XML in the event data.'
detection:
selection:
EventID: 4698
timeframe: 7d
condition: selection | count() by TaskName < 5
falsepositives:
- Software installation
- Software updates
level: low
Reference in New Issue View Git Blame Copy Permalink