mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-07 09:48:58 +00:00
27 lines
1023 B
YAML
27 lines
1023 B
YAML
title: Rare Schtasks Creations
|
|
id: b0d77106-7bb0-41fe-bd94-d1752164d066
|
|
description: Detects rare scheduled tasks creations that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious code
|
|
status: experimental
|
|
author: Florian Roth
|
|
date: 2017/03/23
|
|
tags:
|
|
- attack.execution
|
|
- attack.privilege_escalation
|
|
- attack.persistence
|
|
- attack.t1053 # an old one
|
|
- car.2013-08-001
|
|
- attack.t1053.005
|
|
logsource:
|
|
product: windows
|
|
service: security
|
|
definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection (not in the baseline recommendations by Microsoft). We also recommend extracting the Command field from the embedded XML in the event data.'
|
|
detection:
|
|
selection:
|
|
EventID: 4698
|
|
timeframe: 7d
|
|
condition: selection | count() by TaskName < 5
|
|
falsepositives:
|
|
- Software installation
|
|
- Software updates
|
|
level: low
|