32 lines
970 B
YAML
title: Rare Schtasks Creations
author: Florian Roth
date: 2017/03/23
description: Detects rare scheduled tasks creations that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious code
detection:
  SELECTION_1:
    EventID: 4698
  condition: SELECTION_1 | count() by TaskName < 5
falsepositives:
  - Software installation
  - Software updates
id: b0d77106-7bb0-41fe-bd94-d1752164d066
level: low
logsource:
  definition: The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection (not in the baseline recommendations by Microsoft). We also recommend extracting the Command field from the embedded XML in the event data.
  product: windows
  service: security
status: experimental
tags:
  - attack.execution
  - attack.privilege_escalation
  - attack.persistence
  - attack.t1053
  - car.2013-08-001
  - attack.t1053.005
ruletype: SIGMA
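The aggregation in the rule's `condition` line (`count() by TaskName < 5` over EventID 4698) and the logsource note about pulling the Command field out of the embedded task XML, applied to constructed events. This is an added example, not part of the Sigma rule or of any SigmaHQ tooling; it assumes the 4698 record carries the task definition as an XML string in a field named `TaskContent`, uses the real Windows task-scheduler XML namespace, and treats the time frame (which the rule leaves to the deployer) as a parameter. All event records below are constructed sample data.

```python
"""Emulate the 'Rare Schtasks Creations' Sigma aggregation on sample events.

Added example (not the rule author's code). Assumes each 4698 event is a dict
with EventID, TimeCreated (datetime), TaskName and TaskContent (task XML).
"""
from collections import Counter
from datetime import datetime, timedelta
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

# Real namespace of the Windows Task Scheduler XML schema.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}


def task_xml(command, arguments=""):
    """Build a minimal scheduled-task XML body (constructed sample data)."""
    return (
        f'<Task xmlns="{TASK_NS["t"]}"><Actions><Exec>'
        f"<Command>{escape(command)}</Command>"
        f"<Arguments>{escape(arguments)}</Arguments>"
        "</Exec></Actions></Task>"
    )


def extract_command(task_content):
    """Return 'Command Arguments' from the embedded task XML, as the rule's
    logsource note recommends; None if the task has no Exec action."""
    root = ET.fromstring(task_content)
    exe = root.find(".//t:Actions/t:Exec", TASK_NS)
    if exe is None:
        return None
    cmd = exe.findtext("t:Command", default="", namespaces=TASK_NS)
    args = exe.findtext("t:Arguments", default="", namespaces=TASK_NS)
    return (cmd + " " + args).strip()


def rare_task_creations(events, threshold=5, timeframe=timedelta(days=1)):
    """Apply `EventID: 4698 | count() by TaskName < threshold`.

    Only events inside the trailing `timeframe` (measured from the newest
    matching event) are aggregated. Returns {TaskName: {count, commands}}.
    """
    matching = [e for e in events if e["EventID"] == 4698]
    if not matching:
        return {}
    newest = max(e["TimeCreated"] for e in matching)
    window = [e for e in matching if newest - e["TimeCreated"] <= timeframe]
    counts = Counter(e["TaskName"] for e in window)
    hits = {}
    for name, n in counts.items():
        if n < threshold:
            cmds = {extract_command(e["TaskContent"]) for e in window
                    if e["TaskName"] == name}
            hits[name] = {"count": n, "commands": sorted(c for c in cmds if c)}
    return hits


BASE = datetime(2017, 3, 23, 9, 0, 0)


def sample_events():
    """Constructed 4698/4702 records for the demo (not real telemetry)."""
    events = []
    # A vendor updater task re-created hourly: six creations, so not rare
    # (this is the 'Software updates' false positive the rule lists).
    for i in range(6):
        events.append({
            "EventID": 4698, "TimeCreated": BASE + timedelta(hours=i),
            "TaskName": "\\Vendor\\UpdateCheck",
            "TaskContent": task_xml("C:\\Program Files\\Vendor\\update.exe", "/check"),
        })
    # A task seen once in the window: this is what the rule surfaces.
    events.append({
        "EventID": 4698, "TimeCreated": BASE + timedelta(hours=3),
        "TaskName": "\\OneOffTask",
        "TaskContent": task_xml("C:\\ProgramData\\example\\agent.exe", "-s"),
    })
    # Created outside the trailing window: excluded from the aggregation.
    events.append({
        "EventID": 4698, "TimeCreated": BASE - timedelta(days=3),
        "TaskName": "\\OldTask",
        "TaskContent": task_xml("C:\\Windows\\System32\\cmd.exe", "/c echo old"),
    })
    # 4702 (task updated) is not selected by SELECTION_1.
    events.append({
        "EventID": 4702, "TimeCreated": BASE + timedelta(hours=4),
        "TaskName": "\\Ignored", "TaskContent": task_xml("C:\\x.exe"),
    })
    return events


if __name__ == "__main__":
    for name, hit in rare_task_creations(sample_events()).items():
        print(f"{name}: created {hit['count']}x, commands={hit['commands']}")
```

The window and threshold are the two knobs a deployer tunes: a longer time frame raises the counts of legitimately recurring tasks and pushes them out of the "rare" set, while the extracted Command string is what an analyst triages, which is why the rule's logsource note asks for it to be parsed out of the event XML rather than left embedded.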