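# Sigma rule in the converter's layout (numbered SELECTION_* blocks, plus the
# yml_filename/yml_path keys appended at the end). It flags a schtasks.exe
# "/Create" invocation whose command line references a path under a user's
# AppData\Local\Temp directory: scheduled tasks are a well-known execution and
# persistence technique (ATT&CK T1053.005), and a task whose action lives in a
# per-user temp folder is rarely legitimate, hence level "high".
title: Suspicious Add Task From User AppData Temp
id: 43f487f0-755f-4c2a-bce7-d6d2eec2fcf8
description: schtasks.exe create task from user AppData\Local\Temp
references:
  - malware analyse https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04
author: frack113
date: 2021/11/03
tags:
  - attack.execution
  - attack.t1053.005
logsource:
  category: process_creation
  product: windows
detection:
  # Event-ID gate. EventID 1 is the Sysmon process-creation event, so with this
  # selection in the condition the rule only fires on Sysmon-sourced events and
  # not on Security 4688 — presumably intended by the converter; confirm against
  # the consumer's log source mapping before relying on it for 4688 telemetry.
  SELECTION_1:
    EventID: 1
  # Sigma '*' matches any run of characters, so this matches every image whose
  # path merely ends in "schtasks.exe" (not only a file literally named
  # schtasks.exe). Conversely, a renamed copy of the binary is not caught by an
  # Image match at all; that is a known limit of this selection, not a bug.
  SELECTION_2:
    Image: '*schtasks.exe'
  # "/Create " with a trailing space: the switch must be followed by further
  # arguments. Sigma string matching is case-insensitive per the spec, so
  # "/create" is covered as well.
  SELECTION_3:
    CommandLine: '*/Create *'
  # Matches the Temp path anywhere on the command line, whether it is the task
  # action itself or a referenced task definition file (e.g. /TR or /XML).
  SELECTION_4:
    CommandLine: '*\AppData\Local\Temp*'
  # All four selections must hold on the same event.
  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
  - unknown
level: high
# Converter-added metadata. yml_path is an absolute path on the machine the
# rule was converted on; it is environment-specific and has no detection
# meaning.
yml_filename: win_pc_susp_schtasks_user_temp.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation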