From 535e6ce0cc9c101fdf60977850801e42b6a9e0a8 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 23 Mar 2022 09:09:43 +0100
Subject: [PATCH] refactor: scheduled task patterns

---
 ...roc_creation_win_susp_schtasks_pattern.yml | 21 ++++++++++++-------
 1 file changed, 13 insertions(+), 8 deletions(-)

diff --git a/rules/windows/process_creation/proc_creation_win_susp_schtasks_pattern.yml b/rules/windows/process_creation/proc_creation_win_susp_schtasks_pattern.yml
index 8ad86deff..47c64e5af 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_schtasks_pattern.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_schtasks_pattern.yml
@@ -6,9 +6,10 @@ references:
 - https://app.any.run/tasks/512c1352-6380-4436-b27d-bb62f0c020d6/
 tags:
 - attack.execution
- - attack.t1053.005
+ - attack.t1053.005
 author: Florian Roth
 date: 2022/02/23
+modified: 2022/03/23
 logsource:
 product: windows
 category: process_creation
@@ -16,22 +17,26 @@ detection:
 selection_schtasks:
 Image|endswith: 'schtasks.exe'
 CommandLine|contains: '/Create '
- selection_rare:
+ selection_pattern1:
 CommandLine|contains:
 - '/sc minute '
 - '/ru system '
- selection_pattern:
+ selection_pattern2:
 CommandLine|contains:
 - 'cmd.exe /c '
 - 'cmd /c'
- - ' -w hidden '
+ selection_rare:
+ CommandLine|contains:
 - ' bypass '
- - ' IEX'
- - ' -enc '
- - ' -decode '
 - '.DownloadString'
 - '.DownloadFile'
 - 'FromBase64String'
+ - ' -w hidden '
+ - ' IEX'
+ - ' -enc '
+ - ' -decode '
+ - '/c start /min ' # https://twitter.com/RedDrip7/status/1506480588827467785
+ - ' curl ' # https://twitter.com/RedDrip7/status/1506480588827467785
 selection_anomaly:
 - CommandLine|contains|all:
 - '/xml C:\Users\'
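Review bot: The `' curl '` item added at the end of selection_rare requires a space on both sides of the word, so a task action that names the binary as `curl.exe` (the name it carries on Windows) never matches this string, which narrows the coverage the new item was added for. Adding `'curl.exe '` next to it, or documenting why the bare word form is intended, would make the scope explicit. The two trailing `# https://twitter.com/...` comments on the new list items are also a style point: the rule already keeps its sources in the `references` list at the top of the file, and putting the RedDrip7 link there keeps the detection list free of inline commentary. The same observation applies to the trailing-space requirement on `' -w hidden '`, `' -enc '` and `' -decode '`, which were moved here unchanged; they cannot match when the switch is the last token of the command line, and a short `# trailing space avoids matching longer switch names` comment would record whether that is deliberate.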
@@ -39,7 +44,7 @@ detection:
 - CommandLine|contains|all:
 - 'wscript.exe'
 - '\AppData\'
- condition: selection_schtasks and ( selection_rare and selection_pattern or selection_anomaly )
+ condition: selection_schtasks and ( all of selection_pattern* or selection_rare or selection_anomaly )
 falsepositives:
 - Software installers that run from temporary folders and also install scheduled tasks
 level: high
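Review bot: The new condition lets selection_rare fire on its own, whereas the old condition only raised the alert when one of those strings co-occurred with the `cmd /c` launcher in selection_pattern, so `schtasks /Create` with any single string such as `' -w hidden '`, `' -enc '` or `' curl '` in the task command now produces an alert at `level: high`. The falsepositives entry directly below still describes only installers and does not reflect this widened scope; an additional entry along the lines of `- Administrative scripts that register tasks whose actions contain one of the rare strings` would tell analysts what to expect. A one-line comment above the condition, `# a single rare string is sufficient; the pattern selections must both match`, would also make the asymmetry between `all of selection_pattern*` and the standalone `selection_rare` explicit, since the detection block it refers to starts outside this hunk.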