diff --git a/regression_data/rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable/7595ba94-cf3b-4471-aa03-4f6baa9e5fad.evtx b/regression_data/rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable/7595ba94-cf3b-4471-aa03-4f6baa9e5fad.evtx
new file mode 100644
index 000000000..5c5ad4920
Binary files /dev/null and b/regression_data/rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable/7595ba94-cf3b-4471-aa03-4f6baa9e5fad.evtx differ
diff --git a/regression_data/rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable/7595ba94-cf3b-4471-aa03-4f6baa9e5fad.json b/regression_data/rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable/7595ba94-cf3b-4471-aa03-4f6baa9e5fad.json
new file mode 100644
index 000000000..f79f8ef2e
--- /dev/null
+++ b/regression_data/rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable/7595ba94-cf3b-4471-aa03-4f6baa9e5fad.json
@@ -0,0 +1,54 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Security-Auditing", + "Guid": "54849625-5478-4994-A5BA-3E3B0328C30D" + } + }, + "EventID": 4701, + "Version": 1, + "Level": 0, + "Task": 12804, + "Opcode": 0, + "Keywords": "0x8020000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2026-03-11T05:16:41.816327Z" + } + }, + "EventRecordID": 27732, + "Correlation": { + "#attributes": { + "ActivityID": "8E521E2B-7C26-0003-031F-528E267CDB01" + } + }, + "Execution": { + "#attributes": { + "ProcessID": 852, + "ThreadID": 968 + } + }, + "Channel": "Security", + "Computer": "swachchhanda", + "Security": null + }, + "EventData": { + "SubjectUserSid": "S-1-5-21-2555720767-1205513275-3893774561-1001", + "SubjectUserName": "xodih", + "SubjectDomainName": "SWACHCHHANDA", + "SubjectLogonId": "0x3144c", + "TaskName": "\\Microsoft\\Windows\\SystemRestore\\SR", + "TaskContent": "\r\n\r\n \r\n D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;FRFX;;;LS)\r\n $(@%systemroot%\\system32\\srrstr.dll,-320)\r\n $(@%systemroot%\\system32\\srrstr.dll,-321)\r\n $(@%systemroot%\\system32\\srrstr.dll,-322)\r\n Microsoft\\Windows\\SystemRestore\\SR\r\n \r\n \r\n \r\n S-1-5-18\r\n \r\n \r\n \r\n true\r\n false\r\n false\r\n IgnoreNew\r\n true\r\n true\r\n \r\n true\r\n false\r\n \r\n true\r\n \r\n P3D\r\n P3DT1M\r\n true\r\n \r\n \r\n \r\n \r\n \r\n %windir%\\system32\\srtasks.exe\r\n ExecuteScheduledSPPCreation\r\n \r\n \r\n", + "ClientProcessStartKey": 2251799813691708, + "ClientProcessId": 5204, + "ParentProcessId": 15816, + "RpcCallClientLocality": 0, + "FQDN": "swachchhanda" + } + } +} 
diff --git a/regression_data/rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable/info.yml b/regression_data/rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable/info.yml
new file mode 100644
index 000000000..d1b5c5373
--- /dev/null
+++ b/regression_data/rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable/info.yml
@@ -0,0 +1,13 @@
+id: fbeed033-1556-49ae-881d-1e12e8aceb49
+description: N/A
+date: 2026-03-11
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+ - id: 7595ba94-cf3b-4471-aa03-4f6baa9e5fad
+ title: Important Scheduled Task Deleted/Disabled
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable/7595ba94-cf3b-4471-aa03-4f6baa9e5fad.evtx
diff --git a/regression_data/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete_or_disable/9e3cb244-bdb8-4632-8c90-6079c8f4f16d.evtx b/regression_data/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete_or_disable/9e3cb244-bdb8-4632-8c90-6079c8f4f16d.evtx
new file mode 100644
index 000000000..ed7d4507f
Binary files /dev/null and b/regression_data/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete_or_disable/9e3cb244-bdb8-4632-8c90-6079c8f4f16d.evtx differ
diff --git a/regression_data/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete_or_disable/9e3cb244-bdb8-4632-8c90-6079c8f4f16d.json b/regression_data/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete_or_disable/9e3cb244-bdb8-4632-8c90-6079c8f4f16d.json
new file mode 100644
index 000000000..483ac2304
--- /dev/null
+++ b/regression_data/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete_or_disable/9e3cb244-bdb8-4632-8c90-6079c8f4f16d.json
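Review bot: `provider: Microsoft-Windows-Sysmon` under `regression_tests_info` does not describe the fixture this entry points to: the JSON export of the same evtx in this commit carries `"Name": "Microsoft-Windows-Security-Auditing"`, EventID 4701 on the `Security` channel. If the harness uses `provider` to select or pre-filter the events it replays against the rule, the test could match nothing or be skipped without anyone noticing; the line should read `provider: Microsoft-Windows-Security-Auditing`. `description: N/A` could also say what the sample is (an interactive user disabling `\Microsoft\Windows\SystemRestore\SR`, recorded as 4701) so the fixture explains itself.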
@@ -0,0 +1,48 @@
+{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-TaskScheduler", + "Guid": "DE7B24EA-73C8-4A09-985D-5BDADCFA9017" + } + }, + "EventID": 142, + "Version": 0, + "Level": 4, + "Task": 142, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2026-03-11T05:16:41.815720Z" + } + }, + "EventRecordID": 14, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 1996, + "ThreadID": 15932 + } + }, + "Channel": "Microsoft-Windows-TaskScheduler/Operational", + "Computer": "swachchhanda", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "#attributes": { + "Name": "TaskDisabled" + }, + "TaskName": "\\Microsoft\\Windows\\SystemRestore\\SR", + "UserName": "System" + } + } +}
diff --git a/regression_data/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete_or_disable/info.yml b/regression_data/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete_or_disable/info.yml
new file mode 100644
index 000000000..0df6c4bff
--- /dev/null
+++ b/regression_data/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete_or_disable/info.yml
@@ -0,0 +1,13 @@
+id: 89bcf8d7-2f92-4ae4-9492-bba11f26dd10
+description: N/A
+date: 2026-03-11
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+ - id: 9e3cb244-bdb8-4632-8c90-6079c8f4f16d
+ title: Important Scheduled Task Deleted or Disabled
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete_or_disable/9e3cb244-bdb8-4632-8c90-6079c8f4f16d.evtx
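Review bot: The test metadata declares `provider: Microsoft-Windows-Sysmon`, but the event in the fixture directly above it comes from `Microsoft-Windows-TaskScheduler` (EventID 142 on `Microsoft-Windows-TaskScheduler/Operational`), so the line should be `provider: Microsoft-Windows-TaskScheduler`. Whether a wrong provider makes the harness skip or mis-filter the sample is not visible from this commit, but a metadata/evtx mismatch makes the regression test untrustworthy either way. While here, `description: N/A` could record that this is a `TaskDisabled` (142) sample for the SR task, since 141 is the other ID the rule now covers and the name of the file does not say which one it holds.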
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_reg_system_restore_modification/7c06ab9b-b1d2-4ba9-b06e-09491ded20d9.evtx b/regression_data/rules/windows/process_creation/proc_creation_win_reg_system_restore_modification/7c06ab9b-b1d2-4ba9-b06e-09491ded20d9.evtx
new file mode 100644
index 000000000..c6c931d83
Binary files /dev/null and b/regression_data/rules/windows/process_creation/proc_creation_win_reg_system_restore_modification/7c06ab9b-b1d2-4ba9-b06e-09491ded20d9.evtx differ
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_reg_system_restore_modification/7c06ab9b-b1d2-4ba9-b06e-09491ded20d9.json b/regression_data/rules/windows/process_creation/proc_creation_win_reg_system_restore_modification/7c06ab9b-b1d2-4ba9-b06e-09491ded20d9.json
new file mode 100644
index 000000000..121aeb0c2
--- /dev/null
+++ b/regression_data/rules/windows/process_creation/proc_creation_win_reg_system_restore_modification/7c06ab9b-b1d2-4ba9-b06e-09491ded20d9.json
@@ -0,0 +1,264 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2026-03-11T05:43:26.345335Z" + } + }, + "EventRecordID": 35549, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3208, + "ThreadID": 1724 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "swachchhanda", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2026-03-11 05:43:26.311", + "ProcessGuid": "0197231E-00FE-69B1-981A-000000000800", + "ProcessId": 376, + "Image": "C:\\Windows\\System32\\reg.exe", + "FileVersion": "10.0.26100.1 (WinBuild.160101.0800)", + "Description": "Registry Console Tool", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "reg.exe", + "CommandLine": "reg add \"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore\" /v \"DisableConfig\" /t \"REG_DWORD\" /d \"1\" /f", + "CurrentDirectory": "C:\\Windows\\System32\\", + "User": "swachchhanda\\xodih", + "LogonGuid": "0197231E-AB9F-67AA-4C14-030000000000", + "LogonId": "0x3144c", + "TerminalSessionId": 1, + "IntegrityLevel": "High", + "Hashes": "MD5=573EB13AC2BA31E9C2E17FB6DAD14154,SHA256=E295E776FD4F7F73DFAAA5698A19EA7A2F4A2F0C5E1681FAC94E45D00296C926,IMPHASH=A26BCB048DF34CBB422F2656F38634D0", + "ParentProcessGuid": "0197231E-5098-69AE-5814-000000000800", + "ParentProcessId": 15816, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "cmd.exe", + "ParentUser": "swachchhanda\\xodih" + } + } +} +{ + "Event": { + "#attributes": { + "xmlns": 
"http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2026-03-11T05:43:26.390084Z" + } + }, + "EventRecordID": 35550, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3208, + "ThreadID": 1724 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "swachchhanda", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2026-03-11 05:43:26.378", + "ProcessGuid": "0197231E-00FE-69B1-991A-000000000800", + "ProcessId": 12068, + "Image": "C:\\Windows\\System32\\reg.exe", + "FileVersion": "10.0.26100.1 (WinBuild.160101.0800)", + "Description": "Registry Console Tool", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "reg.exe", + "CommandLine": "reg add \"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore\" /v \"DisableSR\" /t \"REG_DWORD\" /d \"1\" /f", + "CurrentDirectory": "C:\\Windows\\System32\\", + "User": "swachchhanda\\xodih", + "LogonGuid": "0197231E-AB9F-67AA-4C14-030000000000", + "LogonId": "0x3144c", + "TerminalSessionId": 1, + "IntegrityLevel": "High", + "Hashes": "MD5=573EB13AC2BA31E9C2E17FB6DAD14154,SHA256=E295E776FD4F7F73DFAAA5698A19EA7A2F4A2F0C5E1681FAC94E45D00296C926,IMPHASH=A26BCB048DF34CBB422F2656F38634D0", + "ParentProcessGuid": "0197231E-5098-69AE-5814-000000000800", + "ParentProcessId": 15816, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "cmd.exe", + "ParentUser": "swachchhanda\\xodih" + } + } +} +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": 
{ + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2026-03-11T05:43:26.438522Z" + } + }, + "EventRecordID": 35551, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3208, + "ThreadID": 1724 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "swachchhanda", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2026-03-11 05:43:26.429", + "ProcessGuid": "0197231E-00FE-69B1-9A1A-000000000800", + "ProcessId": 2964, + "Image": "C:\\Windows\\System32\\reg.exe", + "FileVersion": "10.0.26100.1 (WinBuild.160101.0800)", + "Description": "Registry Console Tool", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "reg.exe", + "CommandLine": "reg add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore\" /v \"DisableConfig\" /t \"REG_DWORD\" /d \"1\" /f", + "CurrentDirectory": "C:\\Windows\\System32\\", + "User": "swachchhanda\\xodih", + "LogonGuid": "0197231E-AB9F-67AA-4C14-030000000000", + "LogonId": "0x3144c", + "TerminalSessionId": 1, + "IntegrityLevel": "High", + "Hashes": "MD5=573EB13AC2BA31E9C2E17FB6DAD14154,SHA256=E295E776FD4F7F73DFAAA5698A19EA7A2F4A2F0C5E1681FAC94E45D00296C926,IMPHASH=A26BCB048DF34CBB422F2656F38634D0", + "ParentProcessGuid": "0197231E-5098-69AE-5814-000000000800", + "ParentProcessId": 15816, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "cmd.exe", + "ParentUser": "swachchhanda\\xodih" + } + } +} +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": 
"5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2026-03-11T05:43:27.502020Z" + } + }, + "EventRecordID": 35552, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3208, + "ThreadID": 1724 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "swachchhanda", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2026-03-11 05:43:27.480", + "ProcessGuid": "0197231E-00FF-69B1-9B1A-000000000800", + "ProcessId": 13620, + "Image": "C:\\Windows\\System32\\reg.exe", + "FileVersion": "10.0.26100.1 (WinBuild.160101.0800)", + "Description": "Registry Console Tool", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "reg.exe", + "CommandLine": "reg add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore\" /v \"DisableSR\" /t \"REG_DWORD\" /d \"1\" /f", + "CurrentDirectory": "C:\\Windows\\System32\\", + "User": "swachchhanda\\xodih", + "LogonGuid": "0197231E-AB9F-67AA-4C14-030000000000", + "LogonId": "0x3144c", + "TerminalSessionId": 1, + "IntegrityLevel": "High", + "Hashes": "MD5=573EB13AC2BA31E9C2E17FB6DAD14154,SHA256=E295E776FD4F7F73DFAAA5698A19EA7A2F4A2F0C5E1681FAC94E45D00296C926,IMPHASH=A26BCB048DF34CBB422F2656F38634D0", + "ParentProcessGuid": "0197231E-5098-69AE-5814-000000000800", + "ParentProcessId": 15816, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "cmd.exe", + "ParentUser": "swachchhanda\\xodih" + } + } +} diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_reg_system_restore_modification/info.yml b/regression_data/rules/windows/process_creation/proc_creation_win_reg_system_restore_modification/info.yml new file mode 100644 index 000000000..91d85277a 
--- /dev/null
+++ b/regression_data/rules/windows/process_creation/proc_creation_win_reg_system_restore_modification/info.yml
@@ -0,0 +1,13 @@
+id: 75a7a650-1934-4994-9447-addc8cea2c50
+description: N/A
+date: 2026-03-11
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+ - id: 7c06ab9b-b1d2-4ba9-b06e-09491ded20d9
+ title: System Restore Registry Modification via CommandLine
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 4
+ path: regression_data/rules/windows/process_creation/proc_creation_win_reg_system_restore_modification/7c06ab9b-b1d2-4ba9-b06e-09491ded20d9.evtx
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_schtasks_delete/dbc1f800-0fe0-4bc0-9c66-292c2abe3f78.evtx b/regression_data/rules/windows/process_creation/proc_creation_win_schtasks_delete/dbc1f800-0fe0-4bc0-9c66-292c2abe3f78.evtx
new file mode 100644
index 000000000..12fcdcd52
Binary files /dev/null and b/regression_data/rules/windows/process_creation/proc_creation_win_schtasks_delete/dbc1f800-0fe0-4bc0-9c66-292c2abe3f78.evtx differ
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_schtasks_delete/dbc1f800-0fe0-4bc0-9c66-292c2abe3f78.json b/regression_data/rules/windows/process_creation/proc_creation_win_schtasks_delete/dbc1f800-0fe0-4bc0-9c66-292c2abe3f78.json
new file mode 100644
index 000000000..01e6324b7
--- /dev/null
+++ b/regression_data/rules/windows/process_creation/proc_creation_win_schtasks_delete/dbc1f800-0fe0-4bc0-9c66-292c2abe3f78.json
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2026-03-11T05:50:15.050582Z" + } + }, + "EventRecordID": 35558, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3208, + "ThreadID": 1724 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "swachchhanda", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2026-03-11 05:50:15.010", + "ProcessGuid": "0197231E-0297-69B1-A51A-000000000800", + "ProcessId": 3824, + "Image": "C:\\Windows\\System32\\schtasks.exe", + "FileVersion": "10.0.26100.1 (WinBuild.160101.0800)", + "Description": "Task Scheduler Configuration Tool", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "schtasks.exe", + "CommandLine": "schtasks /delete /f /tn \"\\Microsoft\\Windows\\SystemRestore\\SR\"", + "CurrentDirectory": "C:\\Windows\\System32\\", + "User": "swachchhanda\\xodih", + "LogonGuid": "0197231E-AB9F-67AA-4C14-030000000000", + "LogonId": "0x3144c", + "TerminalSessionId": 1, + "IntegrityLevel": "High", + "Hashes": "MD5=F6A8EAD7A0201CD4B70BC27880EF5D90,SHA256=50D05E4D9CACE1FE8620CE95DDEA9978B26987787A0FFBCFEF4C25381DB9BB79,IMPHASH=15B98131447F3FE7853021D3B8BDBE26", + "ParentProcessGuid": "0197231E-5098-69AE-5814-000000000800", + "ParentProcessId": 15816, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "cmd.exe", + "ParentUser": "swachchhanda\\xodih" + } + } +} 
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_schtasks_delete/info.yml b/regression_data/rules/windows/process_creation/proc_creation_win_schtasks_delete/info.yml
new file mode 100644
index 000000000..a26c8b222
--- /dev/null
+++ b/regression_data/rules/windows/process_creation/proc_creation_win_schtasks_delete/info.yml
@@ -0,0 +1,13 @@
+id: 26749dc2-d5d4-4e6e-917a-b21be70dde32
+description: N/A
+date: 2026-03-11
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+ - id: dbc1f800-0fe0-4bc0-9c66-292c2abe3f78
+ title: Delete Important Scheduled Task
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/rules/windows/process_creation/proc_creation_win_schtasks_delete/dbc1f800-0fe0-4bc0-9c66-292c2abe3f78.evtx
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_schtasks_disable/9ac94dc8-9042-493c-ba45-3b5e7c86b980.evtx b/regression_data/rules/windows/process_creation/proc_creation_win_schtasks_disable/9ac94dc8-9042-493c-ba45-3b5e7c86b980.evtx
new file mode 100644
index 000000000..ccc4fcd19
Binary files /dev/null and b/regression_data/rules/windows/process_creation/proc_creation_win_schtasks_disable/9ac94dc8-9042-493c-ba45-3b5e7c86b980.evtx differ
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_schtasks_disable/9ac94dc8-9042-493c-ba45-3b5e7c86b980.json b/regression_data/rules/windows/process_creation/proc_creation_win_schtasks_disable/9ac94dc8-9042-493c-ba45-3b5e7c86b980.json
new file mode 100644
index 000000000..a223a56fb
--- /dev/null
+++ b/regression_data/rules/windows/process_creation/proc_creation_win_schtasks_disable/9ac94dc8-9042-493c-ba45-3b5e7c86b980.json
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2026-03-11T06:15:38.256405Z" + } + }, + "EventRecordID": 35626, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3208, + "ThreadID": 1724 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "swachchhanda", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2026-03-11 06:15:38.244", + "ProcessGuid": "0197231E-088A-69B1-E71A-000000000800", + "ProcessId": 15968, + "Image": "C:\\Windows\\System32\\schtasks.exe", + "FileVersion": "10.0.26100.1 (WinBuild.160101.0800)", + "Description": "Task Scheduler Configuration Tool", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "schtasks.exe", + "CommandLine": "schtasks.exe /Change /TN \"\\Microsoft\\Windows\\SystemRestore\\SR\" /disable", + "CurrentDirectory": "C:\\Users\\xodih\\Downloads\\Sysmon\\", + "User": "swachchhanda\\xodih", + "LogonGuid": "0197231E-AB9F-67AA-4C14-030000000000", + "LogonId": "0x3144c", + "TerminalSessionId": 1, + "IntegrityLevel": "High", + "Hashes": "MD5=F6A8EAD7A0201CD4B70BC27880EF5D90,SHA256=50D05E4D9CACE1FE8620CE95DDEA9978B26987787A0FFBCFEF4C25381DB9BB79,IMPHASH=15B98131447F3FE7853021D3B8BDBE26", + "ParentProcessGuid": "0197231E-5098-69AE-5814-000000000800", + "ParentProcessId": 15816, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "cmd.exe", + "ParentUser": "swachchhanda\\xodih" + } + } +} 
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_schtasks_disable/info.yml b/regression_data/rules/windows/process_creation/proc_creation_win_schtasks_disable/info.yml
new file mode 100644
index 000000000..4bd57eaf7
--- /dev/null
+++ b/regression_data/rules/windows/process_creation/proc_creation_win_schtasks_disable/info.yml
@@ -0,0 +1,13 @@
+id: 081cb657-2a63-4c7f-8c93-3610f7555370
+description: N/A
+date: 2026-03-11
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+ - id: 9ac94dc8-9042-493c-ba45-3b5e7c86b980
+ title: Disable Important Scheduled Task
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/rules/windows/process_creation/proc_creation_win_schtasks_disable/9ac94dc8-9042-493c-ba45-3b5e7c86b980.evtx
diff --git a/regression_data/rules/windows/registry/registry_set/registry_set_disable_system_restore/5de03871-5d46-4539-a82d-3aa992a69a83.evtx b/regression_data/rules/windows/registry/registry_set/registry_set_disable_system_restore/5de03871-5d46-4539-a82d-3aa992a69a83.evtx
new file mode 100644
index 000000000..0b3a43daf
Binary files /dev/null and b/regression_data/rules/windows/registry/registry_set/registry_set_disable_system_restore/5de03871-5d46-4539-a82d-3aa992a69a83.evtx differ
diff --git a/regression_data/rules/windows/registry/registry_set/registry_set_disable_system_restore/5de03871-5d46-4539-a82d-3aa992a69a83.json b/regression_data/rules/windows/registry/registry_set/registry_set_disable_system_restore/5de03871-5d46-4539-a82d-3aa992a69a83.json
new file mode 100644
index 000000000..428bd6b1e
--- /dev/null
+++ b/regression_data/rules/windows/registry/registry_set/registry_set_disable_system_restore/5de03871-5d46-4539-a82d-3aa992a69a83.json
@@ -0,0 +1,208 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 13, + "Version": 2, + "Level": 4, + "Task": 13, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2026-03-11T05:55:53.550235Z" + } + }, + "EventRecordID": 35579, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3208, + "ThreadID": 1724 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "swachchhanda", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "EventType": "SetValue", + "UtcTime": "2026-03-11 05:55:53.547", + "ProcessGuid": "0197231E-03E9-69B1-BA1A-000000000800", + "ProcessId": 9860, + "Image": "C:\\WINDOWS\\system32\\reg.exe", + "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore\\DisableConfig", + "Details": "DWORD (0x00000001)", + "User": "swachchhanda\\xodih" + } + } +} +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 13, + "Version": 2, + "Level": 4, + "Task": 13, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2026-03-11T05:55:53.593526Z" + } + }, + "EventRecordID": 35581, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3208, + "ThreadID": 1724 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "swachchhanda", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "EventType": "SetValue", + "UtcTime": "2026-03-11 
05:55:53.581", + "ProcessGuid": "0197231E-03E9-69B1-BB1A-000000000800", + "ProcessId": 6164, + "Image": "C:\\WINDOWS\\system32\\reg.exe", + "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore\\DisableSR", + "Details": "DWORD (0x00000001)", + "User": "swachchhanda\\xodih" + } + } +} +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 13, + "Version": 2, + "Level": 4, + "Task": 13, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2026-03-11T05:55:53.648759Z" + } + }, + "EventRecordID": 35583, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3208, + "ThreadID": 1724 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "swachchhanda", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "EventType": "SetValue", + "UtcTime": "2026-03-11 05:55:53.645", + "ProcessGuid": "0197231E-03E9-69B1-BC1A-000000000800", + "ProcessId": 8776, + "Image": "C:\\WINDOWS\\system32\\reg.exe", + "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore\\DisableConfig", + "Details": "DWORD (0x00000001)", + "User": "swachchhanda\\xodih" + } + } +} +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 13, + "Version": 2, + "Level": 4, + "Task": 13, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2026-03-11T05:55:54.364135Z" + } + }, + "EventRecordID": 35585, + "Correlation": null, + "Execution": { + 
"#attributes": { + "ProcessID": 3208, + "ThreadID": 1724 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "swachchhanda", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "EventType": "SetValue", + "UtcTime": "2026-03-11 05:55:54.362", + "ProcessGuid": "0197231E-03EA-69B1-BD1A-000000000800", + "ProcessId": 9004, + "Image": "C:\\WINDOWS\\system32\\reg.exe", + "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore\\DisableSR", + "Details": "DWORD (0x00000001)", + "User": "swachchhanda\\xodih" + } + } +}
diff --git a/regression_data/rules/windows/registry/registry_set/registry_set_disable_system_restore/info.yml b/regression_data/rules/windows/registry/registry_set/registry_set_disable_system_restore/info.yml
new file mode 100644
index 000000000..86feb5f6c
--- /dev/null
+++ b/regression_data/rules/windows/registry/registry_set/registry_set_disable_system_restore/info.yml
@@ -0,0 +1,13 @@
+id: 70b0db86-1b38-48dd-8ddb-29357e0c0149
+description: N/A
+date: 2026-03-11
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+ - id: 5de03871-5d46-4539-a82d-3aa992a69a83
+ title: Registry Disable System Restore
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 4
+ path: regression_data/rules/windows/registry/registry_set/registry_set_disable_system_restore/5de03871-5d46-4539-a82d-3aa992a69a83.evtx
diff --git a/rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable.yml b/rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable.yml
index 852c3c356..f4cbd969e 100644
--- a/rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable.yml
+++ b/rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable.yml
@@ -38,11 +38,17 @@ detection:
 - '\Windows\WindowsUpdate\'
 - '\Windows\UpdateOrchestrator\Schedule'
 - '\Windows\ExploitGuard'
- filter_sys_username:
+ filter_main_defender_update:
 EventID: 4699
 SubjectUserName|endswith: '$' # False positives during upgrades of Defender, where its tasks get removed and added
 TaskName|contains: '\Windows\Windows Defender\'
- condition: selection and not 1 of filter_*
+ condition: selection and not 1 of filter_main_*
 falsepositives:
 - Unknown
 level: high
+regression_tests_path: regression_data/rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable/info.yml
+simulation:
+ - type: atomic-red-team
+ name: Windows - Disable the SR scheduled task
+ technique: T1490
+ atomic_guid: 1c68c68d-83a4-4981-974e-8993055fa034
diff --git a/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete.yml b/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete_or_disable.yml
similarity index 61%
rename from rules/windows/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete.yml
rename to rules/windows/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete_or_disable.yml
index 013f25157..3741012fb 100644
--- a/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete.yml
+++ b/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete_or_disable.yml
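Review bot: The new regression fixture exercises only the 4701 (task disabled) branch of this rule, so the `filter_main_defender_update` exclusion, which is keyed to `EventID: 4699`, is never touched by the test; a later regression in it (say, a broadened `SubjectUserName` match) would still pass `match_count: 1` unnoticed. A second sample with a 4699 from a non-machine account deleting a `\Windows\Windows Defender\` task would pin the filter's intended negative space. As a point of style, the `# False positives during upgrades of Defender…` comment explains the whole filter but hangs off the `SubjectUserName|endswith: '$'` line; placing it on the `filter_main_defender_update:` line makes the intent visible at a glance. The selection block and the rule's tags begin above this hunk.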
@@ -1,18 +1,20 @@ -title: Important Scheduled Task Deleted +title: Important Scheduled Task Deleted or Disabled id: 9e3cb244-bdb8-4632-8c90-6079c8f4f16d related: - id: dbc1f800-0fe0-4bc0-9c66-292c2abe3f78 # ProcCreation schtasks delete type: similar - id: 7595ba94-cf3b-4471-aa03-4f6baa9e5fad # Security-Audting Eventlog type: similar + - id: 9ac94dc8-9042-493c-ba45-3b5e7c86b980 # ProcCreation schtasks disable + type: similar status: test description: | - Detects when adversaries try to stop system services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities + Detects when adversaries try to stop system services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities references: - https://www.socinvestigation.com/most-common-windows-event-ids-to-hunt-mind-map/ author: frack113 date: 2023-01-13 -modified: 2023-02-07 +modified: 2026-03-11 tags: - attack.impact - attack.t1489 @@ -22,7 +24,9 @@ logsource: definition: 'Requirements: The "Microsoft-Windows-TaskScheduler/Operational" is disabled by default and needs to be enabled in order for this detection to trigger' detection: selection: - EventID: 141 + EventID: + - 141 # Task Deleted + - 142 # Task Disabled TaskName|contains: - '\Windows\SystemRestore\SR' - '\Windows\Windows Defender\' @@ -31,11 +35,17 @@ detection: - '\Windows\WindowsUpdate\' - '\Windows\UpdateOrchestrator\' - '\Windows\ExploitGuard' - filter: + filter_main_user: UserName|contains: - 'AUTHORI' - 'AUTORI' - condition: selection and not filter + condition: selection and not 1 of filter_main_* falsepositives: - Unknown level: high +regression_tests_path: regression_data/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete_or_disable/info.yml +simulation: + - type: atomic-red-team + name: Windows - Disable the SR scheduled task + technique: T1490 + atomic_guid: 1c68c68d-83a4-4981-974e-8993055fa034 
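Review bot: The first hunk keeps `tags` at `attack.impact` / `attack.t1489` while the new `simulation` entry and the atomic it references (`Windows - Disable the SR scheduled task`) are `technique: T1490`, so the rule is now validated against a technique it is not mapped to. Disabling `\Windows\SystemRestore\SR` is Inhibit System Recovery rather than Service Stop, so add `- attack.t1490` alongside the existing tag (or move the simulation to a T1489 atomic if the mapping is meant to stay as is). The description line in the same hunk would also read better as `…by deleting or disabling their respective scheduled tasks, typically in preparation for data-destructive activity`.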
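Review bot: `filter_main_user` in the last hunk matches `UserName|contains` on the fragments `AUTHORI` / `AUTORI`, which is a substring test rather than an account test: besides the intended `NT AUTHORITY\SYSTEM` and its localized forms it exempts any account whose name happens to contain that fragment, and it means a 142 (disable) of `\Windows\SystemRestore\SR` executed in SYSTEM context (service, scheduled task, `psexec -s`) never alerts, which is the usual ransomware path for exactly this task. The filter pre-dates this change but the new 142 coverage widens what it silently drops. If the exemption exists only to suppress servicing noise, say so next to it, e.g. `# Substring match covers localized SYSTEM names (NT-AUTORITÄT, AUTORITE NT); note this also hides SYSTEM-context disable/delete`, and consider restricting the exemption to the TaskName entries that servicing legitimately touches rather than the whole list (which ones, the regression data should show).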
diff --git a/rules/windows/process_creation/proc_creation_win_reg_system_restore_modification.yml b/rules/windows/process_creation/proc_creation_win_reg_system_restore_modification.yml new file mode 100644 index 000000000..6f66c5df4 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_reg_system_restore_modification.yml @@ -0,0 +1,51 @@ +title: System Restore Registry Modification via CommandLine +id: 7c06ab9b-b1d2-4ba9-b06e-09491ded20d9 +related: + - id: 5de03871-5d46-4539-a82d-3aa992a69a83 + type: similar +status: experimental +description: | + Detects system restore registry modification via command line, which can be used by adversaries to disable system restore on the computer. +references: + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-9---disable-system-restore-through-registry +author: Swachchhanda Shrawan Poudel (Nextron Systems) +date: 2026-03-11 +tags: + - attack.impact + - attack.t1490 +logsource: + category: process_creation + product: windows +detection: + selection_img: + - Image|endswith: + - '\powershell.exe' + - '\pwsh.exe' + - '\reg.exe' + - OriginalFileName: + - 'powershell.exe' + - 'pwsh.dll' + - 'reg.exe' + selection_cli_action: + CommandLine|contains: + - ' add ' + - 'Set-ItemProperty' + - 'New-ItemProperty' + selection_cli_reg_root: + CommandLine|contains: + - '\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore' + - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore' + selection_cli_reg_key: + CommandLine|contains: + - 'DisableConfig' + - 'DisableSR' + condition: all of selection_* +falsepositives: + - Unknown +level: high +regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_reg_system_restore_modification/info.yml +simulation: + - type: atomic-red-team + name: Disable System Restore Through Registry + technique: T1490 + atomic_guid: 66e647d1-8741-4e43-b7c1-334760c2047f 
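Review bot: The selections match on the key path and the value name (`DisableSR` / `DisableConfig`) but never on the data written, so `reg add … /v DisableSR /t REG_DWORD /d 0` and `Set-ItemProperty … -Value 0` (re-enabling System Restore) fire exactly like the atomic's `/d 1`, yet the description says the rule detects disabling and `falsepositives` is `Unknown`. Pinning the data on a command line is fragile (`/d 1`, `-Value 1`, `0x1`, variables), so rather than adding a selection, document the behaviour: change the description to `…system restore registry modification via command line (both disable and re-enable writes match; the value written is not inspected)…` and add `- Administrators re-enabling System Restore through the same keys` under `falsepositives`. Minor: `' add '` in `selection_cli_action` is padded with spaces, which is fine for `reg add` but the leading space is lost when `add` is the first token after a quoted path in scripts that invoke `reg.exe` via `cmd /c`; `'reg add'` with `' add '` as a second entry would be more robust if that form is worth covering.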
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_delete.yml b/rules/windows/process_creation/proc_creation_win_schtasks_delete.yml index a559cb449..799e0262c 100644 --- a/rules/windows/process_creation/proc_creation_win_schtasks_delete.yml +++ b/rules/windows/process_creation/proc_creation_win_schtasks_delete.yml @@ -11,6 +11,7 @@ references: - Internal Research author: Nasreddine Bencherchali (Nextron Systems) date: 2022-09-09 +modified: 2026-03-11 tags: - attack.impact - attack.t1489 @@ -18,11 +19,12 @@ logsource: category: process_creation product: windows detection: - selection: - Image|endswith: '\schtasks.exe' - CommandLine|contains|all: - - '/delete' - - '/tn' + selection_img: + - Image|endswith: '\schtasks.exe' + - OriginalFileName: 'schtasks.exe' + selection_cli_delete: + CommandLine|contains|windash: '/delete' + selection_cli_task: CommandLine|contains: # Add more important tasks - '\Windows\BitLocker' @@ -32,7 +34,8 @@ detection: - '\Windows\Windows Defender\' - '\Windows\WindowsBackup\' - '\Windows\WindowsUpdate\' - condition: selection + condition: all of selection_* falsepositives: - Unlikely level: high +regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_schtasks_delete/info.yml diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_disable.yml b/rules/windows/process_creation/proc_creation_win_schtasks_disable.yml index a3ce9380f..6cd17b509 100644 --- a/rules/windows/process_creation/proc_creation_win_schtasks_disable.yml +++ b/rules/windows/process_creation/proc_creation_win_schtasks_disable.yml 
@@ -3,6 +3,8 @@ id: 9ac94dc8-9042-493c-ba45-3b5e7c86b980 related: - id: 7595ba94-cf3b-4471-aa03-4f6baa9e5fad # Security-Audting Eventlog type: similar + - id: 9e3cb244-bdb8-4632-8c90-6079c8f4f16d # TaskScheduler EventLog + type: similar status: test description: Detects when adversaries stop services or processes by disabling their respective scheduled tasks in order to conduct data destructive activities references: @@ -11,7 +13,7 @@ references: - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/ author: frack113, Nasreddine Bencherchali (Nextron Systems), X__Junior date: 2021-12-26 -modified: 2024-08-25 +modified: 2026-03-11 tags: - attack.impact - attack.t1489 @@ -19,12 +21,12 @@ logsource: category: process_creation product: windows detection: - selection: - Image|endswith: '\schtasks.exe' - CommandLine|contains|all: - - '/Change' - - '/TN' - - '/disable' + selection_img: + - Image|endswith: '\schtasks.exe' + - OriginalFileName: 'schtasks.exe' + selection_cli_disable: + CommandLine|contains|windash: '/disable' + selection_cli_task: CommandLine|contains: # Add more important tasks - '\Windows\BitLocker' @@ -35,7 +37,13 @@ detection: - '\Windows\Windows Defender\' - '\Windows\WindowsBackup\' - '\Windows\WindowsUpdate\' - condition: selection + condition: all of selection_* falsepositives: - Unknown level: high +regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_schtasks_disable/info.yml +simulation: + - type: atomic-red-team + name: Windows - Disable the SR scheduled task + technique: T1490 + atomic_guid: 1c68c68d-83a4-4981-974e-8993055fa034 diff --git a/rules/windows/registry/registry_set/registry_set_disable_system_restore.yml b/rules/windows/registry/registry_set/registry_set_disable_system_restore.yml index a59931d4d..fec5b0fb3 100644 --- a/rules/windows/registry/registry_set/registry_set_disable_system_restore.yml 
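Review bot: The second hunk shows the rule's `tags` still at `attack.impact` / `attack.t1489`, while the `simulation` block added in the last hunk runs the T1490 atomic `Windows - Disable the SR scheduled task` (`1c68c68d-…`), so the regression test exercises a technique the rule is not mapped to. Disabling the `SystemRestore\SR` task is Inhibit System Recovery; add `- attack.t1490` next to the existing tag so the mapping matches the test, and do the same in the Security-audit sibling rule this `related` entry points to. The context comment `# Security-Audting Eventlog` is pre-existing history, but since the hunk touches the adjacent lines it is a cheap moment to correct it to `# Security-Auditing Eventlog`.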
+++ b/rules/windows/registry/registry_set/registry_set_disable_system_restore.yml @@ -1,5 +1,8 @@ title: Registry Disable System Restore id: 5de03871-5d46-4539-a82d-3aa992a69a83 +related: + - id: 7c06ab9b-b1d2-4ba9-b06e-09491ded20d9 + type: similar status: test description: Detects the modification of the registry to disable a system restore on the computer references: @@ -26,3 +29,9 @@ detection: falsepositives: - Unknown level: high +regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_disable_system_restore/info.yml +simulation: + - type: atomic-red-team + name: Disable System Restore Through Registry + technique: T1490 + atomic_guid: 66e647d1-8741-4e43-b7c1-334760c2047f