From 20125d87c2743307829476613f2542ab5f4e7cf2 Mon Sep 17 00:00:00 2001
From: Paul Hager <28906717+pH-T@users.noreply.github.com>
Date: Tue, 15 Mar 2022 16:36:57 +0100
Subject: [PATCH 1/3] new rule from thedfirreport.com

---
.../proc_creation_win_schtasks_reg_loader.yml | 35 +++++++++++++++++++
1 file changed, 35 insertions(+)
create mode 100644 rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml

diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml b/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml
new file mode 100644
index 000000000..ee4436ead
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml
@@ -0,0 +1,35 @@
+title: Scheduled Task Executing Powershell Encoded Payload from Registry
+id: c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78
+status: experimental
+description: Detects the creation of a schtask that executes a base64 encoded payload stored in the Windows Registry using PowerShell.
+author: '@Kostastsale, @TheDFIRReport, slightly modified by pH-T'
+references:
+ - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
+date: 2022/02/12
+modified: 2022/03/15
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection1:
+ Image|endswith: '\schtasks.exe'
+ CommandLine|contains|all:
+ - '/Create'
+ - '/SC'
+ - 'FromBase64String'
+ - 'Get-ItemProperty'
+ selection2:
+ CommandLine|contains:
+ - 'HKCU:'
+ - 'HKLM:'
+ - 'registry::'
+ - 'HKEY_'
+ condition: selection1 and selection2
+falsepositives:
+ - Unknown
+level: high
+tags:
+ - attack.execution
+ - attack.persistence
+ - attack.t1053.005
+ - attack.t1059.001
\ No newline at end of file

From 3b09f1c9da41188c68ca6c684d425abc1326423e Mon Sep 17 00:00:00 2001
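Review bot: The rule's scope is narrower than the description states, because selection1's `CommandLine|contains|all` only matches when `FromBase64String` and `Get-ItemProperty` appear in clear text on the schtasks.exe command line, so a task whose action carries the same registry-loader logic in a non-literal or obfuscated form is not covered. I would make that explicit in the description, e.g. `Only matches when the PowerShell cmdlet names and the registry hive reference are present in plain text in the schtasks command line.` `falsepositives: - Unknown` combined with `level: high` is also worth a second look: if the authors considered a benign case (administrative scripts that read a registry value from a scheduled task), naming it here helps triage; if none is known, the entry can stay but the level then rests entirely on the reference report.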
From: Paul Hager <28906717+pH-T@users.noreply.github.com>
Date: Tue, 15 Mar 2022 16:38:27 +0100
Subject: [PATCH 2/3] new rule from thedfirreport.com

---
.../process_creation/proc_creation_win_schtasks_reg_loader.yml | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml b/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml
index ee4436ead..5ee6cc5b6 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml
@@ -32,4 +32,5 @@ tags: - attack.execution - attack.persistence - attack.t1053.005
- - attack.t1059.001
\ No newline at end of file
+ - attack.t1059.001
+ 
\ No newline at end of file

From 87600161bfcf4ece8b117774a2d5b401d37b91eb Mon Sep 17 00:00:00 2001
From: Paul Hager <28906717+pH-T@users.noreply.github.com>
Date: Tue, 15 Mar 2022 16:39:12 +0100
Subject: [PATCH 3/3] new rule from thedfirreport.com

---
.../process_creation/proc_creation_win_schtasks_reg_loader.yml | 1 -
1 file changed, 1 deletion(-)

diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml b/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml
index 5ee6cc5b6..137c87fb9 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml
@@ -33,4 +33,3 @@ tags: - attack.persistence - attack.t1053.005 - attack.t1059.001
- 
\ No newline at end of file