Nasreddine Bencherchali
598d29f811
chore: change tags, date, modified fields to comply with v2 of the Sigma spec. chore: update the related type from `obsoletes` to `obsolete`. chore: update local json schema to the latest version.
31 lines
956 B
YAML
31 lines
956 B
YAML
title: Use of W32tm as Timer
|
|
id: 6da2c9f5-7c53-401b-aacb-92c040ce1215
|
|
status: test
|
|
description: When configured with suitable command line arguments, w32tm can act as a delay mechanism
|
|
references:
|
|
- https://github.com/redcanaryco/atomic-red-team/blob/d0dad62dbcae9c60c519368e82c196a3db577055/atomics/T1124/T1124.md
|
|
- https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains
|
|
author: frack113
|
|
date: 2022-09-25
|
|
tags:
|
|
- attack.discovery
|
|
- attack.t1124
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
detection:
|
|
selection_w32tm:
|
|
- Image|endswith: '\w32tm.exe'
|
|
- OriginalFileName: 'w32time.dll'
|
|
selection_cmd:
|
|
CommandLine|contains|all:
|
|
- '/stripchart'
|
|
- '/computer:'
|
|
- '/period:'
|
|
- '/dataonly'
|
|
- '/samples:'
|
|
condition: all of selection_*
|
|
falsepositives:
|
|
- Legitimate use
|
|
level: high
|