security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Rule Tuning] Suspicious Execution via Scheduled Task (#4599)

Browse Source
This commit is contained in:
Jonhnathan
2025-04-07 14:29:08 -03:00
committed by GitHub
parent 3966981dae
commit a5d9d6400a
1 changed files with 12 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/persistence_suspicious_scheduled_task_runtime.toml
+12 -5
View File
@@ -2,7 +2,7 @@
creation_date = "2020/11/19"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2025/04/07"
[rule]
author = ["Elastic"]
@@ -101,10 +101,17 @@ process where host.os.type == "windows" and event.type == "start" and
"C:\\Windows\\Debug\\*",
"C:\\HP\\*") and
not (process.name : "cmd.exe" and process.args : "?:\\*.bat" and process.working_directory : "?:\\Windows\\System32\\") and
not (process.name : "cscript.exe" and process.args : "?:\\Windows\\system32\\calluxxprovider.vbs") and
not (process.name : "powershell.exe" and process.args : ("-File", "-PSConsoleFile") and user.id : "S-1-5-18") and
not (process.name : "msiexec.exe" and user.id : "S-1-5-18")
not (process.name : "cmd.exe" and process.args : "?:\\*.bat" and process.working_directory : "?:\\Windows\\System32\\") and
not (process.name : "cscript.exe" and process.args : "?:\\Windows\\system32\\calluxxprovider.vbs") and
not (
process.name : "powershell.exe" and
process.args : (
"-File", "-PSConsoleFile",
"C:\\ProgramData\\Microsoft\\AutopatchSetupScheduled\\SetupAutopatchClientV2Package.ps1",
"C:\\ProgramData\\Microsoft\\AutopatchSetupScheduled\\SetupAutopatchClientPackage.ps1"
) and user.id : "S-1-5-18"
) and
not (process.name : "msiexec.exe" and user.id : "S-1-5-18")
'''