[New Rule] Scheduled Jobs AT Protocol Enabled (#609)

* [New Rule] Scheduled Jobs AT Protocol Enabled

* fixed typo

* Update rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* eql syntax

* Update rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* ecs_version

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Samirbous
2020-12-08 16:52:17 +01:00
committed by GitHub
parent 637d06f6c9
commit e707b53a03
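--- /dev/null
+++ b/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
@@ -0,0 +1,43 @@
+[metadata]
+creation_date = "2020/11/23"
+maturity = "production"
+updated_date = "2020/11/23"
+[rule]
+author = ["Elastic"]
+description = """
+Identifies attempts to enable the Windows scheduled tasks AT command via the registry. Attackers may use this method to move laterally or
+persist locally. The AT command has been deprecated since Windows 8 and Windows Server 2012, but still exists for backwards compatibility.
+"""
+from = "now-9m"
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License"
+name = "Scheduled Tasks AT Command Enabled"
+references = [
+"https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob",
+]
+risk_score = 47
+rule_id = "9aa0e1f6-52ce-42e1-abb3-09657cee2698"
+severity = "medium"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+type = "eql"
+query = '''
+registry where
+registry.path : "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Configuration\\EnableAt" and registry.data.strings == "1"
+'''
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1089"
+name = "Disabling Security Tools"
+reference = "https://attack.mitre.org/techniques/T1089/"
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"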
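Review bot: The ATT&CK mapping in the `[[rule.threat]]` block does not match what the rule detects: the description says enabling the AT command is used to move laterally or persist, yet the technique is T1089 "Disabling Security Tools" under Defense Evasion, and T1089 has been deprecated in ATT&CK (folded into T1562.001, Impair Defenses). The closer mapping is the scheduled-job sub-technique, `id = "T1053.002"` with its reference `"https://attack.mitre.org/techniques/T1053/002/"`, under the Persistence tactic `id = "TA0003"` / `name = "Persistence"`, taking the technique name string from the current ATT&CK entry; the `tags` array and the `defense_evasion_` file-name prefix should then follow the same tactic. Separately, the hunk header reports 43 added lines while 37 are shown, which presumably reflects blank lines dropped by the rendering rather than missing content, but is worth confirming against the actual file. A short `# EnableAt is a REG_DWORD; the endpoint integration surfaces it in registry.data.strings as "1"` comment above `query` would also save the next reader from wondering why a numeric value is compared as a string.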