Extended the Slingshot APT rule
Florian Roth committed Mar 10, 2018
1 parent 66d52cf commit 74c2f91
Showing 1 changed file with 21 additions and 4 deletions.
25 changes: 21 additions & 4 deletions rules/apt/apt_slingshot.yml
@@ -1,3 +1,5 @@
---
action: global
title: Defrag Deactivation title: Defrag Deactivation
description: Detects the deactivation of the Scheduled defragmentation task as seen by Slingshot APT group description: Detects the deactivation of the Scheduled defragmentation task as seen by Slingshot APT group
references: references:
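Review bot: with `action: global` the first YAML document becomes a template merged into every document that follows, so nothing event-specific may remain in it; that holds here because the old `selection` is moved out in the next hunk, but note that `condition: selection` (unchanged, further down) is also inherited, which only works because each later document defines its own `selection`. If a further document is ever added without one, the inherited condition will reference a missing selection, so it is worth a comment on the global block stating that every appended document must define `selection`.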
Expand All @@ -9,10 +11,25 @@ logsource:
service: security service: security
description: 'Requirements: Audit Policy : Audit Other Object Access Events > Success' description: 'Requirements: Audit Policy : Audit Other Object Access Events > Success'
detection: detection:
selection:
EventID: 4701
TaskName: '\Microsoft\Windows\Defrag\ScheduledDefrag'
condition: selection condition: selection
falsepositives: falsepositives:
- Unknown - Unknown
level: medium level: medium
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
CommandLine:
- '*schtasks* /delete *Defrag\ScheduledDefrag*'
---
logsource:
product: windows
service: security
description: 'Requirements: Audit Policy : Audit Other Object Access Events > Success'
detection:
selection:
EventID: 4701
TaskName: '\Microsoft\Windows\Defrag\ScheduledDefrag'
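Review bot: the two new documents do not cover the same action. The Security document fires on EventID 4701 ("A scheduled task was disabled"), while the Sysmon document only matches `*schtasks* /delete *Defrag\ScheduledDefrag*`, i.e. deletion of the task, so a disable via `schtasks /change /tn \Microsoft\Windows\Defrag\ScheduledDefrag /disable` is caught only on hosts that have the "Audit Other Object Access Events" policy enabled, and a deletion is caught only on hosts with Sysmon. Consider adding a second value to `CommandLine` such as `'*schtasks* /change *Defrag\ScheduledDefrag* /disable*'`, and `4699` ("A scheduled task was deleted") as a second `EventID` in the Security document, so both sources detect both the "deactivation" the title names and the deletion the command-line pattern names. Minor: `falsepositives: - Unknown` could be sharpened to administrators disabling scheduled defragmentation on SSD-only systems, which is the obvious benign cause of either event.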
