-
Notifications
You must be signed in to change notification settings - Fork 108
/
persistence_scheduled_task_creation_by_an_unusual_process.toml
143 lines (129 loc) · 8.18 KB
/
persistence_scheduled_task_creation_by_an_unusual_process.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
[rule]
description = """
Identifies the creation of a scheduled task by an unusual process such as script interpreters or recently dropped
unsigned executables. This behavior is consistent with an adversary attempting to establish persistence.
"""
id = "cb5fdbe3-84fa-4277-a967-1ffc0e8d3d25"
license = "Elastic License v2"
name = "Scheduled Task Creation by an Unusual Process"
os_list = ["windows"]
reference = ["https://docs.microsoft.com/en-us/windows/win32/taskschd/daily-trigger-example--xml-"]
version = "1.0.29"
query = '''
sequence with maxspan=5m
[process where event.action == "start" and
(
/* common initial access processes */
process.name : ("wscript.exe", "cscript.exe", "regsvr32.exe", "mshta.exe", "rundll32.exe", "vbc.exe",
"msbuild.exe", "wmic.exe", "cmstp.exe", "RegAsm.exe", "installutil.exe","RegSvcs.exe",
"msxsl.exe", "xwizard.exe", "csc.exe", "winword.exe", "excel.exe", "powerpnt.exe",
"powershell.exe") or
/* unsigned or untrusted codesign */
((process.code_signature.trusted == false or process.code_signature.exists == false) and
(process.Ext.relative_file_creation_time <= 300 or process.Ext.relative_file_name_modify_time <= 300) and
not process.code_signature.status : ("errorTimeStamp", "errorCode_endpoint*", "errorExpired", "errorChaining")) or
/* common abused paths */
(process.executable :
("?:\\Users\\Public\\*",
"?:\\Users\\*\\AppData\\Roaming\\*",
"?:\\ProgramData\\*",
"?:\\Windows\\Microsoft.NET\\*",
"?:\\Users\\*\\AppData\\Local\\Temp\\Temp?_*",
"?:\\Users\\*\\AppData\\Local\\Temp\\7z*",
"?:\\Users\\*\\AppData\\Local\\Temp\\Rar*",
"?:\\Users\\*\\AppData\\Local\\Temp\\BNZ.*",
"\\Device\\CdRom*") and not process.code_signature.trusted == true) or
/* execution from a mounted device */
(process.Ext.device.product_id : ("Virtual DVD-ROM", "Virtual Disk") and not process.executable : "C:\\*")
) and
/* known FPs */
not (process.name : "rundll32.exe" and process.command_line : "*zzzzInvokeManagedCustomActionOutOfProc*" and process.parent.name : "msiexec.exe") and
not (process.name : ("rundll32.exe", "regsvr32.exe") and process.args : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*")) and
not (process.code_signature.trusted == true and process.executable : ("?:\\Users\\*\\AppData\\Roaming\\*", "?:\\ProgramData\\*")) and
not (process.name : "rundll32.exe" and process.args : "tsworkspace,TaskUpdateWorkspaces") and
not (process.executable : "\\Device\\Mup\\*\\OneDriveSetup.exe" and process.args : "/ALLUSERS") and
not (process.name : "rundll32.exe" and
process.command_line : ("*PWMTR32V.dll,InitializeSettingsDuringInstallation*", "*RunDll_EnableBits*")) and
not (process.name : "powershell.exe" and
process.command_line :
("*:\\Program Files\\*", "*:\\Program Files (X86)\\*",
"*Packages\\Plugins\\Microsoft.AdminCenter.AdminCenter*",
"*:\\WINDOWS\\ccmcache\\*",
"*EEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBGADgAQQBjAHcA*",
"*UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAA*",
"*-EncodedCommand*")) and
not (process.name : "powershell.exe" and
process.parent.executable : ("?:\\Program Files (x86)\\Microsoft Intune Management Extension\\AgentExecutor.exe",
"?:\\Program Files (x86)\\Spiceworks Agent Shell\\AgentShellService.exe",
"?:\\Program Files (x86)\\ITSPlatform\\plugin\\scripting\\platform-scripting-plugin.exe",
"?:\\Program Files (x86)\\Microsoft Intune Management Extension\\Microsoft.Management.Services.IntuneWindowsAgent.exe",
"?:\\Program Files (x86)\\Lenovo\\VantageService\\*\\Lenovo.Vantage.AddinInstaller.exe",
"?:\\ProgramData\\Lenovo\\LenovoNow\\Downloads\\LenovoNow.Updater.exe",
"?:\\ProgramData\\Lenovo\\ImController\\Plugins\\LenovoFirstRunExperiencePackage\\x86\\LenovoWelcomeTask.exe",
"?:\\Program Files (x86)\\Microsoft Intune Management Extension\\agentexecutor.exe",
"C:\\Banyan\\Canopy\\Leaf\\leaf_desktop_app.exe",
"?:\\Program Files (x86)\\Microsoft Intune Management Extension\\Microsoft.Management.Services.IntuneWindowsAgent.exe")) and
not (process.name : "powershell.exe" and user.id : "S-1-5-18") and
not (process.parent.name : "rundll32.exe" and process.parent.command_line : "*zzzzInvokeManagedCustomActionOutOfProc*") and
not (process.name : "rundll32.exe" and process.command_line : ("*zzzzInvokeManagedCustomActionOutOfProc*", "*tsworkspace,WorkspaceSilentSetup*")) and
not process.executable :
("?:\\Program Files (x86)\\*.exe",
"?:\\Program Files\\*.exe",
"?:\\Windows\\SysWOW64\\OneDriveSetup.exe",
"?:\\Windows\\System32\\MRT.exe",
"?:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe") and
/* DOCs opened from network file share trigger an office default scheduled task */
not (process.name : ("winword.exe", "excel.exe", "powerpnt.exe") and not process.working_directory : "C:\\*") and
not process.hash.sha256 :
("3d95157908cee58d19193c93c5f2b0a06910b8123a4211b0ea059ff66f2506e0",
"79dbc3cf0d4cdc0f2150ab5e2bf3457ba54297202500f26f1a1d48e455f7c54a",
"62d96982e2c2d58682471af9a9d0727ba49199d48b7766c318886e8e7e23670a",
"ef330f95416162866f5d8b9cd509066ab4168cfcc66e305006be1952905d47e6",
"cf635f97d0a3bea30f348277777f36db6b14aea0e7711471e5fb2e13167b80cd",
"3c1169568774b7ce8a96e137983b059f030eb3983c369cfb12ea2c59cf3f56ad",
"edaf602006b53dc936a35d0f9e6de51c552c0203ebe814cb68b1d5cbc81f4b49",
"82c97648fa358c31fb47e44762938738ad3080880b84b69d9c303d708ab160c2",
"4aff93803f1915f3a10f19a1d1e065483c4d11221e3c2792b3de1807c7bf1d9a",
"f9e86b3a6275429f5dbecccc2020e498032a96fc02dd8bdb2a1cc5b5bf2b473b") and
not (process.name : "powershell.exe" and process.args : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*"))
] by process.entity_id
[file where event.action : "creation" and process.name : "svchost.exe" and
file.path : ("?:\\Windows\\Tasks\\*", "?:\\Windows\\System32\\Tasks\\*") and
/* excluding via Powershell cmdline is also vulnerable to evasion */
not (Effective_process.name : "powershell.exe" and
file.path :
("?:\\WINDOWS\\System32\\Tasks\\PSWindowsUpdate",
"?:\\Windows\\System32\\Tasks\\npcapwatchdog",
"?:\\Windows\\System32\\Tasks\\ChocoUpgrade",
"?:\\Windows\\System32\\Tasks\\ansible-ansible.windows.win_updates",
"?:\\Windows\\System32\\Tasks\\Microsoft\\Windows\\PowerShell\\ScheduledJobs\\ansible-win-updates")) and
not (file.name : "Microsoft Office 1? Sync Maintenance for *" and file.size >= 5200 and file.size <= 5300 and
Effective_process.name : ("winword.exe", "excel.exe", "powerpnt.exe")) and
not (file.name : "OneDrive Standalone Update Task-S-1-5-21-*" and Effective_process.executable : "\\Device\\Mup\\*")
] by Effective_process.entity_id
'''
min_endpoint_version = "8.4.0"
[[actions]]
action = "kill_process"
field = "process.entity_id"
state = 0
[[optional_actions]]
action = "rollback"
field = "process.entity_id"
state = 0
[[threat]]
framework = "MITRE ATT&CK"
[[threat.technique]]
id = "T1053"
name = "Scheduled Task/Job"
reference = "https://attack.mitre.org/techniques/T1053/"
[[threat.technique.subtechnique]]
id = "T1053.005"
name = "Scheduled Task"
reference = "https://attack.mitre.org/techniques/T1053/005/"
[threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[internal]
min_endpoint_version = "8.4.0"