Find sigma rule

Attack: Masquerading: Masquerade Task or Service

Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or benign. Tasks/services executed by the Task Scheduler or systemd will typically be given a name and/or description.(Citation: TechNet Schtasks)(Citation: Systemd Service Units) Windows services will have a service name as well as a display name. Many benign tasks and services exist that have commonly associated names. Adversaries may give tasks or services names that are similar or identical to those of legitimate ones.

Tasks or services contain other fields, such as a description, that adversaries may attempt to make appear legitimate.(Citation: Palo Alto Shamoon Nov 2016)(Citation: Fysbis Dr Web Analysis)

MITRE

Tactic

defense-evasion

technique

T1036.004

Test : Creating W32Time similar named service using schtasks

OS

windows

Description:

Creating W32Time similar named service (win32times) using schtasks just like threat actor dubbed “Operation Wocao”

Executor

command_prompt

Sigma Rule

proc_creation_win_apt_wocao.yml (id: 1cfac73c-be78-4f9a-9b08-5bde0c3953ab)
proc_creation_win_schtasks_creation.yml (id: 92626ddd-662c-49e3-ac59-f6535f12d189)

back

sigma_redcanaryco

Knowing which rule should trigger according to the redcannary test