
Summary
This detection rule identifies potentially malicious use of the Windows Task Scheduler (schtasks.exe) in which a scheduled task is created to execute a base64-encoded payload. It matches process-creation events where the task-creation command line references PowerShell commands that read registry keys to retrieve the encoded data. Such commands indicate attempts to run unauthorized scripts or binaries that have been encoded to obfuscate their true nature from detection mechanisms. The alert triggers only when all of the rule's selection criteria on the process-creation event match at once. The rule addresses a significant threat vector tied to attacker persistence mechanisms, specifically scheduled tasks that execute encoded commands stored in the registry.
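As an added illustration (not part of the rule or its documentation), the following Python sketch applies the selection logic described above to a few constructed process-creation events. The field names Image/CommandLine and the concrete indicator strings (/create, powershell, FromBase64String, Get-ItemProperty, HKCU:) are this example's assumptions about what the rule checks, not values taken from the rule itself.

```python
# Constructed process-creation events in a Sysmon-like shape (assumed field
# names Image / CommandLine); the registry path is a placeholder, not a real IoC.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc minute /mo 5 /tn Updater /tr "powershell -NoP -w hidden -c '
                    r'[Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\Software\PLACEHOLDER).blob)"'},
    # Benign task creation: no PowerShell, no decoding, no registry read.
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc daily /tn Backup /tr "C:\Tools\backup.exe"'},
    # Task creation that reads the registry but never decodes base64.
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc onlogon /tn Cfg /tr "powershell -c Get-ItemProperty HKCU:\Software\PLACEHOLDER"'},
    # Same suspicious tokens, but not a schtasks.exe process: outside this rule's scope.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -c [Convert]::FromBase64String((Get-ItemProperty HKCU:\Software\PLACEHOLDER).blob)'},
]

# Sigma-style "contains"/"endswith" matching is case-insensitive, so every
# comparison below works on lower-cased strings. These selector values are
# assumptions for the example; the rule's real selectors live in the rule file.
IMAGE_SUFFIX = r"\schtasks.exe"
CREATE_TOKEN = "/create"
POWERSHELL_ANY = ("powershell", "pwsh")
BASE64_DECODE_ANY = ("frombase64string",)
REGISTRY_READ_ANY = ("get-itemproperty", "get-itempropertyvalue", "hkcu:", "hklm:")


def matches_rule(event: dict) -> bool:
    """True only when every selection criterion aligns on one event:
    schtasks.exe creating a task whose action references PowerShell,
    a base64 decode, and a registry read."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    return (
        image.endswith(IMAGE_SUFFIX)
        and CREATE_TOKEN in cmd
        and any(tok in cmd for tok in POWERSHELL_ANY)
        and any(tok in cmd for tok in BASE64_DECODE_ANY)
        and any(tok in cmd for tok in REGISTRY_READ_ANY)
    )


def run_rule(events: list) -> list:
    """Return the indices of the events that would raise this alert."""
    return [i for i, ev in enumerate(events) if matches_rule(ev)]


if __name__ == "__main__":
    print("alerting events:", run_rule(SAMPLE_EVENTS))  # → [0]
```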
Categories
- Windows
- Endpoint
Data Sources
- Scheduled Job
- Process
Created: 2022-02-12