
Summary
This detection rule identifies potential evasion techniques used by adversaries who take advantage of the globally writable Tasks folders in Windows (located under System32 and SysWOW64). Attackers can abuse these paths to execute arbitrary scripts or load custom assemblies through common Windows script hosts (e.g., cscript, wscript, regsvr32, mshta, eventvwr) by crafting specific command lines. The rule looks for command-line execution patterns that include suspicious commands such as 'echo' and 'copy', and variations that suggest the creation or manipulation of files, particularly within the Tasks directory. An alert is raised when a command line matches the specified criteria, indicating with high confidence that the activity relates to the evasion tactics described in the ATT&CK framework, specifically technique T1574.002.
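The following is an added example, not the rule's own definition, that approximates the command-line check described above in Python and runs it over a handful of constructed process-creation events. The verb list (`echo`, `copy`, `type`, `move`), the alert record layout and the `C:\Windows\Tasks` junction path are assumptions for illustration; the page only names `echo` and `copy` and the System32 and SysWOW64 Tasks folders.

```python
"""Added example: hypothetical approximation of the Tasks folder command-line
check, applied to constructed process-creation events. Not the rule's own logic."""

from typing import Dict, List

# File-creation / file-manipulation verbs: 'echo ' and 'copy ' come from the
# summary, 'type ' and 'move ' are assumed variants. Matching is
# case-insensitive, so these stay lowercase.
FILE_WRITE_VERBS = ("echo ", "copy ", "type ", "move ")

# Globally writable Tasks folders, as lowercase path fragments with
# surrounding backslashes so a bare "tasks" elsewhere in the command line
# does not match.
TASKS_DIRS = (
    "\\windows\\system32\\tasks\\",
    "\\windows\\syswow64\\tasks\\",
    "\\windows\\tasks\\",  # assumed: junction that resolves to System32\Tasks
)


def is_tasks_folder_evasion(command_line: str) -> bool:
    """Return True when a command line both writes/copies a file and
    references one of the Tasks folders (both conditions must hold)."""
    cl = command_line.lower()
    has_write_verb = any(verb in cl for verb in FILE_WRITE_VERBS)
    has_tasks_path = any(path in cl for path in TASKS_DIRS)
    return has_write_verb and has_tasks_path


def scan_events(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply the check to process-creation events and return alert records."""
    alerts = []
    for ev in events:
        cmdline = ev.get("CommandLine", "")
        if is_tasks_folder_evasion(cmdline):
            alerts.append({
                "rule": "Tasks Folder Evasion (approximation)",
                "technique": "T1574.002",
                "image": ev.get("Image", ""),
                "command_line": cmdline,
            })
    return alerts


# Constructed sample events (Sysmon-style Image / CommandLine fields).
SAMPLE_EVENTS = [
    # constructed: redirects echo output into the Tasks folder -> should alert
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c echo test > C:\\Windows\\System32\\Tasks\\update.js"},
    # constructed: copies a DLL into the Tasks junction path -> should alert
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c copy C:\\Users\\Public\\helper.dll C:\\Windows\\Tasks\\helper.dll"},
    # constructed: echo to a user folder -> no Tasks path, no alert
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c echo test > C:\\Users\\Public\\note.txt"},
    # constructed: legitimate scheduled-task query -> no write verb, no alert
    {"Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": "schtasks.exe /Query /TN \\Microsoft\\Windows\\Defrag\\ScheduledDefrag"},
]


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(f"[{alert['technique']}] {alert['image']}: {alert['command_line']}")
```

Because the check keys on the command line, a write performed through a file API, a scripting language's own file methods, or an obfuscated shell syntax will not match; pairing this with file-creation telemetry on the Tasks folders, and with process-creation events where a script host's argument resolves to a file under Tasks, closes part of that gap.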
Categories
- Endpoint
- Windows
Data Sources
- Process
Created: 2020-01-13