Phoenix
Sigma IntelligenceBeta
Back to Rules
Emerging Threathightest

Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor - Task Scheduler

Hunts for known SVR-specific scheduled task names

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
CISACreated Mon Dec 182bfc1373-0220-4fbd-8b10-33ddafd2a1422023
Emerging Threat
Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source
Windowstaskscheduler
ProductWindows← raw: windows
Servicetaskscheduler← raw: taskscheduler

Definition

Requirements: The "Microsoft-Windows-TaskScheduler/Operational" is disabled by default and needs to be enabled in order for this detection to trigger

Detection Logic
Detection Logic1 selector
detection:
    selection:
        EventID:
            - 129 # Task Created
            - 140 # Task Updated
            - 141 # Task Deleted
        TaskName:
            - '\defender'
            - '\Microsoft\DefenderService'
            - '\Microsoft\Windows\Application Experience\StartupAppTaskCheck'
            - '\Microsoft\Windows\Application Experience\StartupAppTaskCkeck'
            - '\Microsoft\Windows\ATPUpd'
            - '\Microsoft\Windows\Data Integrity Scan\Data Integrity Update'
            - '\Microsoft\Windows\DefenderUPDService'
            - '\Microsoft\Windows\IISUpdateService'
            - '\Microsoft\Windows\Speech\SpeechModelInstallTask'
            - '\Microsoft\Windows\WiMSDFS'
            - '\Microsoft\Windows\Windows Defender\Defender Update Service'
            - '\Microsoft\Windows\Windows Defender\Service Update'
            - '\Microsoft\Windows\Windows Error Reporting\CheckReporting'
            - '\Microsoft\Windows\Windows Error Reporting\SubmitReporting'
            - '\Microsoft\Windows\Windows Filtering Platform\BfeOnServiceStart'
            - '\Microsoft\Windows\WindowsDefenderService'
            - '\Microsoft\Windows\WindowsDefenderService2'
            - '\Microsoft\Windows\WindowsUpdate\Scheduled AutoCheck'
            - '\Microsoft\Windows\WindowsUpdate\Scheduled Check'
            - '\WindowUpdate'
    condition: selection
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
cisa.gov
MITRE ATT&CK

Other

detection.emerging-threats
Related Rules
SimilarEmerging Threathigh

Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor

Hunts for known SVR-specific scheduled task names

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata
Rule ID
2bfc1373-0220-4fbd-8b10-33ddafd2a142
Status
test
Level
high
Type
Emerging Threat
Created
Mon Dec 18
Author
CISA
Path
rules-emerging-threats/2023/TA/Cozy-Bear/win_taskscheduler_apt_cozy_bear_graphical_proton_task_names.yml
Raw Tags
attack.persistencedetection.emerging-threats
View on GitHub