Emerging Threathightest

Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor

Hunts for known SVR-specific scheduled task names

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

CISACreated Mon Dec 188fa65166-f463-4fd2-ad4f-1436133c52e12023

Emerging Threat

Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source

Windowssecurity

ProductWindows← raw: windows

Servicesecurity← raw: security

Detection Logic

detection:
    selection:
        EventID:
            - 4698
            - 4699
            - 4702
        TaskName:
            - '\defender'
            - '\Microsoft\DefenderService'
            - '\Microsoft\Windows\Application Experience\StartupAppTaskCheck'
            - '\Microsoft\Windows\Application Experience\StartupAppTaskCkeck'
            - '\Microsoft\Windows\ATPUpd'
            - '\Microsoft\Windows\Data Integrity Scan\Data Integrity Update'
            - '\Microsoft\Windows\DefenderUPDService'
            - '\Microsoft\Windows\IISUpdateService'
            - '\Microsoft\Windows\Speech\SpeechModelInstallTask'
            - '\Microsoft\Windows\WiMSDFS'
            - '\Microsoft\Windows\Windows Defender\Defender Update Service'
            - '\Microsoft\Windows\Windows Defender\Service Update'
            - '\Microsoft\Windows\Windows Error Reporting\CheckReporting'
            - '\Microsoft\Windows\Windows Error Reporting\SubmitReporting'
            - '\Microsoft\Windows\Windows Filtering Platform\BfeOnServiceStart'
            - '\Microsoft\Windows\WindowsDefenderService'
            - '\Microsoft\Windows\WindowsDefenderService2'
            - '\Microsoft\Windows\WindowsUpdate\Scheduled AutoCheck'
            - '\Microsoft\Windows\WindowsUpdate\Scheduled Check'
            - '\WindowUpdate'
    condition: selection