
Remote Schedule Task Lateral Movement via ITaskSchedulerService

Detects remote RPC calls to create or execute a scheduled task

Author: Sagie Dulce, Dekel Paz
Created: Sat Jan 01
Log Source
Product: rpc_firewall
Category: application

Definition

Requirements: install the RPC Firewall and apply it to all processes with the configuration line "audit:true action:block uuid:86d35949-83c9-4044-b424-db363231fd0c" (the interface UUID of ITaskSchedulerService, the MS-TSCH interface the rule watches).

Detection Logic
detection:
    selection:
        EventLog: RPCFW
        EventID: 3
        InterfaceUuid: 86d35949-83c9-4044-b424-db363231fd0c
        OpNum:
            - 1
            - 3
            - 4
            - 10
            - 11
            - 12
            - 13
            - 14
            - 15
    condition: selection
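The selection above applied to a handful of constructed events, as an added example that is not part of the rule or of the RPC Firewall project. It assumes only that events expose the four field names the rule uses (EventLog, EventID, InterfaceUuid, OpNum); the key=value line layout, the ClientIp field and the events themselves are constructed for the example and are not real RPC Firewall output, and the method names are the ITaskSchedulerService opnum assignments from MS-TSCH, which the rule itself does not list. It makes explicit two things the YAML leaves implicit: Sigma string matching is case-insensitive, so an uppercase InterfaceUuid still matches, and read-only opnums such as 2 (SchRpcRetrieveTask) and 7 (SchRpcEnumTasks) are outside the list, so task enumeration alone does not alert.

```python
"""Evaluate the rule's Sigma selection over constructed RPCFW-style events.

Field names (EventLog, EventID, InterfaceUuid, OpNum) are the ones the rule uses.
The key=value line format, ClientIp and the events are constructed for this
example and are not the RPC Firewall's real log layout.
"""

ITASKSCHEDULERSERVICE = "86d35949-83c9-4044-b424-db363231fd0c"

# The Sigma selection, transcribed from the rule.
SELECTION = {
    "EventLog": "RPCFW",
    "EventID": 3,
    "InterfaceUuid": ITASKSCHEDULERSERVICE,
    "OpNum": [1, 3, 4, 10, 11, 12, 13, 14, 15],
}

# Method names for the watched opnums, taken from the ITaskSchedulerService
# opnum table in MS-TSCH. Not part of the rule; added for triage context.
OPNUM_NAMES = {
    1: "SchRpcRegisterTask",
    3: "SchRpcCreateFolder",
    4: "SchRpcSetSecurity",
    10: "SchRpcStopInstance",
    11: "SchRpcStop",
    12: "SchRpcRun",
    13: "SchRpcDelete",
    14: "SchRpcRename",
    15: "SchRpcScheduledRuntimes",
}


def parse_event(line: str) -> dict:
    """Parse one constructed 'key=value key=value ...' line into an event dict."""
    event = {}
    for token in line.split():
        key, _, value = token.partition("=")
        event[key] = value
    # EventID and OpNum are numeric in the rule, so compare them as integers.
    for int_field in ("EventID", "OpNum"):
        if int_field in event:
            event[int_field] = int(event[int_field])
    return event


def _equal(actual, expected) -> bool:
    # Sigma compares string values case-insensitively by default.
    if isinstance(expected, str):
        return str(actual).lower() == expected.lower()
    return actual == expected


def matches_selection(event: dict, selection: dict = SELECTION) -> bool:
    """Sigma selection semantics: all fields must match (AND);
    a list of values for one field is OR."""
    for field, expected in selection.items():
        if field not in event:
            return False
        candidates = expected if isinstance(expected, list) else [expected]
        if not any(_equal(event[field], c) for c in candidates):
            return False
    return True


def find_hits(lines):
    """Return (OpNum, method name, ClientIp) for every event the rule would fire on."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        event = parse_event(line)
        if matches_selection(event):
            opnum = event["OpNum"]
            hits.append((opnum, OPNUM_NAMES.get(opnum, "?"), event.get("ClientIp", "?")))
    return hits


# Constructed sample events (not real RPC Firewall output). The fourth line uses
# a made-up interface UUID to show a call on a different interface.
SAMPLE_EVENTS = """
EventLog=RPCFW EventID=3 InterfaceUuid=86d35949-83c9-4044-b424-db363231fd0c OpNum=1 ClientIp=10.0.0.5
EventLog=RPCFW EventID=3 InterfaceUuid=86D35949-83C9-4044-B424-DB363231FD0C OpNum=12 ClientIp=10.0.0.5
EventLog=RPCFW EventID=3 InterfaceUuid=86d35949-83c9-4044-b424-db363231fd0c OpNum=7 ClientIp=10.0.0.9
EventLog=RPCFW EventID=3 InterfaceUuid=0c0c0c0c-0000-4000-8000-000000000001 OpNum=12 ClientIp=10.0.0.9
EventLog=RPCFW EventID=1 InterfaceUuid=86d35949-83c9-4044-b424-db363231fd0c OpNum=13 ClientIp=10.0.0.5
""".strip().splitlines()

if __name__ == "__main__":
    # Expected: opnum 1 (SchRpcRegisterTask) and 12 (SchRpcRun) from 10.0.0.5;
    # the enumeration call, the other interface and the EventID 1 line do not match.
    for opnum, name, ip in find_hits(SAMPLE_EVENTS):
        print(f"ALERT opnum={opnum} ({name}) from {ip}")
```

Only the first two sample lines fire: a task registration followed by a run from the same client, which is the create-then-execute sequence the rule is written for. The third line (opnum 7, SchRpcEnumTasks) is the read-only call an administrator's `schtasks /query /s` would produce and is deliberately not in the list.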
False Positives
Unknown

False positive likelihood has not been assessed. Legitimate remote task administration (management tooling that registers, runs or deletes tasks over this interface) uses the same opnums and would match; because the required configuration sets action:block, such calls are blocked as well as logged, so triage should confirm the calling host and account before treating a match as lateral movement.

Rule Metadata
Rule ID
ace3ff54-e7fd-46bd-8ea0-74b49a0aca1d
Status
test
Level
high
Type
Detection
Created
Sat Jan 01
Path
rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml
Raw Tags
attack.privilege-escalation, attack.persistence, attack.execution, attack.lateral-movement, attack.t1053, attack.t1053.002