Emerging Threatmediumtest

Defrag Deactivation - Security

Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Florian Roth (Nextron Systems), Bartlomiej CzyzCreated Mon Mar 04Updated Sun Nov 27c5a178bf-9cfb-4340-b584-e4df39b6a3e72018

Emerging Threat

Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source

Windowssecurity

ProductWindows← raw: windows

Servicesecurity← raw: security

Definition

Requirements: Audit Policy : Audit Other Object Access Events > Success

Detection Logic

detection:
    selection:
        EventID: 4701
        TaskName: '\Microsoft\Windows\Defrag\ScheduledDefrag'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

securelist.com

MITRE ATT&CK

Tactics

TA0004 · Privilege Escalation TA0002 · Execution TA0003 · Persistence

Techniques

T1053 · Scheduled Task/Job

Software

S0111 · schtasks

Other

detection.emerging-threats

Related Rules

DerivedEmerging Threatmedium

Defrag Deactivation

Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group

This rule was derived from the related rule - both detect similar activity with different scope.

Rule Metadata

Rule ID

c5a178bf-9cfb-4340-b584-e4df39b6a3e7

Status

test

Level

medium

Type

Emerging Threat

Created

Mon Mar 04

Modified

Sun Nov 27

Author

Florian Roth (Nextron Systems), Bartlomiej Czyz

Path

rules-emerging-threats/2018/TA/Slingshot/win_security_apt_slingshot.yml

Raw Tags

attack.privilege-escalationattack.executionattack.persistenceattack.t1053attack.s0111detection.emerging-threats

View on GitHub