Emerging Threathightest

Potential ACTINIUM Persistence Activity

Detects specific process parameters as used by ACTINIUM scheduled task persistence creation.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Andreas HunkelerCreated Mon Feb 07Updated Sat Mar 18e1118a8f-82f5-44b3-bb6b-8a284e5df6022022

Emerging Threat

Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection:
        CommandLine|contains|all:
            - 'schtasks'
            - 'create'
            - 'wscript'
            - ' /e:vbscript'
    condition: selection

False Positives

Unlikely

False positives are unlikely for most environments. High confidence detection.

References

Resolving title…

microsoft.com

MITRE ATT&CK

Tactics

TA0004 · Privilege Escalation TA0002 · Execution TA0003 · Persistence

Techniques

T1053 · Scheduled Task/Job

Sub-techniques

T1053.005 · Scheduled Task

Other

detection.emerging-threats

Rule Metadata

Rule ID

e1118a8f-82f5-44b3-bb6b-8a284e5df602

Status

test

Level

high

Type

Emerging Threat

Created

Mon Feb 07

Modified

Sat Mar 18

Author

Andreas Hunkeler

Path

rules-emerging-threats/2022/TA/ACTINIUM/proc_creation_win_apt_actinium_persistence.yml

Raw Tags

attack.privilege-escalationattack.executionattack.persistenceattack.t1053attack.t1053.005detection.emerging-threats

View on GitHub