Detectionmediumtest

Remote Task Creation via ATSVC Named Pipe

Detects remote task creation via at.exe or API interacting with ATSVC namedpipe

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Samir BousseadenCreated Wed Apr 03Updated Thu Aug 01f6de6525-4509-495a-8a82-1f8b0ed73a00windows

Log Source

Windowssecurity

ProductWindows← raw: windows

Servicesecurity← raw: security

Definition

The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure

Detection Logic

detection:
    selection:
        EventID: 5145
        ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$
        RelativeTargetName: atsvc
        AccessList|contains: 'WriteData'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

web.archive.org

MITRE ATT&CK

Tactics

TA0004 · Privilege Escalation TA0002 · Execution TA0008 · Lateral Movement TA0003 · Persistence

Sub-techniques

T1053.002 · At

CAR Analytics

2013-05-004 · CAR 2013-05-0042015-04-001 · CAR 2015-04-001

Rule Metadata

Rule ID

f6de6525-4509-495a-8a82-1f8b0ed73a00

Status

test

Level

medium

Type

Detection

Created

Wed Apr 03

Modified

Thu Aug 01

Author

Samir Bousseaden

Path

rules/windows/builtin/security/win_security_atsvc_task.yml

Raw Tags

attack.privilege-escalationattack.executionattack.lateral-movementattack.persistencecar.2013-05-004car.2015-04-001attack.t1053.002

View on GitHub