From 3511c59121e773119ce627597eb84ad4303f7ddf Mon Sep 17 00:00:00 2001
From: Ming Di Leom <2809763-curben@users.noreply.gitlab.com>
Date: Sun, 3 Aug 2025 07:59:32 +0000
Subject: [PATCH] refactor(unusual-schtasks): combine alerts
---
 source/threat-hunting/index.md | 3 +--
 source/threat-hunting/unusual-scheduled-task.md | 6 +++---
 ...indows-script-executed-from-scheduled-task.md | 16 ----------------
 3 files changed, 4 insertions(+), 21 deletions(-)
 delete mode 100644 source/threat-hunting/windows-script-executed-from-scheduled-task.md
diff --git a/source/threat-hunting/index.md b/source/threat-hunting/index.md
index d216c52..9ef5a06 100644
--- a/source/threat-hunting/index.md
+++ b/source/threat-hunting/index.md
@@ -2,7 +2,7 @@
 title: Splunk Threat Hunting
 layout: page
 date: 2025-01-15
-updated: 2025-07-27
+updated: 2025-08-03
 ---
 
 - [Generate ad_users.csv](ldap-ad-users)
@@ -124,6 +124,5 @@ updated: 2025-07-27
 - [Windows Firewall Modification](windows-firewall-modification)
 - [Windows JScript execution](windows-jscript-execution)
 - [Windows Sandbox execution](windows-sandbox-execution)
-- [Windows Script Executed from Scheduled Task](windows-script-executed-from-scheduled-task)
 - [Windows Script Executed from ZIP](windows-script-executed-from-zip)
 - [WinRAR Spawning Shell Application](winrar-spawning-shell-application)
diff --git a/source/threat-hunting/unusual-scheduled-task.md b/source/threat-hunting/unusual-scheduled-task.md
index 9b9f95b..ddaef6d 100644
--- a/source/threat-hunting/unusual-scheduled-task.md
+++ b/source/threat-hunting/unusual-scheduled-task.md
@@ -2,14 +2,14 @@
 title: Unusual Scheduled Task
 layout: page
 date: 2025-07-27
+updated: 2025-08-03
 ---
 
-Description: A new scheduled task is created with minutely interval or with highest run level.
-References: [1](https://blog.talosintelligence.com/gophish-powerrat-dcrat/#threat-actor-delivers-dcrat)
+Description: [Minutely interval or with highest run level](https://blog.talosintelligence.com/gophish-powerrat-dcrat/#threat-actor-delivers-dcrat), [wscript/cscript](https://redcanary.com/blog/threat-intelligence/intelligence-insights-may-2024/)
 SPL:
 
 ```spl
-| tstats summariesonly=true allow_old_summaries=true count FROM datamodel=Endpoint.Processes WHERE index="windows" Processes.process_name="schtasks.exe" Processes.process IN ("*minute*", "*highest*") BY index, host, Processes.signature_id, Processes.signature, Processes.parent_process, Processes.process, Processes.user, _time span=1s
+| tstats summariesonly=true allow_old_summaries=true count FROM datamodel=Endpoint.Processes WHERE index="windows" Processes.process_name="schtasks.exe" (Processes.process IN ("*minute*", "*highest*") OR (Processes.process="*create*" Processes.process IN ("*wscript*", "*cscript*"))) BY index, host, Processes.signature_id, Processes.signature, Processes.parent_process, Processes.process, Processes.user, _time span=1s
 | rename Processes.* AS *, signature_id AS EventCode, signature AS EventDescription
 | eval Time = strftime(_time, "%Y-%m-%d %H:%M:%S %z")
 | lookup ad_users sAMAccountName AS user OUTPUT displayName AS Name, mail AS Email
diff --git a/source/threat-hunting/windows-script-executed-from-scheduled-task.md b/source/threat-hunting/windows-script-executed-from-scheduled-task.md
deleted file mode 100644
index fd845c7..0000000
--- a/source/threat-hunting/windows-script-executed-from-scheduled-task.md
+++ /dev/null
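Review bot: The new wscript/cscript branch of the tstats WHERE clause only fires when the command line also contains `create`, while the minute/highest branch has no verb filter at all, so `schtasks /change /tn <task> /tr "wscript.exe ..."` (re-pointing an existing task at a script, a common persistence variant) is missed even though `schtasks /change /rl highest` is caught. Consider `(Processes.process IN ("*create*", "*change*") Processes.process IN ("*wscript*", "*cscript*"))`, or drop the verb filter so both branches behave the same. Separately, schtasks.exe accepts its switches and the `/tr` value case-insensitively, so if the Endpoint data model keeps the original command-line case and this tstats comparison is case-sensitive in your deployment, `/SC MINUTE`, `/RL HIGHEST` or `WSCRIPT.EXE` would slip past these wildcards; confirm the TA normalizes case or add the uppercase variants. Tasks registered via PowerShell `Register-ScheduledTask` or the Task Scheduler COM API never spawn schtasks.exe and remain outside this search, which may be worth a one-line note under Description; the remaining lines of the SPL block (the `| table` projection) fall outside this hunk.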
@@ -1,16 +0,0 @@
----
-title: Windows Script Executed from Scheduled Task
-layout: page
-date: 2025-07-27
----
- 
-References: [1](https://redcanary.com/blog/threat-intelligence/intelligence-insights-may-2024/)
-SPL:
- 
-```spl
-| tstats summariesonly=true allow_old_summaries=true count FROM datamodel=Endpoint.Processes WHERE index="windows" Processes.process_name="schtasks.exe" Processes.process="*create*" Processes.process IN ("*wscript*", "*cscript*") BY index, host, Processes.signature_id, Processes.signature, Processes.parent_process, Processes.process, Processes.user, _time span=1s
-| rename Processes.* AS *, signature_id AS EventCode, signature AS EventDescription
-| eval Time = strftime(_time, "%Y-%m-%d %H:%M:%S %z")
-| lookup ad_users sAMAccountName AS user OUTPUT displayName AS Name, mail AS Email
-| table Time, index, host, EventCode, EventDescription, parent_process, process, user, Name, Email
-```