Merge pull request #958 from nterl0k/nterl0k-t1053-windows-suspicious-task-lookups

patel-bhavin · web-flow · commit 4eea3c5891c4 · 2025-02-18T12:51:00.000-08:00
Nterl0k - T1053 Windows Suspicious Task Lookup
diff --git a/datasets/attack_techniques/T1053.005/winevent_scheduled_task_with_suspect_name/windows-xml.log b/datasets/attack_techniques/T1053.005/winevent_scheduled_task_with_suspect_name/windows-xml.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4af0e2d1b8dfae2e6e7cd18dcb85db50a028effc8d46f9fe3cfc21b633b2e6c0
+size 3373
diff --git a/datasets/attack_techniques/T1053.005/winevent_scheduled_task_with_suspect_name/windows-xml.yml b/datasets/attack_techniques/T1053.005/winevent_scheduled_task_with_suspect_name/windows-xml.yml
@@ -0,0 +1,14 @@
+author: Steven Dick
+id: ea908665-bc39-4493-a20a-041543ba4f3b
+date: '2025-01-28'
+description: 'A sample event with a known malicous Task Name.'
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/winevent_scheduled_task_with_suspect_name/windows-xml.log
+sourcetypes:
+- XmlWinEventLog
+references:
+- https://attack.mitre.org/techniques/T1053/005/
+- https://www.ic3.gov/CSA/2023/231213.pdf
+- https://news.sophos.com/en-us/2024/11/06/bengal-cat-lovers-in-australia-get-psspsspssd-in-google-driven-gootloader-campaign/
+- https://github.com/mthcht/awesome-lists/blob/main/Lists/suspicious_windows_tasks_list.csv

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+version https://git-lfs.github.com/spec/v1`
	`2`	`+oid sha256:4af0e2d1b8dfae2e6e7cd18dcb85db50a028effc8d46f9fe3cfc21b633b2e6c0`
	`3`	`+size 3373`