eq_0005 — 2 rules with the same canonical form

Vendors: sigma (2). Stage count: 5. Correlation shape: single_event.

Members

Sigma Scheduled Task Executing Payload from Registry events 1
Sigma Scheduled Task Executing Encoded Payload from Registry events 1

MITRE ATT&CK coverage

Tactic	Techniques
Execution	`T1053.005` Scheduled Task/Job: Scheduled Task, `T1059.001` Command and Scripting Interpreter: PowerShell
Persistence	`T1053.005` Scheduled Task/Job: Scheduled Task
Privilege Escalation	`T1053.005` Scheduled Task/Job: Scheduled Task

Stages and predicates (per member)

Each member's stage rendered in its own native syntax (verbatim source where the IR captures it; falls back to the synthesised native form for the few stage types whose source segments aren't recoverable).

Scheduled Task Executing Payload from Registry — stage 1 `all of selection_img`

or:
Image|endswith: '\schtasks.exe'
OriginalFileName: schtasks.exe

Scheduled Task Executing Payload from Registry — stage 2 `all of selection_cli_create`

CommandLine|contains: '/Create'

Scheduled Task Executing Payload from Registry — stage 3 `all of selection_cli_get`

or:
CommandLine|contains: ' gp '
CommandLine|contains: Get-ItemProperty

Scheduled Task Executing Payload from Registry — stage 4 `all of selection_cli_hive`

or:
CommandLine|contains: 'HKCU:'
CommandLine|contains: HKEY_
CommandLine|contains: 'HKLM:'
CommandLine|contains: 'registry::'

Scheduled Task Executing Payload from Registry — stage 5 `not 1 of filter_main_encoding`

or:
CommandLine|contains: FromBase64String
CommandLine|contains: encodedcommand

Scheduled Task Executing Encoded Payload from Registry — stage 6 `all of selection_img`

or:
Image|endswith: '\schtasks.exe'
OriginalFileName: schtasks.exe

Scheduled Task Executing Encoded Payload from Registry — stage 7 `all of selection_cli_create`

CommandLine|contains: '/Create'

Scheduled Task Executing Encoded Payload from Registry — stage 8 `all of selection_cli_encoding`

or:
CommandLine|contains: FromBase64String
CommandLine|contains: encodedcommand

Scheduled Task Executing Encoded Payload from Registry — stage 9 `all of selection_cli_get`

or:
CommandLine|contains: ' gp '
CommandLine|contains: Get-ItemProperty

Scheduled Task Executing Encoded Payload from Registry — stage 10 `all of selection_cli_hive`

or:
CommandLine|contains: 'HKCU:'
CommandLine|contains: HKEY_
CommandLine|contains: 'HKLM:'
CommandLine|contains: 'registry::'

Indicators (across all members)

Field	Kind	Value	Members	Corpus
`CommandLine`	match	`gp`	2	2
`CommandLine`	match	`/Create`	2	4
`CommandLine`	match	`FromBase64String`	2	7
`CommandLine`	match	`Get-ItemProperty`	2	2
`CommandLine`	match	`HKCU:`	2	2
`CommandLine`	match	`HKEY_`	2	2
`CommandLine`	match	`HKLM:`	2	2
`CommandLine`	match	`encodedcommand`	2	2
`CommandLine`	match	`registry::`	2	2
`Image`	ends_with	`\schtasks.exe`	2	45
`OriginalFileName`	eq	`schtasks.exe`	2	14

eq_0005 — 2 rules with the same canonical form

Members

MITRE ATT&CK coverage

Stages and predicates (per member)

Scheduled Task Executing Payload from Registry — stage 1 all of selection_img

Scheduled Task Executing Payload from Registry — stage 2 all of selection_cli_create

Scheduled Task Executing Payload from Registry — stage 3 all of selection_cli_get

Scheduled Task Executing Payload from Registry — stage 4 all of selection_cli_hive

Scheduled Task Executing Payload from Registry — stage 5 not 1 of filter_main_encoding

Scheduled Task Executing Encoded Payload from Registry — stage 6 all of selection_img

Scheduled Task Executing Encoded Payload from Registry — stage 7 all of selection_cli_create

Scheduled Task Executing Encoded Payload from Registry — stage 8 all of selection_cli_encoding

Scheduled Task Executing Encoded Payload from Registry — stage 9 all of selection_cli_get

Scheduled Task Executing Encoded Payload from Registry — stage 10 all of selection_cli_hive