Tasks Folder Evasion

Severity: high
Author: Sreeman
Source: upstream

The Tasks folder in system32 and syswow64 are globally writable paths. Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr

MITRE ATT&CK coverage

Tactic	Techniques
Persistence	`T1574.001` Hijack Execution Flow: DLL
Privilege Escalation	`T1574.001` Hijack Execution Flow: DLL
Defense Evasion	`T1574.001` Hijack Execution Flow: DLL

Event coverage

Provider	Event ID	Title
Sysmon	1	Process creation
Security-Auditing	4688	A new process has been created.

Stages and Predicates

Stage 1: `all of selection1`

or:
CommandLine|contains: 'copy '
CommandLine|contains: 'echo '
CommandLine|contains: 'file createnew'
CommandLine|contains: 'type '

Stage 2: `all of selection2`

or:
CommandLine|contains: ' C:\Windows\SysWow64\Tasks\'
CommandLine|contains: ' C:\Windows\System32\Tasks\'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`CommandLine`	match	`C:\Windows\SysWow64\Tasks\` `C:\Windows\System32\Tasks\` `copy` corpus 11 (sigma 11) `echo` corpus 2 (sigma 2) `file createnew` corpus 2 (sigma 2) `type` corpus 6 (sigma 6)