T1053.005 Diamond Sleet APT Scheduled Task Creation Registry

T1053.005 - Diamond Sleet APT Scheduled Task Creation - Registry

DESCRIPTION

Detects registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of Team City CVE-2023-42793 vulnerability

Example:

Forest64.exe create a scheduled task named 'Windows TeamCity Settings User Interface'

Related

• Ransomware
• Diamond Sleet APT

Reference:

https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/

ATT&CK TACTICS

T1562 - Impair Defenses
T1053.005 - Scheduled Task/Job: Scheduled Task

Data Source(s): Windows Registry

SENTINEL RULE QUERY

let selection = dynamic([@'\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\','Windows TeamCity Settings User Interface']);
DeviceRegistryEvents
| where ActionType == "RegistryKeyCreated"
| where RegistryKey has_all (selection) 

Triage

1. Verify the parent process creating the registry key
2. Determine whether the behavior is normal in agency's environment

FalsePositive

Unknown, highly specific detection

VERSION

Version 1.0 (date: 19/12/2023)