Forest Blizzard APT - Process Creation Activity

    Date: 01/02/2025

    Severity: High 

    Summary

    Identifies the execution of specific processes and command-line combinations that have been observed in use by Forest Blizzard, as detailed by Microsoft: scheduled-task creation and deletion under the \Microsoft\Windows\WinSrv task path, and PowerShell collection of .save files into an archive under C:\ProgramData\.

    Indicators of Compromise (IOC) List

    Image :

    - '\schtasks.exe'

    CommandLine :

    - 'Create'

    - '/RU'

    - 'SYSTEM'

    - '\Microsoft\Windows\WinSrv'

    - 'servtask.bat'

    - 'execute.bat'

    - 'doit.bat'

    - 'Delete'

    - '/F '

    - '\Microsoft\Windows\WinSrv'

    - 'Get-ChildItem'

    - '.save'

    - 'Compress-Archive -DestinationPath C:\ProgramData\'

    Hash :

    - '6b311c0a977d21e772ac4e99762234da852bbf84293386fbe78622a96c0b052f'

    - 'c60ead92cd376b689d1b4450f2578b36ea0bf64f3963cfa5546279fa4424c2a5'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query : 

    (resourcename = "Windows Security" AND eventtype = "4688") AND (
        (processname like "\schtasks.exe" AND (commandline like "Create" and commandline like "/RU" and commandline like "SYSTEM" and commandline like "\Microsoft\Windows\WinSrv") and (commandline like "servtask.bat" or commandline like "execute.bat" or commandline like "doit.bat"))
        OR (processname like "\schtasks.exe" and (commandline like "Delete" and commandline like "/F" and commandline like "\Microsoft\Windows\WinSrv"))
        OR (commandline like "Get-ChildItem" and commandline like ".save" and commandline like "Compress-Archive -DestinationPath C:\ProgramData")
    )

    The three OR branches are grouped in parentheses so that the Windows Security 4688 source filter applies to every branch; without the grouping, the second and third branches would match on any event source.

    Detection Query : 

    technologygroup = "EDR" AND (
        (processname like "\schtasks.exe" AND (commandline like "Create" and commandline like "/RU" and commandline like "SYSTEM" and commandline like "\Microsoft\Windows\WinSrv") and (commandline like "servtask.bat" or commandline like "execute.bat" or commandline like "doit.bat"))
        OR (processname like "\schtasks.exe" and (commandline like "Delete" and commandline like "/F" and commandline like "\Microsoft\Windows\WinSrv"))
        OR (commandline like "Get-ChildItem" and commandline like ".save" and commandline like "Compress-Archive -DestinationPath C:\ProgramData")
    )

    As above, the OR branches are grouped so that the EDR technology-group filter applies to all three.

    Detection Query : 

    sha256hash IN ("6b311c0a977d21e772ac4e99762234da852bbf84293386fbe78622a96c0b052f","c60ead92cd376b689d1b4450f2578b36ea0bf64f3963cfa5546279fa4424c2a5")
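    The process-creation logic of the queries above, as an added Python example run over constructed 4688-style records (this is not Gurucul's or the Sigma project's code). It assumes the page's field names (resourcename, eventtype, processname, commandline), treats "like" as case-insensitive substring matching, and evaluates the three selections as alternatives under one source gate.

```python
# Field names follow the page's queries; every event below is a constructed sample.
def _has_all(cmd, terms):
    return all(t.lower() in cmd.lower() for t in terms)

def _has_any(cmd, terms):
    return any(t.lower() in cmd.lower() for t in terms)

def forest_blizzard_match(event):
    """Return the matching selection name, or None. Three selections are OR'd,
    all gated on one process-creation source (Windows Security 4688)."""
    if event.get("resourcename") != "Windows Security" or event.get("eventtype") != "4688":
        return None
    is_schtasks = event.get("processname", "").lower().endswith("\\schtasks.exe")
    cmd = event.get("commandline", "")
    if is_schtasks and _has_all(cmd, ["Create", "/RU", "SYSTEM", "\\Microsoft\\Windows\\WinSrv"]) \
            and _has_any(cmd, ["servtask.bat", "execute.bat", "doit.bat"]):
        return "schtasks_create"
    if is_schtasks and _has_all(cmd, ["Delete", "/F ", "\\Microsoft\\Windows\\WinSrv"]):
        return "schtasks_delete"
    if _has_all(cmd, ["Get-ChildItem", ".save", "Compress-Archive -DestinationPath C:\\ProgramData\\"]):
        return "powershell_archive"
    return None

def scan(events):
    """Return (index, selection) for each event that matches."""
    return [(i, forest_blizzard_match(e)) for i, e in enumerate(events) if forest_blizzard_match(e)]

SAMPLE_EVENTS = [
    {"resourcename": "Windows Security", "eventtype": "4688",
     "processname": "C:\\Windows\\System32\\schtasks.exe",
     "commandline": "schtasks /Create /RU SYSTEM /TN \\Microsoft\\Windows\\WinSrv /TR C:\\ProgramData\\servtask.bat"},
    {"resourcename": "Windows Security", "eventtype": "4688",
     "processname": "C:\\Windows\\System32\\schtasks.exe",
     "commandline": "schtasks /Delete /F /TN \\Microsoft\\Windows\\WinSrv"},
    {"resourcename": "Windows Security", "eventtype": "4688",
     "processname": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "commandline": "Get-ChildItem C:\\ProgramData -Filter *.save | Compress-Archive -DestinationPath C:\\ProgramData\\"},
    # Benign admin task: same flags, different task path, so no match
    {"resourcename": "Windows Security", "eventtype": "4688",
     "processname": "C:\\Windows\\System32\\schtasks.exe",
     "commandline": "schtasks /Create /RU SYSTEM /TN \\Microsoft\\Windows\\Backup /TR C:\\Scripts\\backup.bat"},
    # Same text on a non-4688 record (constructed): the source gate must suppress it
    {"resourcename": "Windows Security", "eventtype": "4689",
     "processname": "C:\\Windows\\System32\\schtasks.exe",
     "commandline": "schtasks /Delete /F /TN \\Microsoft\\Windows\\WinSrv"},
]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))  # [(0, 'schtasks_create'), (1, 'schtasks_delete'), (2, 'powershell_archive')]
```

    The benign record shows why the task path is part of every schtasks branch: /RU SYSTEM alone is common administrative usage and would be noisy on its own.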

    Reference:   

    https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2024/TA/Forest-Blizzard/proc_creation_win_apt_forest_blizzard_activity.yml 


    Tags

    Malware, Sigma, Blizzard, APT
