This repository has been archived by the owner on Nov 16, 2023. It is now read-only.

Change from AccountName To AccountSid
Since there are many languages for Windows, there will be different names for the SYSTEM user; for instance, in Brazil it is called SISTEMA. So, to avoid dependency on a string, I suggest changing it to SID form: AccountSid != "S-1-5-18".
pasilva-msft authored Jan 16, 2020
1 parent 5aa4bb9 commit 1eabadd
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion Persistence/scheduled task creation.txt
@@ -1,5 +1,5 @@
//Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_susp_schtask_creation.yml
//Questions via Twitter: @janvonkirchheim
DeviceProcessEvents
| where FolderPath endswith "\\schtasks.exe" and ProcessCommandLine has " /create " and AccountName != "system"
| where FolderPath endswith "\\schtasks.exe" and ProcessCommandLine has " /create " and AccountSid != "S-1-5-18"
| where Timestamp > ago(7d)
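Review bot: the `| where Timestamp > ago(7d)` clause on the final line should move above the string-matching predicate so the time window prunes rows before `endswith` and `has` are evaluated over the full table. The SID comparison itself is the right fix: `!=` in KQL is case-sensitive, so the old `AccountName != "system"` would have missed both localized names such as SISTEMA and any differently cased spelling, whereas `S-1-5-18` is stable across locales. One thing to decide is scope: `AccountSid != "S-1-5-18"` excludes only Local System; if the intent is to drop all built-in service identities, `AccountSid !in ("S-1-5-18", "S-1-5-19", "S-1-5-20")` would also cover Local Service and Network Service, and a short comment line stating which identities are deliberately excluded would help later readers.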

0 comments on commit 1eabadd