Techniques
Sample rules
Scheduled tasks used in BadRabbit ransomware
- source: splunk
- techniques:
- T1053.005
Description
This search looks for flags passed to schtasks.exe on the command line that indicate that task names associated with the execution of Bad Rabbit ransomware were created or deleted. Deprecated: a similar detection already exists.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as process from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe (Processes.process= "*create*" OR Processes.process= "*delete*") by Processes.parent_process Processes.process_name Processes.user Processes.dest
| `drop_dm_object_name("Processes")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| search (process=*rhaegal* OR process=*drogon* OR process=*viserion_*)
| `scheduled_tasks_used_in_badrabbit_ransomware_filter`
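The same detection logic, re-expressed as an added Python example (not part of the Splunk content) and run over constructed process events: the dictionary keys mirror the Endpoint.Processes fields the search reads, the event values are made up, and the filter macro at the end of the SPL is omitted.

```python
import re
from collections import defaultdict

# Constructed sample events standing in for Endpoint.Processes rows (values are made up).
SAMPLE_EVENTS = [
    {"_time": 1508846401, "dest": "ws01", "user": "alice", "parent_process": "dispci.exe",
     "process_name": "schtasks.exe",
     "process": "schtasks /Create /SC once /TN drogon /RU SYSTEM /TR shutdown.exe /ST 14:35:00"},
    {"_time": 1508846405, "dest": "ws01", "user": "alice", "parent_process": "dispci.exe",
     "process_name": "schtasks.exe",
     "process": "schtasks /Delete /F /TN rhaegal"},
    {"_time": 1508846410, "dest": "ws02", "user": "bob", "parent_process": "cmd.exe",
     "process_name": "schtasks.exe",
     "process": "schtasks /Create /SC daily /TN Backup /TR backup.bat"},   # benign task name
    {"_time": 1508846420, "dest": "ws02", "user": "bob", "parent_process": "explorer.exe",
     "process_name": "notepad.exe", "process": "notepad.exe viserion_1.txt"},  # not schtasks.exe
]

# Processes.process="*create*" OR "*delete*"  (SPL wildcards are case-insensitive)
ACTION = re.compile(r"create|delete", re.IGNORECASE)
# the trailing "| search (process=*rhaegal* OR ...)" clause
TASK_NAME = re.compile(r"rhaegal|drogon|viserion_", re.IGNORECASE)

def is_suspicious(event):
    """Apply the per-event filters of the search to one process event."""
    return (event["process_name"].lower() == "schtasks.exe"
            and ACTION.search(event["process"]) is not None
            and TASK_NAME.search(event["process"]) is not None)

def detect(events):
    """Group like the SPL 'by' clause and compute count, firstTime, lastTime, values(process)."""
    groups = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None, "process": []})
    for ev in events:
        if not is_suspicious(ev):
            continue
        key = (ev["parent_process"], ev["process_name"], ev["user"], ev["dest"])
        g = groups[key]
        g["count"] += 1
        g["firstTime"] = ev["_time"] if g["firstTime"] is None else min(g["firstTime"], ev["_time"])
        g["lastTime"] = ev["_time"] if g["lastTime"] is None else max(g["lastTime"], ev["_time"])
        if ev["process"] not in g["process"]:   # values() keeps distinct command lines
            g["process"].append(ev["process"])
    return dict(groups)

if __name__ == "__main__":
    for key, stats in detect(SAMPLE_EVENTS).items():
        print(key, stats)
```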