ET HUNTING Windows Scheduled Task XML Response from Server
Source: et/open
Created: March 6, 2024
Updated: March 6, 2024
Classification: bad-unknown
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Windows Scheduled Task XML Response from Server"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"|3c 3f|xml version|3d 22|1.0|22 3f 3e|"; startswith; content:"|3c|Task|20|"; within:8; content:"xmlns|3d 22|http|3a 2f 2f|schemas.microsoft.com|2f|windows|2f|2004|2f|02|2f|mit|2f|task|22 3e|"; fast_pattern; within:76; content:"|3c|RegistrationInfo|3e|"; distance:0; content:"|3c|Triggers|3e|"; distance:0; content:"|3c|Exec|3e|"; reference:url,learn.microsoft.com/en-us/windows/win32/taskschd/daily-trigger-example--xml-; reference:md5,10f4479d5f531def842a712277ae9611; classtype:bad-unknown; sid:2051514; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Windows_11, attack_target Client_and_Server, tls_state plaintext, created_at 2024_03_06, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag Scheduled_Task_Payload_Delivery, updated_at 2024_03_06; target:dest_ip;)
References
| url | learn.microsoft.com/en-us/windows/win32/taskschd/daily-trigger-example--xml- |
| md5 | 10f4479d5f531def842a712277ae9611 |
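The `file.data` content chain in this signature is strict about byte offsets: `within:8` leaves room for only a line break between the XML prolog and `<Task `, and `within:76` is exactly the 14 bytes of `version="1.2" ` plus the 62-byte `xmlns` attribute from the Microsoft daily-trigger example it references. The following added Python (not part of the rule page or the ET ruleset) walks that chain over a constructed Task XML body so an analyst can see which layouts it fires on; it models only the buffer matching, not the `http.stat_code` or flow conditions, and the sample body is an assumption shaped like the referenced Microsoft example.

```python
# Constructed sample body shaped like the Microsoft daily-trigger Task XML (assumption,
# not a captured server response).
TASK_XML = (
    b'<?xml version="1.0"?>\r\n'
    b'<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">\r\n'
    b'  <RegistrationInfo><Author>Example</Author></RegistrationInfo>\r\n'
    b'  <Triggers><CalendarTrigger><StartBoundary>2024-03-06T08:00:00</StartBoundary>'
    b'<ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>\r\n'
    b'  <Actions><Exec><Command>C:\\Windows\\System32\\notepad.exe</Command></Exec></Actions>\r\n'
    b'</Task>\r\n'
)

# The signature's content keywords in order, with the modifier each carries.
RULE_CHAIN = [
    (b'<?xml version="1.0"?>', "startswith"),
    (b"<Task ", "within:8"),
    (b'xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">', "within:76"),
    (b"<RegistrationInfo>", "distance:0"),
    (b"<Triggers>", "distance:0"),
    (b"<Exec>", None),           # no modifier: absolute search over the whole buffer
]


def match_chain(buf: bytes, chain=RULE_CHAIN) -> bool:
    """Evaluate a Suricata-style content chain over one buffer.

    cursor is the end offset of the previous match. startswith anchors at offset 0;
    within:N requires the next match to END no more than N bytes past the cursor;
    distance:N searches from cursor+N onward; a bare content searches the whole buffer.
    """
    cursor = 0
    for pattern, mod in chain:
        if mod == "startswith":
            pos = 0 if buf.startswith(pattern) else -1
        elif mod and mod.startswith("within:"):
            limit = int(mod.split(":")[1])
            pos = buf.find(pattern, cursor, cursor + limit)   # end bound enforces "within"
        elif mod and mod.startswith("distance:"):
            pos = buf.find(pattern, cursor + int(mod.split(":")[1]))
        else:
            pos = buf.find(pattern)
        if pos < 0:
            return False
        cursor = pos + len(pattern)
    return True


if __name__ == "__main__":
    print("sample body fires:", match_chain(TASK_XML))          # True
    # A task whose action is a COM handler rather than <Exec> is outside the rule's scope.
    print("ComHandler task fires:", match_chain(TASK_XML.replace(b"<Exec>", b"<ComHandler>")))
```

Because every step is byte-exact, a body whose prolog, attribute order, or element spacing differs from the Microsoft example falls outside this signature; treat that as a tuning consideration when judging its coverage rather than as a defect in the matcher.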
Metadata
affected product: Windows_11
attack target: Client_and_Server
tls state: plaintext
created at: 2024_03_06
deployment: SSLDecrypt
performance impact: Low
confidence: High
signature severity: Major
tag: Scheduled_Task_Payload_Delivery
updated at: 2024_03_06