From: A flexible approach for cyber threat hunting based on kernel audit records
| | proc.cmdLine |
|---|---|
| 1 | "schtasks.exe" |
| 2 | "schtasks.exe /change /tn 'Microsoft/Office/Office Automatic Updates' /enable" |
| 3 | "schtasks.exe /change /tn 'Microsoft/Office/Office ClickToRun Service Monitor' /enable" |
| 4 | "schtasks /create /tn WindowsUpdate /tr 'powershell -nop -ep bypass -encodedCommand KABOAGUAdwAtAE8AYqYwB0A···YAIAAt'" |
| 5 | "schtasks /create /tn WindowsUpdate -tr 'powershell.exe -nop -ep Bypass -encodedCommand KABOAGUAdwAtAEYUAYwB0A···AuADY'" |
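As an added, defender-side example (not code from the paper), the following Python parses proc.cmdLine values like the rows above, extracts the schtasks action and its /tn and /tr switches, and flags task creations whose action launches PowerShell with -ep bypass or an -encodedCommand payload, decoding the payload when the record is complete. The sample command lines and the base64 payload are constructed; the last sample reuses the paper's truncated blob to show that a partial record cannot be decoded.

```python
import base64
import re
import shlex

# Constructed samples modelled on the proc.cmdLine rows above (not the paper's records); the
# payload is a benign constructed string, and the last row reuses the paper's truncated blob.
ENCODED = base64.b64encode("Write-Output 'constructed sample'".encode("utf-16-le")).decode()
SAMPLE_CMDLINES = [
    "schtasks.exe /change /tn 'Microsoft\\Office\\Office Automatic Updates' /enable",
    "schtasks /create /tn WindowsUpdate /tr 'powershell -nop -ep bypass -encodedCommand " + ENCODED + "'",
    "schtasks /create /tn WindowsUpdate /tr 'powershell.exe -nop -ep Bypass -encodedCommand KABOAGUAdwAtAE8AYqYwB0A...'",
]
ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
MARKERS = [("powershell_task_action", r"powershell"),  # (flag, pattern over the lower-cased /tr value)
           ("execution_policy_bypass", r"-(?:ep|executionpolicy)\s+bypass"), ("no_profile", r"-nop\b")]
def parse_schtasks(cmdline):
    """Split a schtasks command line into its action and /switch values; None if not schtasks."""
    tokens = shlex.split(cmdline)
    if not tokens or tokens[0].lower().rsplit("\\", 1)[-1] not in ("schtasks", "schtasks.exe"):
        return None
    info, i = {"action": None, "args": {}}, 1
    while i < len(tokens):
        key = tokens[i][1:].lower() if tokens[i].startswith("/") else None
        if key in ("create", "change", "delete", "query", "run", "end"):
            info["action"] = key
        elif key and i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
            info["args"][key] = tokens[i + 1]  # switch with a value, e.g. /tn <name>
            i += 1
        elif key:
            info["args"][key] = True  # bare switch, e.g. /enable
        i += 1
    return info
def decode_encoded_command(action):
    m = ENC_RE.search(action)  # payload is base64 of UTF-16LE text; None if absent
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le") if m else None
    except (ValueError, UnicodeDecodeError):
        return "<undecodable or truncated>"
def assess(cmdline):
    """Flag task creations whose /tr action runs encoded or policy-bypassing PowerShell."""
    info = parse_schtasks(cmdline) or {"action": None, "args": {}}
    result = {"action": info["action"], "task_name": info["args"].get("tn"), "flags": [], "decoded": None}
    tr = info["args"].get("tr")
    if info["action"] == "create" and isinstance(tr, str):
        result["flags"] = [name for name, pat in MARKERS if re.search(pat, tr.lower())]
        result["decoded"] = decode_encoded_command(tr)
        if result["decoded"] is not None:
            result["flags"].append("encoded_command")
    return result
```

Run `assess()` over each entry of `SAMPLE_CMDLINES`: the /change row yields no flags, the complete /create row decodes its payload, and the truncated row is still flagged but reports the payload as undecodable.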