Suspicious Schtasks Child Process
Detects schtasks being run as a child process of explorer.exe to create a scheduled task.
Sigma rule

```yaml
title: Suspicious Schtasks Child Process
id: 6470cbb3-a339-40dd-8d0e-250013b86828
status: experimental
description: Detects schtasks being run as a child process of explorer.exe to create a schedule task.
references:
    - https://www.trellix.com/en-us/about/newsroom/stories/research/demystifying-qbot-malware.html
author: Micah Babinski
date: 2022/11/19
tags:
    - attack.persistence
    - attack.t1053
    - attack.t1053.005
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\explorer.exe'
        Image|endswith: '\schtasks.exe'
        CommandLine|contains|windash:
            - '/create'
            - '/ru'
            - '/sc once'
            - 'powershell'
    condition: selection
falsepositives:
    - Unknown
level: high
```
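The following is an added example, not part of the rule page or the SigmaHQ project: a stand-alone Python re-implementation of this rule's selection logic (the `endswith` checks, the OR-ed `contains` list and the `windash` dash/slash expansion) run over constructed process-creation events, so you can see which command lines it fires on and which it ignores.

```python
import itertools
from dataclasses import dataclass

# Dash characters Sigma's windash modifier treats as interchangeable: hyphen and
# slash, plus the en dash, em dash and horizontal bar newer Sigma versions add.
DASHES = ["-", "/", "\u2013", "\u2014", "\u2015"]

# The four values under CommandLine|contains|windash in the rule above.
CMDLINE_TERMS = ["/create", "/ru", "/sc once", "powershell"]


@dataclass
class ProcessEvent:  # minimal process_creation event, constructed for this example
    parent_image: str
    image: str
    command_line: str


def windash_variants(term: str) -> list:
    """Expand every '-' or '/' in term into each dash variant (cartesian product)."""
    slots = [DASHES if ch in ("-", "/") else [ch] for ch in term]
    return ["".join(p) for p in itertools.product(*slots)]


def matches_rule(ev: ProcessEvent) -> bool:
    """Apply the rule's selection. Sigma string matching is case-insensitive."""
    parent, image, cmd = ev.parent_image.lower(), ev.image.lower(), ev.command_line.lower()
    if not (parent.endswith("\\explorer.exe") and image.endswith("\\schtasks.exe")):
        return False
    # Several values under one field are OR-ed (the rule has no |all modifier),
    # so any single term anywhere in the command line is enough to match.
    return any(v.lower() in cmd for t in CMDLINE_TERMS for v in windash_variants(t))


# Constructed sample events (not real telemetry).
EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\schtasks.exe",
                 r'schtasks.exe /Create /SC ONCE /TN Updater /TR "powershell.exe"'),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\schtasks.exe",
                 r"schtasks.exe -create -sc ONCE -tn Updater -tr calc.exe"),  # dash form
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\schtasks.exe",
                 r"schtasks.exe /Query /TN Updater"),  # query only: not matched
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\schtasks.exe",
                 r"schtasks.exe /Create /SC DAILY /TN Backup /TR backup.bat"),  # wrong parent
]


def run_rule(events):
    """Return the events this rule would alert on."""
    return [e for e in events if matches_rule(e)]
```

Because the list is OR-ed, any `schtasks /create` launched from explorer.exe fires regardless of the other terms, which is worth keeping in mind when tuning the `Unknown` false-positive rate in your own environment.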
Related rules
- Windows Scheduled Task Behaving Improperly or Suspiciously
- Windows Scheduled Task Create Shell
- Windows Scheduled Task Making Suspicious Network Connection
- Suspicious Calc DLL Load
- Chrome Spawned by Powershell with Load-Extension in Command Line