Suspicious Schtasks Child Process

Detects schtasks.exe being run as a child process of explorer.exe to create a scheduled task.

Sigma rule

title: Suspicious Schtasks Child Process
id: 6470cbb3-a339-40dd-8d0e-250013b86828
status: experimental
description: Detects schtasks being run as a child process of explorer.exe to create a schedule task.
references:
    - https://www.trellix.com/en-us/about/newsroom/stories/research/demystifying-qbot-malware.html
author: Micah Babinski
date: 2022/11/19
tags:
    - attack.persistence
    - attack.t1053
    - attack.t1053.005
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\explorer.exe'
        Image|endswith: '\schtasks.exe'
        CommandLine|contains|windash:
            - '/create'
            - '/ru'
            - '/sc once'
            - 'powershell'
    condition: selection
falsepositives:
    - Unknown
level: high
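To see how the selection above behaves on real process-creation telemetry, here is an added example (not code from the Sigma project or the rule's author) that implements the three modifiers the rule relies on, endswith, contains and windash, and runs the selection over constructed sample events; the field names follow the rule, and the command lines and paths are made up.

```python
# Added example (not the Sigma project's code): evaluates this rule's selection
# against constructed process_creation events; field names follow the rule.
SELECTION = {
    "ParentImage|endswith": ["\\explorer.exe"],
    "Image|endswith": ["\\schtasks.exe"],
    "CommandLine|contains|windash": ["/create", "/ru", "/sc once", "powershell"],
}

def windash_variants(value):
    # Sigma 'windash': a '/' switch also matches its '-' spelling.
    return [value, value.replace("/", "-")] if "/" in value else [value]

def field_matches(event_value, modifiers, values):
    # Sigma string matching is case-insensitive; list values are OR'd.
    haystack = (event_value or "").lower()
    for val in values:
        variants = windash_variants(val) if "windash" in modifiers else [val]
        for needle in (v.lower() for v in variants):
            if "endswith" in modifiers and haystack.endswith(needle):
                return True
            if "contains" in modifiers and needle in haystack:
                return True
    return False

def selection_matches(event):
    # Every key in the selection map must match (AND across fields).
    for key, values in SELECTION.items():
        field, *modifiers = key.split("|")
        if not field_matches(event.get(field), modifiers, values):
            return False
    return True

# Constructed sample events (not real telemetry).
SCHTASKS = r"C:\Windows\System32\schtasks.exe"
EVENTS = {
    "dash_form": {"ParentImage": r"C:\Windows\explorer.exe", "Image": SCHTASKS,
                  "CommandLine": 'schtasks -create -sc once -tn Upd -tr "powershell -w hidden"'},
    "service_parent": {"ParentImage": r"C:\Windows\System32\svchost.exe", "Image": SCHTASKS,
                       "CommandLine": "schtasks /create /sc daily /tn Backup /tr backup.exe"},
    "query_only": {"ParentImage": r"C:\Windows\explorer.exe", "Image": SCHTASKS,
                   "CommandLine": "schtasks /query /tn Backup"},
    # '/ru' is a substring of '/run', so an interactive task launch also fires.
    "run_substring": {"ParentImage": r"C:\Windows\explorer.exe", "Image": SCHTASKS,
                      "CommandLine": "schtasks /run /tn Backup"},
}

def evaluate_all():
    return {name: selection_matches(ev) for name, ev in EVENTS.items()}
```

Because the four CommandLine values are OR'd, the `run_substring` case shows a benign `/run` invocation from Explorer also matching, which is worth keeping in mind when tuning the rule's false positives.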
