Windows Scheduled Task Create Shell

Detects creation of scheduled tasks which may establish persistence using the command shell. Inspired by the 2022 Red Canary Threat Detection report.

Sigma rule

```yaml
title: Windows Scheduled Task Create Shell
id: eb9d10be-1ece-4241-bc76-d51eadcaf42b
status: experimental
description: Detects creation of scheduled tasks which may establish persistence using
    the command shell. Inspired by the 2022 Red Canary Threat Detection report.
references:
    - https://redcanary.com/threat-detection-report/techniques/windows-command-shell/
author: Micah Babinski
date: 2022/11/03
tags:
    - attack.persistence
    - attack.execution
    - attack.t1053
    - attack.t1053.005
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\schtasks.exe'
        CommandLine|contains: 'create'
        CommandLine|contains|all|windash:
            - '/c'
            - 'cmd'
    condition: selection
falsepositives:
    - Creation of legitimate scheduled tasks which need to run cmd.
level: medium
```
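The following is an added example that emulates the rule's `selection` block in plain Python over a handful of constructed process-creation events; it is not pySigma, a Sigma backend, or the rule author's code. The `ProcessEvent` record, the `windash_variants` helper and the sample command lines are assumptions made for illustration. It applies Sigma's default matching semantics (case-insensitive substring search for `contains`, every value required by `|all`, and both `-` and `/` forms of a switch accepted under `|windash`):

```python
"""
Plain-Python emulation of the Sigma selection in "Windows Scheduled Task Create Shell".
Added example for illustration; it is not pySigma, a Sigma backend, or the rule author's code.
Matching follows Sigma defaults: case-insensitive, 'contains' is substring search,
'|all' requires every listed value, and '|windash' tries both '-' and '/' for each switch.
"""
from __future__ import annotations

from dataclasses import dataclass
from itertools import product


@dataclass
class ProcessEvent:
    """Minimal stand-in (assumed) for a process_creation record such as Sysmon EID 1."""
    image: str
    command_line: str


def windash_variants(value: str) -> list[str]:
    """Expand a value the way Sigma's |windash modifier does: every position holding
    '-' or '/' is tried with both characters, so '/c' yields '-c' and '/c'."""
    positions = [i for i, ch in enumerate(value) if ch in "-/"]
    if not positions:
        return [value]
    variants = []
    for combo in product("-/", repeat=len(positions)):
        chars = list(value)
        for pos, ch in zip(positions, combo):
            chars[pos] = ch
        variants.append("".join(chars))
    return variants


def contains(haystack: str, needle: str, windash: bool = False) -> bool:
    """Case-insensitive Sigma 'contains' match, optionally with windash expansion."""
    needles = windash_variants(needle) if windash else [needle]
    hay = haystack.lower()
    return any(n.lower() in hay for n in needles)


def matches_rule(event: ProcessEvent) -> bool:
    """Evaluate the rule's single 'selection' block; the condition is just 'selection'."""
    if not event.image.lower().endswith("\\schtasks.exe"):
        return False
    if not contains(event.command_line, "create"):
        return False
    # CommandLine|contains|all|windash: every listed value must be present.
    return all(contains(event.command_line, v, windash=True) for v in ("/c", "cmd"))


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 1. The persistence pattern the rule targets: a task whose action is cmd /c <script>.
    ProcessEvent(r"C:\Windows\System32\schtasks.exe",
                 r'schtasks.exe /create /tn Updater /tr "cmd /c C:\ProgramData\update.bat" /sc onlogon'),
    # 2. Same pattern with dash-style switches; matches only because of |windash.
    ProcessEvent(r"C:\Windows\System32\schtasks.exe",
                 r'schtasks.exe -create -tn Updater -tr "cmd -c C:\ProgramData\update.bat" -sc onlogon'),
    # 3. Legitimate task that runs a binary directly: no 'cmd', so no match.
    ProcessEvent(r"C:\Windows\System32\schtasks.exe",
                 r'schtasks.exe /create /tn Backup /tr "C:\Tools\backup.exe" /sc daily'),
    # 4. Querying tasks is not creation.
    ProcessEvent(r"C:\Windows\System32\schtasks.exe", "schtasks.exe /query /fo LIST"),
    # 5. Image is cmd.exe, and the rule keys on schtasks.exe itself.
    ProcessEvent(r"C:\Windows\System32\cmd.exe", "cmd.exe /c schtasks /create /tn X /tr cmd /c foo"),
    # 6. Tuning caveat: '/create' already satisfies the '/c' needle, so a task name or
    #    path containing 'cmd' fires the rule even when no 'cmd /c' action is present.
    ProcessEvent(r"C:\Windows\System32\schtasks.exe",
                 r'schtasks.exe /create /tn CmdSync /tr "C:\Tools\sync.exe" /sc hourly'),
]


def evaluate(events: list[ProcessEvent]) -> list[bool]:
    """Run the rule over a list of events and return one verdict per event."""
    return [matches_rule(e) for e in events]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print("ALERT " if hit else "      ", event.command_line)
```

Event 6 is worth noting when tuning: because `/create` itself contains `/c`, the `|all` clause effectively reduces to "the command line contains `cmd`", so a task name or path with that substring is enough to trigger the medium-level alert. Reviewing hits for the presence of an actual `cmd /c` action in the `/tr` argument is a cheap way to separate the intended pattern from that kind of benign match.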
