Windows Scheduled Task Behaving Improperly or Suspiciously
Detects scheduled tasks created with the /create flag and a reference to commonly-abused Windows utilities. Inspired by the 2022 Red Canary Threat Detection report.
Sigma rule

```yaml
title: Windows Scheduled Task Behaving Improperly or Suspiciously
id: ccb39be9-ba55-4553-9614-a94e98e58626
status: experimental
description: Detects scheduled tasks created with the /create flag and a reference
  to commonly-abused Windows utilities. Inspired by the 2022 Red Canary Threat Detection
  report.
references:
  - https://redcanary.com/threat-detection-report/techniques/scheduled-task/
author: Micah Babinski
date: 2022/11/04
tags:
  - attack.persistence
  - attack.execution
  - attack.t1053
  - attack.t1053.005
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\schtasks.exe'
    CommandLine|contains:
      - 'cmd.exe'
      - 'powershell.exe'
      - 'regsvr32.exe'
      - 'rundll32.exe'
      - 'mshta.exe'
    CommandLine|contains|windash: '/create'
  condition: selection
falsepositives:
  - Creation of legitimate scheduled tasks which need to run cmd or similar utilities.
level: medium
```
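The rule's selection restated as plain Python and run over constructed process-creation events, as an added example that is not part of the rule or of the Sigma project. It makes the matching semantics explicit: Sigma string matching is case-insensitive, the utility list is an OR, and the windash modifier makes `/create` also match `-create`; the field names follow Sysmon/4688 style process_creation events, and the dash characters beyond `/` and `-` are assumed from newer Sigma backends.

```python
# Plain-Python mirror of the rule's 'selection'; constructed for illustration,
# not part of any Sigma backend.
ABUSED_UTILITIES = ["cmd.exe", "powershell.exe", "regsvr32.exe", "rundll32.exe", "mshta.exe"]
CREATE_FLAG = "/create"


def windash_variants(value: str) -> list[str]:
    """Expand a value the way Sigma's windash modifier does: the leading '/' or '-'
    is swapped for each dash style, because schtasks accepts either form."""
    # '/' and '-' are the documented core; the en dash, em dash and horizontal bar
    # are an assumption about what newer backends (e.g. pySigma) also expand to.
    dashes = ["/", "-", "\u2013", "\u2014", "\u2015"]
    stripped = value.lstrip("/-")
    return [d + stripped for d in dashes]


def matches_rule(event: dict) -> bool:
    """True when a process_creation event satisfies the rule's 'selection'."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    # Image|endswith: '\schtasks.exe' (case-insensitive, as Sigma matching is)
    if not image.endswith("\\schtasks.exe"):
        return False
    # CommandLine|contains: a list of values is an OR
    if not any(util in cmdline for util in ABUSED_UTILITIES):
        return False
    # CommandLine|contains|windash: '/create' -> '/create' OR '-create' OR ...
    return any(v.lower() in cmdline for v in windash_variants(CREATE_FLAG))


def find_matches(events: list[dict]) -> list[str]:
    """Return the CommandLine of every event that fires the rule."""
    return [e["CommandLine"] for e in events if matches_rule(e)]


# Constructed sample events (Sysmon Event ID 1 / 4688 style fields), not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /tn Updater /tr "mshta.exe C:\Temp\a.hta" /sc minute /mo 5'},
    {"Image": r"C:\Windows\System32\schtasks.exe",   # dash form, mixed case: still fires via windash
     "CommandLine": r'schtasks -Create -TN Backup -TR "powershell.exe -File C:\scripts\backup.ps1" -SC daily'},
    {"Image": r"C:\Windows\System32\schtasks.exe",   # /query, not /create: no alert
     "CommandLine": r"schtasks /query /tn Updater"},
    {"Image": r"C:\Windows\System32\cmd.exe",        # parent shell; the rule keys on schtasks.exe itself
     "CommandLine": r"cmd.exe /c schtasks /create /tn X /tr rundll32.exe"},
]

if __name__ == "__main__":
    for line in find_matches(SAMPLE_EVENTS):
        print("ALERT:", line)
```

The fourth event shows a limit worth knowing when triaging: the cmd.exe event itself does not fire, only the separate schtasks.exe child process event would, so correlation with the parent (see the related process-ancestry rules) is what exposes the context.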
Related rules
- Windows Scheduled Task Create Shell
- Windows Scheduled Task Making Suspicious Network Connection
- Command Shell Unusual or Suspicious Process Ancestry
- Base64 Encoding in CMD or Powershell
- Chrome Spawned by Powershell with Load-Extension in Command Line