Windows Scheduled Task Create Shell (RedCanary Threat Detection Report)
Detects attempts to establish persistence using schtasks and command shell. Part of the RedCanary 2023 Threat Detection Report.
Sigma rule
```yaml
title: Windows Scheduled Task Create Shell (RedCanary Threat Detection Report)
id: a916cc1b-7f0e-46b4-9c77-c80b1f2ba26b
status: experimental
description: Detects attempts to establish persistence using schtasks and command shell. Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/windows-command-shell/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.execution
    - attack.t1059.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\schtasks.exe'
        CommandLine|contains|windash:
            - 'create'
            - 'cmd'
            - '/c'
    condition: selection
falsepositives:
    - Unknown
level: low
```
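The following Python is an added example, not code from the Sigma project, Red Canary, or the rule author; it re-implements the rule's matching logic over a handful of constructed `process_creation` events so the behaviour can be checked before deployment. Two points matter in practice. First, the `windash` modifier expands each `/` or `-` in a value into both characters, so `'/c'` matches `cmd /c` and `cmd -c` alike. Second, a list of values under a single field in Sigma is OR-ed unless the `all` modifier is added (`CommandLine|contains|all|windash`), so as written the selection fires on any `schtasks.exe` command line containing any one of `create`, `cmd` or `/c`; the `require_all` flag below shows the difference. Note also that `/c` adds nothing once `create` is required, because the switch `/create` itself contains `/c`. The event list and its field names follow the Sigma `process_creation` convention but are constructed for this example.

```python
import itertools

# Constructed sample process_creation events for this example; not real telemetry.
SAMPLE_EVENTS = [
    # 0: task creation whose action is a cmd /c payload (the behaviour the rule targets)
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "Updater" /tr "cmd /c C:\Users\Public\u.bat" /sc onlogon'},
    # 1: same thing with dash-style switches, which windash is meant to cover
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks -create -tn "Updater" -tr "cmd -c calc.exe" -sc minute -mo 5'},
    # 2: benign task creation without a shell (matches only under OR semantics)
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "Backup" /tr "C:\Tools\backup.exe" /sc daily'},
    # 3: query only, no create/cmd
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /query /tn "Updater"'},
    # 4: wrong Image; schtasks appears only inside the command line of cmd.exe
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd /c schtasks /create /tn x /tr cmd'},
]

# Values taken from the rule's selection block.
RULE_IMAGE_SUFFIX = r"\schtasks.exe"
RULE_VALUES = ["create", "cmd", "/c"]


def windash_variants(value):
    """Expand every '/' or '-' in value into both characters (Sigma `windash`)."""
    slots = [i for i, ch in enumerate(value) if ch in "/-"]
    variants = set()
    for combo in itertools.product("/-", repeat=len(slots)):
        chars = list(value)
        for idx, ch in zip(slots, combo):
            chars[idx] = ch
        variants.add("".join(chars))
    return variants


def value_matches(command_line, value):
    """Case-insensitive `contains` against all windash variants of value."""
    cl = command_line.lower()
    return any(v.lower() in cl for v in windash_variants(value))


def rule_matches(event, require_all=False):
    """Evaluate the rule's selection against one event.

    require_all=False reproduces the rule as written (list values are OR-ed);
    require_all=True is what `CommandLine|contains|all|windash` would give.
    """
    image = event.get("Image", "").lower()
    if not image.endswith(RULE_IMAGE_SUFFIX.lower()):
        return False
    hits = [value_matches(event.get("CommandLine", ""), v) for v in RULE_VALUES]
    return all(hits) if require_all else any(hits)


def run_rule(events, require_all=False):
    """Return the indexes of events that match the selection."""
    return [i for i, e in enumerate(events) if rule_matches(e, require_all)]


if __name__ == "__main__":
    print("as written (OR):", run_rule(SAMPLE_EVENTS))
    print("with |all (AND):", run_rule(SAMPLE_EVENTS, require_all=True))
```

Running it shows the benign backup task (event 2) alerting under the rule as written but not once all three substrings are required; the `level: low` rating and `falsepositives: Unknown` are consistent with that noise, so tune with `all` or pair the rule with the related command-shell rules before treating hits as high-signal.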
References
- https://redcanary.com/threat-detection-report/techniques/windows-command-shell/
Related rules
- Command Shell Bypassing Security Controls (RedCanary Threat Detection Report)
- Command Shell Obfuscated Commands (RedCanary Threat Detection Report)
- Command Shell Suspicious Process Ancestry (RedCanary Threat Detection Report)
- Explorer Spawning CMD With Start/Exit Commands (RedCanary Threat Detection Report)
- Service Control Manager Spawning Command Shell (RedCanary Threat Detection Report)