Windows Scheduled Task Create Shell (RedCanary Threat Detection Report)

Detects attempts to establish persistence using schtasks and command shell. Part of the RedCanary 2023 Threat Detection Report.

Sigma rule

```yaml
title: Windows Scheduled Task Create Shell (RedCanary Threat Detection Report)
id: a916cc1b-7f0e-46b4-9c77-c80b1f2ba26b
status: experimental
description: Detects attempts to establish persistence using schtasks and command shell. Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/windows-command-shell/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.execution
    - attack.t1059.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\schtasks.exe'
        CommandLine|contains|windash:
            - 'create'
            - 'cmd'
            - '/c'
    condition: selection
falsepositives:
    - Unknown
level: low
```
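As an added example (not part of the rule or the RedCanary report), the selection above evaluated in Python over constructed process-creation events, implementing the Sigma semantics the rule relies on: case-insensitive matching, OR across the listed values, and the `windash` modifier's `/` and `-` permutations (restricted here to the ASCII pair; newer Sigma processors also expand Unicode dashes). The event values and helper names are my own assumptions.

```python
import itertools
from typing import Iterable

# Values copied from the Sigma rule above.
IMAGE_SUFFIX = r"\schtasks.exe"
CMDLINE_TERMS = ["create", "cmd", "/c"]

# Dash characters permuted by |windash (ASCII only in this example; assumption).
DASHES = "/-"


def windash_variants(value: str) -> set[str]:
    """Return every variant of `value` with each '/' or '-' swapped for either dash char."""
    positions = [i for i, ch in enumerate(value) if ch in DASHES]
    variants = set()
    for combo in itertools.product(DASHES, repeat=len(positions)):
        chars = list(value)
        for pos, repl in zip(positions, combo):
            chars[pos] = repl
        variants.add("".join(chars))
    return variants


def matches_rule(image: str, command_line: str) -> bool:
    """Selection: Image endswith '\\schtasks.exe' AND CommandLine contains any listed term.

    Sigma string matching is case-insensitive, and a list of values under one
    field is OR-ed, so a single matching term is enough for the selection to fire.
    """
    if not image.lower().endswith(IMAGE_SUFFIX.lower()):
        return False
    haystack = command_line.lower()
    return any(
        variant.lower() in haystack
        for term in CMDLINE_TERMS
        for variant in windash_variants(term)
    )


# Constructed sample (Image, CommandLine) events, not real telemetry.
SAMPLE_EVENTS = [
    ("C:\\Windows\\System32\\schtasks.exe", 'schtasks /create /tn Updater /tr "cmd /c echo hi"'),
    ("C:\\Windows\\System32\\schtasks.exe", "schtasks -Create -tn Updater -tr calc.exe"),
    ("C:\\Windows\\System32\\schtasks.exe", "schtasks /query /fo LIST"),
    ("C:\\Windows\\System32\\cmd.exe", "cmd /c schtasks /create /tn X /tr y"),
]


def evaluate(events: Iterable[tuple[str, str]]) -> list[bool]:
    """Run the selection over each event and return one verdict per event."""
    return [matches_rule(img, cl) for img, cl in events]


if __name__ == "__main__":
    for (img, cl), hit in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print(f"{'ALERT ' if hit else 'ignore'} {cl}")
```

The second event fires only because `windash` turns `/c` into `-c`, which `-Create` contains; the fourth is ignored because the image is `cmd.exe`, not `schtasks.exe`, however the command line reads.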
