Windows Scheduled Task Creating Shell
Adversaries frequently establish persistence by using scheduled tasks to launch the Windows Command Shell. Detecting this behavior is relatively straightforward. Part of the RedCanary 2024 Threat Detection Report.
Sigma rule

```yaml
title: Windows Scheduled Task Creating Shell
id: 8b1a34e3-c4d6-4af6-9836-35a0da09b85b
status: experimental
description: |
  Adversaries frequently establish persistence by using scheduled tasks to launch
  the Windows Command Shell. Detecting this behavior is relatively straightforward.
  Part of the RedCanary 2024 Threat Detection Report.
references:
  - https://redcanary.com/threat-detection-report/techniques/windows-command-shell/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
  - attack.execution
  - attack.t1059
  - attack.t1059.003
  - attack.t1053
logsource:
  category: process_creation
  product: windows
detection:
  selection1:
    Image|endswith: '\schtasks.exe'
    CommandLine|contains: 'create'
  selection2:
    CommandLine|contains:
      - 'cmd.exe /c'
      - 'cmd /c'
  condition: all of selection*
falsepositives:
  - Unknown
level: low
```
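To see what the rule actually fires on, here is the detection logic re-implemented in Python and run over a handful of constructed process_creation events. This is an added example, not code from the page, from RedCanary or from the Sigma project; the events are made up for illustration and the `matches_rule` / `run_rule` names are this example's own. It follows Sigma's default semantics (`contains` and `endswith` are case-insensitive, `all of selection*` requires both selections to match), and it includes two cases the rule does not cover: a task registered through the PowerShell `Register-ScheduledTask` cmdlet, which never spawns `schtasks.exe`, and a `/tr` value that quotes the full path to `cmd.exe`, which breaks the `cmd.exe /c` substring.

```python
# Re-implementation of the "Windows Scheduled Task Creating Shell" Sigma rule
# (added example; not the page's or RedCanary's code). The events below are
# constructed for this example and are not real telemetry.

EVENTS = [
    # 0: classic persistence: schtasks /create with a cmd.exe /c trigger -> match
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc minute /mo 5 /tn "Updater" /tr "cmd.exe /c C:\Users\Public\run.bat" /f'},
    # 1: mixed case and the short "cmd /c" form -> match (Sigma matching is case-insensitive)
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'SCHTASKS /Create /SC ONLOGON /TN Sync /TR "cmd /c whoami > C:\Users\Public\o.txt"'},
    # 2: schtasks used only to query a task -> no "create", no match
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /query /tn "Updater"'},
    # 3: task creation that launches a binary directly, not the shell -> no match
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc daily /tn Backup /tr "C:\Program Files\Backup\backup.exe"'},
    # 4: same outcome via the Task Scheduler API from PowerShell; schtasks.exe never runs -> no match
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -c Register-ScheduledTask -TaskName T -Action (New-ScheduledTaskAction -Execute cmd.exe -Argument "/c calc.exe")'},
    # 5: full, quoted path to cmd.exe: the substring becomes 'cmd.exe\" /c', not 'cmd.exe /c' -> no match
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc once /st 00:00 /tn T /tr "\"C:\Windows\System32\cmd.exe\" /c calc.exe"'},
]


def sigma_endswith(value: str, suffix: str) -> bool:
    """Sigma 'endswith' modifier: case-insensitive suffix match."""
    return value.lower().endswith(suffix.lower())


def sigma_contains(value: str, needle: str) -> bool:
    """Sigma 'contains' modifier: case-insensitive substring match."""
    return needle.lower() in value.lower()


def matches_rule(event: dict) -> bool:
    """Evaluate the rule's 'all of selection*' condition against one event."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    # selection1: schtasks.exe with 'create' somewhere in the command line
    selection1 = sigma_endswith(image, r"\schtasks.exe") and sigma_contains(cmd, "create")
    # selection2: a list under 'contains' is OR-ed; any listed value suffices
    selection2 = any(sigma_contains(cmd, p) for p in ("cmd.exe /c", "cmd /c"))
    return selection1 and selection2


def run_rule(events: list) -> list:
    """Return the indices of events that the rule would alert on."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


if __name__ == "__main__":
    for i in run_rule(EVENTS):
        print(f"[ALERT] event {i}: {EVENTS[i]['CommandLine']}")
```

Running it alerts on events 0 and 1 only. Events 4 and 5 show why the rule is `level: low` rather than a standalone persistence detection: pairing it with a rule on Task Scheduler operational events or on new task files under `C:\Windows\System32\Tasks` covers creation paths that never pass through `schtasks.exe`.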
Related rules
- Windows Explorer Spawning Command Shell with Start and Exit Commands
- Bypassing Security Controls - Command Shell
- Obfuscated Commands - Command Shell
- Service Control Manager Spawning Command Shell with Suspect Strings
- Unusual or Suspicious Process Ancestry - Command Shell