Suspicious Scheduled Task Creation
Detects suspicious scheduled task creation events based on attributes such as file paths and command line flags.
Sigma rule
title: Suspicious Scheduled Task Creation
id: 3a734d25-df5c-4b99-8034-af1ddb5883a4
status: test
description: Detects suspicious scheduled task creation events. Based on attributes such as paths, command line flags, etc.
references:
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4698
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-05
modified: 2022-12-07
tags:
    - attack.execution
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1053.005
logsource:
    product: windows
    service: security
    definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection. We also recommend extracting the Command field from the embedded XML in the event data.'
detection:
    selection_eid:
        EventID: 4698
    selection_paths:
        TaskContent|contains:
            - '\AppData\Local\Temp\'
            - '\AppData\Roaming\'
            - '\Users\Public\'
            - '\WINDOWS\Temp\'
            - 'C:\Temp\'
            - '\Desktop\'
            - '\Downloads\'
            - '\Temporary Internet'
            - 'C:\ProgramData\'
            - 'C:\Perflogs\'
    selection_commands:
        TaskContent|contains:
            - 'regsvr32'
            - 'rundll32'
            - 'cmd.exe</Command>'
            - 'cmd</Command>'
            - '<Arguments>/c '
            - '<Arguments>/k '
            - '<Arguments>/r '
            - 'powershell'
            - 'pwsh'
            - 'mshta'
            - 'wscript'
            - 'cscript'
            - 'certutil'
            - 'bitsadmin'
            - 'bash.exe'
            - 'bash '
            - 'scrcons'
            - 'wmic '
            - 'wmic.exe'
            - 'forfiles'
            - 'scriptrunner'
            - 'hh.exe'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
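The following Python rendering of the rule's logic is an added example, not code from the Sigma project or one of its backends. It applies the two `TaskContent|contains` selections and the `all of selection_*` condition to Event ID 4698 records represented as plain dicts, and also pulls the Command and Arguments fields out of the embedded Task XML, which is what the logsource definition recommends. The two event records are constructed samples; the dict field names (`EventID`, `TaskContent`) and the `SAMPLE_*` constants are assumptions of this example.

```python
"""Apply the 'Suspicious Scheduled Task Creation' Sigma logic to Event ID 4698 records.

Added example: a Python rendering of the rule's selections so the logic can be
exercised offline against sample events. Not Sigma's own code.
"""
import xml.etree.ElementTree as ET

# Indicator lists copied from the rule's selection_paths and selection_commands.
# Sigma's |contains modifier is case-insensitive, so both sides are lower-cased.
SUSPICIOUS_PATHS = [
    "\\AppData\\Local\\Temp\\", "\\AppData\\Roaming\\", "\\Users\\Public\\",
    "\\WINDOWS\\Temp\\", "C:\\Temp\\", "\\Desktop\\", "\\Downloads\\",
    "\\Temporary Internet", "C:\\ProgramData\\", "C:\\Perflogs\\",
]
SUSPICIOUS_COMMANDS = [
    "regsvr32", "rundll32", "cmd.exe</Command>", "cmd</Command>",
    "<Arguments>/c ", "<Arguments>/k ", "<Arguments>/r ", "powershell", "pwsh",
    "mshta", "wscript", "cscript", "certutil", "bitsadmin", "bash.exe", "bash ",
    "scrcons", "wmic ", "wmic.exe", "forfiles", "scriptrunner", "hh.exe",
]

# Default namespace used by Task Scheduler task definitions.
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"


def matched_indicators(task_content):
    """Return (matched_paths, matched_commands) for one raw TaskContent XML string."""
    haystack = task_content.lower()
    paths = [p for p in SUSPICIOUS_PATHS if p.lower() in haystack]
    commands = [c for c in SUSPICIOUS_COMMANDS if c.lower() in haystack]
    return paths, commands


def is_suspicious_task(event):
    """Sigma condition 'all of selection_*': EventID 4698 AND a path hit AND a command hit.

    `event` is assumed to be a dict with an integer EventID and the TaskContent XML string.
    """
    if event.get("EventID") != 4698:
        return False
    paths, commands = matched_indicators(event.get("TaskContent", ""))
    return bool(paths) and bool(commands)


def extract_exec_actions(task_content):
    """Pull (Command, Arguments) pairs out of the Task XML for enrichment of the alert."""
    root = ET.fromstring(task_content)
    actions = []
    for exec_node in root.iter(TASK_NS + "Exec"):
        command = exec_node.findtext(TASK_NS + "Command", default="")
        arguments = exec_node.findtext(TASK_NS + "Arguments", default="")
        actions.append((command, arguments))
    return actions


# Constructed sample TaskContent payloads (not real events).
SAMPLE_SUSPICIOUS = (
    '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
    '<Actions Context="Author"><Exec>'
    '<Command>powershell.exe</Command>'
    '<Arguments>-w hidden -File C:\\Users\\Public\\update.ps1</Arguments>'
    '</Exec></Actions></Task>'
)
SAMPLE_BENIGN = (
    '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
    '<Actions Context="Author"><Exec>'
    '<Command>C:\\Program Files\\Vendor\\updater.exe</Command>'
    '<Arguments>/silent</Arguments>'
    '</Exec></Actions></Task>'
)


if __name__ == "__main__":
    for label, xml in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        event = {"EventID": 4698, "TaskContent": xml}
        hit = is_suspicious_task(event)
        print(label, "->", "ALERT" if hit else "no match",
              matched_indicators(xml), extract_exec_actions(xml))
```

Matching runs over the raw TaskContent string rather than over parsed fields on purpose: several indicators in the rule, such as `cmd.exe</Command>` and `<Arguments>/c `, include XML tag text so that they anchor on the end of the command or the start of the arguments, and that only works against the unparsed XML. The parsed Command and Arguments are extracted separately, as the rule's definition suggests, to make the resulting alert readable without re-parsing the event.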
Related rules
- HackTool - Default PowerSploit/Empire Scheduled Task Creation
- Important Scheduled Task Deleted/Disabled
- Kapeka Backdoor Scheduled Task Creation
- Scheduled Task Creation Via Schtasks.EXE
- Suspicious Scheduled Task Update