Suspicious Scheduled Task Update

Detects update to a scheduled task event that contain suspicious keywords.

Sigma rule (View on GitHub)

 1title: Suspicious Scheduled Task Update
 2id: 614cf376-6651-47c4-9dcc-6b9527f749f4
 3related:
 4    - id: 1c0e41cd-21bb-4433-9acc-4a2cd6367b9b # ProcCreation schtasks change
 5      type: similar
 6status: test
 7description: Detects update to a scheduled task event that contain suspicious keywords.
 8references:
 9    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4698
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2022/12/05
12tags:
13    - attack.execution
14    - attack.privilege_escalation
15    - attack.persistence
16    - attack.t1053.005
17logsource:
18    product: windows
19    service: security
20    definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection. We also recommend extracting the Command field from the embedded XML in the event data.'
21detection:
22    selection_eid:
23        EventID: 4702
24    selection_paths:
25        TaskContentNew|contains:
26            - '\AppData\Local\Temp\'
27            - '\AppData\Roaming\'
28            - '\Users\Public\'
29            - '\WINDOWS\Temp\'
30            - 'C:\Temp\'
31            - '\Desktop\'
32            - '\Downloads\'
33            - '\Temporary Internet'
34            - 'C:\ProgramData\'
35            - 'C:\Perflogs\'
36    selection_commands:
37        TaskContentNew|contains:
38            - 'regsvr32'
39            - 'rundll32'
40            - 'cmd.exe</Command>'
41            - 'cmd</Command>'
42            - '<Arguments>/c '
43            - '<Arguments>/k '
44            - '<Arguments>/r '
45            - 'powershell'
46            - 'pwsh'
47            - 'mshta'
48            - 'wscript'
49            - 'cscript'
50            - 'certutil'
51            - 'bitsadmin'
52            - 'bash.exe'
53            - 'bash '
54            - 'scrcons'
55            - 'wmic '
56            - 'wmic.exe'
57            - 'forfiles'
58            - 'scriptrunner'
59            - 'hh.exe'
60    condition: all of selection_*
61falsepositives:
62    - Unknown
63level: high

References

Related rules

to-top