Suspicious Scheduled Task Write to System32 Tasks
Detects the creation of tasks from processes executed from suspicious locations
Sigma rule
```yaml
title: Suspicious Scheduled Task Write to System32 Tasks
id: 80e1f67a-4596-4351-98f5-a9c3efabac95
status: test
description: Detects the creation of tasks from processes executed from suspicious locations
references:
  - Internal Research
author: Florian Roth (Nextron Systems)
date: 2021-11-16
modified: 2022-01-12
tags:
  - attack.privilege-escalation
  - attack.persistence
  - attack.execution
  - attack.t1053
logsource:
  product: windows
  category: file_event
detection:
  selection:
    TargetFilename|contains: '\Windows\System32\Tasks'
    Image|contains:
      - '\AppData\'
      - 'C:\PerfLogs'
      - '\Windows\System32\config\systemprofile'
  condition: selection
falsepositives:
  - Unknown
level: high
```
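The rule's `selection` is two `contains` tests joined by an implicit AND: the written file must sit under `\Windows\System32\Tasks`, and the writing process image must come from one of the three listed locations. The following Python is an added example, not part of the rule or the Sigma project, that applies exactly that logic to a handful of constructed file-event records shaped like Sysmon file-create events (fields `Image` and `TargetFilename`). Sigma string matching is case-insensitive unless a modifier says otherwise, so the comparison folds case; the `id` field on each sample record is an assumption added only to label the results.

```python
"""Apply the rule's selection logic to constructed file-event records."""

# Substrings taken directly from the rule above.
TARGET_SUBSTRING = "\\Windows\\System32\\Tasks"
SUSPICIOUS_IMAGE_SUBSTRINGS = (
    "\\AppData\\",
    "C:\\PerfLogs",
    "\\Windows\\System32\\config\\systemprofile",
)


def _contains(value: str, needle: str) -> bool:
    """Sigma 'contains' modifier: substring match, case-insensitive by default."""
    return needle.casefold() in value.casefold()


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies the rule's 'selection' block.

    Both field tests must hold (fields inside one selection are ANDed);
    the Image list is a logical OR of its entries.
    """
    target = event.get("TargetFilename", "")
    image = event.get("Image", "")
    if not _contains(target, TARGET_SUBSTRING):
        return False
    return any(_contains(image, s) for s in SUSPICIOUS_IMAGE_SUBSTRINGS)


# Constructed sample events (not real telemetry). The 'id' key is a label
# added for this example; the other two keys mirror Sysmon file-create fields.
SAMPLE_EVENTS = [
    {   # Task Scheduler service itself writing a task file: expected, no match
        "id": "schedule-service",
        "Image": "C:\\Windows\\System32\\svchost.exe",
        "TargetFilename": "C:\\Windows\\System32\\Tasks\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
    },
    {   # Binary running from a user's AppData writing directly into Tasks: match
        "id": "appdata-temp",
        "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
        "TargetFilename": "C:\\Windows\\System32\\Tasks\\Updater",
    },
    {   # Mixed-case paths still match because 'contains' folds case
        "id": "perflogs",
        "Image": "c:\\perflogs\\svc.exe",
        "TargetFilename": "C:\\WINDOWS\\system32\\Tasks\\svc",
    },
    {   # Process image under the systemprofile path: match
        "id": "systemprofile",
        "Image": "C:\\Windows\\System32\\config\\systemprofile\\maint.exe",
        "TargetFilename": "C:\\Windows\\System32\\Tasks\\Maint",
    },
    {   # Suspicious image, but the write is not into the Tasks folder: no match
        "id": "appdata-other-write",
        "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
        "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\task.xml",
    },
]


def evaluate(events: list) -> list:
    """Return the ids of events the rule would alert on, in input order."""
    return [e["id"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        verdict = "ALERT" if matches_rule(event) else "ok"
        print(f"{verdict:5} {event['id']:22} {event['Image']}")
```

Because the rule keys on the image of the process that performs the file write, it fires on a binary in one of the listed directories writing task XML directly into the Tasks folder; a write performed by the Task Scheduler service on behalf of another process carries the service's image and is not selected, which is why the first sample record stays quiet.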
Related rules
- Defrag Deactivation - Security
- HAFNIUM Exchange Exploitation Activity
- HackTool - CrackMapExec Execution Patterns
- HackTool - SharPersist Execution
- Potential ACTINIUM Persistence Activity