Suspicious Modification Of Scheduled Tasks
Detects when an attacker tries to modify an already existing scheduled task so that it runs from a suspicious location. Attackers can create a simple-looking task in order to avoid detection at creation time, as task creation is often the event that receives the most scrutiny. Instead, they modify the task after creation to include their malicious payload.
Sigma rule
title: Suspicious Modification Of Scheduled Tasks
id: 1c0e41cd-21bb-4433-9acc-4a2cd6367b9b
related:
    - id: 614cf376-6651-47c4-9dcc-6b9527f749f4 # Security-Auditing Eventlog
      type: similar
status: test
description: |
    Detects when an attacker tries to modify an already existing scheduled task to run from a suspicious location.
    Attackers can create a simple-looking task in order to avoid detection on creation, as it's often the most focused on.
    Instead they modify the task after creation to include their malicious payload.
references:
    - Internal Research
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-28
modified: 2022-11-18
tags:
    - attack.execution
    - attack.t1053.005
logsource:
    product: windows
    category: process_creation
detection:
    selection_schtasks:
        Image|endswith: '\schtasks.exe'
        CommandLine|contains|all:
            - ' /Change '
            - ' /TN '
    selection_susp_locations:
        CommandLine|contains:
            - '\AppData\Local\Temp'
            - '\AppData\Roaming\'
            - '\Users\Public\'
            - '\WINDOWS\Temp\'
            - '\Desktop\'
            - '\Downloads\'
            - '\Temporary Internet'
            - 'C:\ProgramData\'
            - 'C:\Perflogs\'
            - '%ProgramData%'
            - '%appdata%'
            - '%comspec%'
            - '%localappdata%'
    selection_susp_images:
        CommandLine|contains:
            - 'regsvr32'
            - 'rundll32'
            - 'cmd /c '
            - 'cmd /k '
            - 'cmd /r '
            - 'cmd.exe /c '
            - 'cmd.exe /k '
            - 'cmd.exe /r '
            - 'powershell'
            - 'mshta'
            - 'wscript'
            - 'cscript'
            - 'certutil'
            - 'bitsadmin'
            - 'bash.exe'
            - 'bash '
            - 'scrcons'
            - 'wmic '
            - 'wmic.exe'
            - 'forfiles'
            - 'scriptrunner'
            - 'hh.exe'
            - 'hh '
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
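As an added example (not code from the Sigma project or the rule author), the following Python applies the rule's condition, all of selection_*, to a few constructed process-creation events. It assumes the Image and CommandLine field names of the rule's logsource and Sigma's default case-insensitive string matching; the event values are made up.

```python
# Added example (not part of the Sigma project): the rule's three selections
# evaluated over constructed events; Sigma matching is case-insensitive.
SUSP_LOCATIONS = [
    '\\AppData\\Local\\Temp', '\\AppData\\Roaming\\', '\\Users\\Public\\',
    '\\WINDOWS\\Temp\\', '\\Desktop\\', '\\Downloads\\', '\\Temporary Internet',
    'C:\\ProgramData\\', 'C:\\Perflogs\\', '%ProgramData%', '%appdata%',
    '%comspec%', '%localappdata%',
]
SUSP_IMAGES = [
    'regsvr32', 'rundll32', 'cmd /c ', 'cmd /k ', 'cmd /r ', 'cmd.exe /c ',
    'cmd.exe /k ', 'cmd.exe /r ', 'powershell', 'mshta', 'wscript', 'cscript',
    'certutil', 'bitsadmin', 'bash.exe', 'bash ', 'scrcons', 'wmic ',
    'wmic.exe', 'forfiles', 'scriptrunner', 'hh.exe', 'hh ',
]

def rule_matches(event):
    """True when the event satisfies 'all of selection_*'."""
    image = event.get('Image', '').lower()
    cmd = event.get('CommandLine', '').lower()
    # selection_schtasks: schtasks.exe modifying an existing task (/Change /TN)
    sel_schtasks = image.endswith('\\schtasks.exe') and all(
        s in cmd for s in (' /change ', ' /tn '))
    # selection_susp_locations / selection_susp_images: any listed substring
    sel_locations = any(s.lower() in cmd for s in SUSP_LOCATIONS)
    sel_images = any(s.lower() in cmd for s in SUSP_IMAGES)
    return sel_schtasks and sel_locations and sel_images

# Constructed sample events (Sysmon Event ID 1 style fields, values made up).
SAMPLE_EVENTS = [
    # Existing task re-pointed at a script in a user-writable path: alert
    {'Image': 'C:\\Windows\\System32\\schtasks.exe',
     'CommandLine': 'schtasks.exe /Change /TN "Updater" '
                    '/TR "powershell -File C:\\Users\\Public\\update.ps1"'},
    # Benign-looking creation: out of scope for this rule (no /Change)
    {'Image': 'C:\\Windows\\System32\\schtasks.exe',
     'CommandLine': 'schtasks.exe /Create /TN "Updater" '
                    '/TR "C:\\Program Files\\App\\app.exe" /SC DAILY'},
    # Modification to a normal install path with no scripting host: no alert
    {'Image': 'C:\\Windows\\System32\\schtasks.exe',
     'CommandLine': 'schtasks.exe /Change /TN "Backup" '
                    '/TR "C:\\Program Files\\Backup\\backup.exe"'},
    # Upper-case variant with rundll32 from ProgramData: still alerts
    {'Image': 'C:\\WINDOWS\\SYSTEM32\\SCHTASKS.EXE',
     'CommandLine': 'SCHTASKS.EXE /CHANGE /TN "Updater" '
                    '/TR "rundll32.exe C:\\ProgramData\\u.dll,Run"'},
]

def evaluate(events=SAMPLE_EVENTS):
    """Return one boolean per event, in order."""
    return [rule_matches(e) for e in events]
```

Because the condition is all of selection_*, a /Change into a suspicious folder that launches no listed scripting host (the second test below) does not fire; the creation-time evasion described above is exactly why the rule keys on /Change rather than /Create.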
Related rules
- HackTool - Default PowerSploit/Empire Scheduled Task Creation
- Important Scheduled Task Deleted/Disabled
- Kapeka Backdoor Scheduled Task Creation
- Operation Wocao Activity
- Operation Wocao Activity - Security