Suspicious Modification Of Scheduled Tasks
Detects when an attacker tries to modify an already existing scheduled task so that it runs from a suspicious location. Attackers can create an innocuous-looking task in order to avoid detection at creation time, since task creation is often the event that monitoring focuses on, and then modify the task afterwards to include their malicious payload.
Sigma rule (View on GitHub)
title: Suspicious Modification Of Scheduled Tasks
id: 1c0e41cd-21bb-4433-9acc-4a2cd6367b9b
related:
    - id: 614cf376-6651-47c4-9dcc-6b9527f749f4 # Security-Auditing Eventlog
      type: similar
status: test
description: |
    Detects when an attacker tries to modify an already existing scheduled task to run from a suspicious location.
    Attackers can create an innocuous-looking task in order to avoid detection on creation, as creation is often the most closely monitored event.
    Instead they modify the task after creation to include their malicious payload.
references:
    - Internal Research
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-28
modified: 2022-11-18
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.t1053.005
logsource:
    product: windows
    category: process_creation
detection:
    selection_schtasks:
        Image|endswith: '\schtasks.exe'
        CommandLine|contains|all:
            - ' /Change '
            - ' /TN '
    selection_susp_locations:
        CommandLine|contains:
            - '\AppData\Local\Temp'
            - '\AppData\Roaming\'
            - '\Users\Public\'
            - '\WINDOWS\Temp\'
            - '\Desktop\'
            - '\Downloads\'
            - '\Temporary Internet'
            - 'C:\ProgramData\'
            - 'C:\Perflogs\'
            - '%ProgramData%'
            - '%appdata%'
            - '%comspec%'
            - '%localappdata%'
    selection_susp_images:
        CommandLine|contains:
            - 'regsvr32'
            - 'rundll32'
            - 'cmd /c '
            - 'cmd /k '
            - 'cmd /r '
            - 'cmd.exe /c '
            - 'cmd.exe /k '
            - 'cmd.exe /r '
            - 'powershell'
            - 'mshta'
            - 'wscript'
            - 'cscript'
            - 'certutil'
            - 'bitsadmin'
            - 'bash.exe'
            - 'bash '
            - 'scrcons'
            - 'wmic '
            - 'wmic.exe'
            - 'forfiles'
            - 'scriptrunner'
            - 'hh.exe'
            - 'hh '
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
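To see what the condition `all of selection_*` does and does not fire on, here is an added Python re-implementation of the rule's three selections run over a handful of constructed process_creation events. This is editor-supplied example code, not part of the SigmaHQ rule or its test suite; the events are invented, and the matcher assumes Sigma's default case-insensitive string comparison rather than going through a real Sigma backend.

```python
"""Constructed re-implementation of the rule's matching logic (not SigmaHQ code).
Assumes Sigma's default case-insensitive 'contains' / 'endswith' semantics."""

# selection_schtasks
SCHTASKS_IMAGE_SUFFIX = "\\schtasks.exe"        # Image|endswith
SCHTASKS_CMDLINE_ALL = [" /Change ", " /TN "]   # CommandLine|contains|all

# selection_susp_locations: CommandLine|contains (any one is enough)
SUSP_LOCATIONS = [
    "\\AppData\\Local\\Temp", "\\AppData\\Roaming\\", "\\Users\\Public\\",
    "\\WINDOWS\\Temp\\", "\\Desktop\\", "\\Downloads\\", "\\Temporary Internet",
    "C:\\ProgramData\\", "C:\\Perflogs\\", "%ProgramData%", "%appdata%",
    "%comspec%", "%localappdata%",
]

# selection_susp_images: CommandLine|contains (any one is enough)
SUSP_IMAGES = [
    "regsvr32", "rundll32", "cmd /c ", "cmd /k ", "cmd /r ", "cmd.exe /c ",
    "cmd.exe /k ", "cmd.exe /r ", "powershell", "mshta", "wscript", "cscript",
    "certutil", "bitsadmin", "bash.exe", "bash ", "scrcons", "wmic ", "wmic.exe",
    "forfiles", "scriptrunner", "hh.exe", "hh ",
]


def contains(value: str, needle: str) -> bool:
    """Sigma 'contains' modifier: substring test, case-insensitive by default."""
    return needle.lower() in value.lower()


def evaluate(event: dict) -> dict:
    """Truth value of each selection plus the rule condition ('all of selection_*')
    for a single process_creation event with Image and CommandLine fields."""
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    sel = {
        "selection_schtasks": image.lower().endswith(SCHTASKS_IMAGE_SUFFIX.lower())
        and all(contains(cmdline, s) for s in SCHTASKS_CMDLINE_ALL),
        "selection_susp_locations": any(contains(cmdline, s) for s in SUSP_LOCATIONS),
        "selection_susp_images": any(contains(cmdline, s) for s in SUSP_IMAGES),
    }
    return {**sel, "match": all(sel.values())}


# Constructed sample events (invented task names, paths and payloads).
EVENTS = [
    {"id": "change-to-powershell-in-users-public",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /Change /TN "\Microsoft\Windows\Maintenance\WinUpdateCheck" '
                    r'/TR "powershell.exe -w hidden -ep bypass -f C:\Users\Public\Libraries\update.ps1"'},
    {"id": "create-only-out-of-scope",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /Create /SC MINUTE /MO 30 /TN "WinUpdateCheck" /TR "C:\Windows\System32\svchost.exe"'},
    {"id": "benign-change-program-files",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /Change /TN "\Backup\NightlyBackup" /TR "C:\Program Files\BackupTool\backup.exe" /RU SYSTEM'},
    {"id": "plain-exe-in-users-public-slips-through",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /Change /TN "\Backup\NightlyBackup" /TR "C:\Users\Public\backup.exe"'},
    {"id": "change-via-env-var-mixed-case",
     "Image": r"C:\Windows\SysWOW64\SCHTASKS.EXE",
     "CommandLine": r'SCHTASKS.EXE /change /tn "Adobe Acrobat Update Task" /tr "cmd.exe /c start /min %APPDATA%\Adobe\upd.vbs"'},
    {"id": "launched-through-cmd-parent-event",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c schtasks /Change /TN "Cleanup" /TR "wscript.exe C:\Users\Public\c.vbs"'},
]


def alerts(events=EVENTS) -> list:
    """IDs of the events on which the rule would fire."""
    return [e["id"] for e in events if evaluate(e)["match"]]


if __name__ == "__main__":
    for e in EVENTS:
        r = evaluate(e)
        flags = ", ".join(f"{k}={v}" for k, v in r.items() if k != "match")
        print(f"{'ALERT ' if r['match'] else 'quiet '} {e['id']:45s} {flags}")
```

Running it fires on two of the six events and makes the rule's boundaries visible: a `/Create` is deliberately out of scope (the rule targets the later modification); the condition needs both a suspicious path and a suspicious interpreter or LOLBin string, so a bare executable dropped into `C:\Users\Public` (the fourth event) is not caught on its own, which is where the related Security-Auditing eventlog rule referenced in the YAML is meant to help; matching is case-insensitive, so `/change` with `%APPDATA%` still hits; and `Image` must be `schtasks.exe` itself, so the `cmd.exe` parent event does not match, although the `schtasks.exe` child that `cmd /c` spawns produces its own process_creation event that would.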
References
- Internal Research
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks
Related rules
- ChromeLoader Malware Execution
- Defrag Deactivation
- Kapeka Backdoor Persistence Activity
- OilRig APT Activity
- OilRig APT Registry Persistence
