Scheduled Task Creation Via Schtasks.EXE
Detects the creation of scheduled tasks by user accounts via the "schtasks" utility.
Sigma rule
title: Scheduled Task Creation Via Schtasks.EXE
id: 92626ddd-662c-49e3-ac59-f6535f12d189
status: test
description: Detects the creation of scheduled tasks by user accounts via the "schtasks" utility.
references:
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create
author: Florian Roth (Nextron Systems)
date: 2019-01-16
modified: 2024-01-18
tags:
    - attack.execution
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1053.005
    - attack.s0111
    - car.2013-08-001
    - stp.1u
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\schtasks.exe'
        CommandLine|contains: ' /create '
    filter_main_system_user:
        User|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Administrative activity
    - Software installation
level: low
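To make the rule's logic concrete, the following is an added example (not part of the rule or of the Sigma project) that applies the same selection and filter to Windows process_creation events. Sigma's `endswith` and `contains` modifiers compare case-insensitively by default, so the matcher lowercases both sides; the `User` filter reproduces the "AUTHORI"/"AUTORI" substring check that suppresses tasks created by the SYSTEM account across several Windows language settings. The event dictionaries are constructed sample data, not real telemetry, and the field names follow the Sigma process_creation schema used by the rule.

```python
"""Minimal matcher for the 'Scheduled Task Creation Via Schtasks.EXE' rule.

Added example: it re-implements the rule's selection, filter and condition
on plain dict events so the matching semantics can be exercised offline.
"""

# Substrings from filter_main_system_user; the rule notes they cover
# "NT AUTHORITY\SYSTEM" and several localised spellings of that account.
SYSTEM_USER_MARKERS = ["AUTHORI", "AUTORI"]


def _endswith(value: str, suffix: str) -> bool:
    # Sigma 'endswith' is case-insensitive unless a 'cased' modifier is used.
    return value.lower().endswith(suffix.lower())


def _contains(value: str, needle: str) -> bool:
    # Sigma 'contains' is case-insensitive unless a 'cased' modifier is used.
    return needle.lower() in value.lower()


def matches_selection(event: dict) -> bool:
    """selection: Image ends with '\\schtasks.exe' AND CommandLine contains ' /create '."""
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    return _endswith(image, "\\schtasks.exe") and _contains(cmdline, " /create ")


def is_system_user(event: dict) -> bool:
    """filter_main_system_user: User contains any of the SYSTEM account markers."""
    user = event.get("User", "")
    return any(_contains(user, marker) for marker in SYSTEM_USER_MARKERS)


def rule_matches(event: dict) -> bool:
    """condition: selection and not 1 of filter_main_*"""
    return matches_selection(event) and not is_system_user(event)


def run(events: list) -> list:
    """Return the events that would raise an alert under the rule."""
    return [e for e in events if rule_matches(e)]


# Constructed sample events (illustrative only).
SAMPLE_EVENTS = [
    # 1. A user creates a task: selection matches, filter does not -> alert.
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "Updater" /tr "C:\Users\alice\u.exe" /sc minute /mo 5',
     "User": r"CORP\alice"},
    # 2. Same command run as SYSTEM (mixed-case switch): selection matches
    #    case-insensitively, but the User filter suppresses it.
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /Create /TN "Installer" /TR msiexec.exe /SC ONSTART',
     "User": r"NT AUTHORITY\SYSTEM"},
    # 3. A query, not a creation: selection does not match.
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks /query /tn Updater",
     "User": r"CORP\alice"},
    # 4. cmd.exe launching schtasks: the rule keys on the schtasks.exe process
    #    itself, which would appear as its own process_creation event.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c schtasks /create /tn x /tr y",
     "User": r"CORP\bob"},
]


if __name__ == "__main__":
    for hit in run(SAMPLE_EVENTS):
        print("ALERT:", hit["User"], "->", hit["CommandLine"])
```

Two details of the rule are worth noticing when tuning it: the `' /create '` pattern is padded with spaces on both sides, so it matches the switch as a whole token rather than a substring of something else, and the SYSTEM filter keys on the `User` field, so a rule deployment must map that field from the telemetry source (for example Sysmon Event ID 1 or Security 4688) for the exclusion to work.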
Related rules
- HackTool - Default PowerSploit/Empire Scheduled Task Creation
- Important Scheduled Task Deleted/Disabled
- Kapeka Backdoor Scheduled Task Creation
- Suspicious Scheduled Task Creation
- Suspicious Scheduled Task Update