Suspicious Scheduled Task Creation Involving Temp Folder
Detects the creation of scheduled tasks that involves a temporary folder and runs only once
Sigma rule

title: Suspicious Scheduled Task Creation Involving Temp Folder
id: 39019a4e-317f-4ce3-ae63-309a8c6b53c5
status: test
description: Detects the creation of scheduled tasks that involves a temporary folder and runs only once
references:
    - https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3
author: Florian Roth (Nextron Systems)
date: 2021/03/11
modified: 2022/10/09
tags:
    - attack.execution
    - attack.persistence
    - attack.t1053.005
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\schtasks.exe'
        CommandLine|contains|all:
            - ' /create '
            - ' /sc once '
            - '\Temp\'
    condition: selection
fields:
    - CommandLine
    - ParentCommandLine
falsepositives:
    - Administrative activity
    - Software installation
level: high
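To show what the selection above actually matches, here is the rule's detection logic re-implemented over a few constructed process_creation events. This is an added illustration, not part of the rule or of the Sigma project; the event dictionaries and the field names Image, CommandLine and ParentCommandLine follow the rule, and Sigma string modifiers are treated as case-insensitive, as the standard specifies.

```python
"""Evaluate the rule's `selection` against constructed Windows process_creation events."""
from typing import Iterable

# Clauses transcribed from the rule. Sigma `endswith` / `contains` compare
# case-insensitively, so both sides are lower-cased before matching.
IMAGE_ENDSWITH = "\\schtasks.exe"
CMDLINE_CONTAINS_ALL = (" /create ", " /sc once ", "\\temp\\")


def matches(event: dict) -> bool:
    """Return True when every clause of `selection` holds for this event."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    if not image.endswith(IMAGE_ENDSWITH):
        return False
    # `contains|all`: every listed substring must be present.
    return all(needle in cmdline for needle in CMDLINE_CONTAINS_ALL)


def alerts(events: Iterable[dict]) -> list:
    """Return the rule's `fields` for each event that fires (level: high)."""
    return [
        {"CommandLine": e.get("CommandLine", ""),
         "ParentCommandLine": e.get("ParentCommandLine", "")}
        for e in events if matches(e)
    ]


# Constructed sample events for illustration; these are not real telemetry.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\schtasks.exe",          # fires: once + \Temp\
     "CommandLine": 'schtasks.exe /create /sc once /tn "Upd" /tr "C:\\Windows\\Temp\\u.bat" /st 23:00',
     "ParentCommandLine": "cmd.exe"},
    {"Image": "C:\\Windows\\System32\\schtasks.exe",          # benign: daily task, no Temp
     "CommandLine": "schtasks.exe /create /sc daily /tn Backup /tr C:\\Tools\\backup.exe",
     "ParentCommandLine": "explorer.exe"},
    {"Image": "C:\\Windows\\System32\\cmd.exe",               # wrong image
     "CommandLine": "cmd.exe /c copy a.txt C:\\Users\\x\\AppData\\Local\\Temp\\b.txt",
     "ParentCommandLine": "explorer.exe"},
    {"Image": "C:\\WINDOWS\\SYSTEM32\\SCHTASKS.EXE",          # fires: case differs only
     "CommandLine": "SCHTASKS.EXE /Create /SC ONCE /TN T /TR C:\\Windows\\TEMP\\a.exe /ST 00:00",
     "ParentCommandLine": "powershell.exe"},
]

if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print("ALERT:", hit["CommandLine"], "| parent:", hit["ParentCommandLine"])
```

The two hits also show why the rule lists CommandLine and ParentCommandLine under `fields`: the parent is what lets an analyst separate an installer or admin session (the listed false positives) from an unexpected launcher.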
Related rules
- Scheduled task executing powershell encoded payload from registry
- Windows Scheduled Task Behaving Improperly or Suspiciously
- Windows Scheduled Task Create Shell
- Windows Scheduled Task Making Suspicious Network Connection