Schtasks From Suspicious Folders

Detects scheduled task creations (schtasks.exe /create) whose task action runs a command interpreter (PowerShell, pwsh or cmd /c, /k, /r) against a path under C:\ProgramData\ or %ProgramData%, a combination that is rarely legitimate and that the referenced Lazarus "Dream Job" intrusion used for persistence.

Sigma rule

title: Schtasks From Suspicious Folders
id: 8a8379b8-780b-4dbf-b1e9-31c8d112fefb
status: test
description: Detects scheduled task creations that have suspicious action command and folder combinations
references:
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-dream-job-chemical
author: Florian Roth (Nextron Systems)
date: 2022-04-15
modified: 2022-11-18
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.t1053.005
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\schtasks.exe'
        - OriginalFileName: 'schtasks.exe'
    selection_create:
        CommandLine|contains: ' /create '
    selection_command:
        CommandLine|contains:
            - 'powershell'
            - 'pwsh'
            - 'cmd /c '
            - 'cmd /k '
            - 'cmd /r '
            - 'cmd.exe /c '
            - 'cmd.exe /k '
            - 'cmd.exe /r '
    selection_all_folders:
        CommandLine|contains:
            - 'C:\ProgramData\'
            - '%ProgramData%'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
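The rule's logic, evaluated over a handful of constructed process-creation events, as an added example that is not part of the rule or of the Sigma project. It mirrors the four selections and the `all of selection_*` condition with Sigma's default case-insensitive string matching, so it also shows which events the rule does not fire on: a task that launches a plain executable from ProgramData with no interpreter, an interpreter pointed at a benign folder, and a `/query` rather than `/create`. The event dictionaries are made up for illustration and use Sysmon-style field names, not real telemetry.

```python
"""Evaluate the 'Schtasks From Suspicious Folders' detection over sample events.

Added example: the events below are constructed, not captured logs, and the
field names (Image, OriginalFileName, CommandLine) follow the Sigma
process_creation log source as produced by a Sysmon EID 1 mapping.
"""

SCHTASKS_IMAGE_SUFFIX = "\\schtasks.exe"        # Image|endswith
SCHTASKS_ORIGINAL_NAME = "schtasks.exe"         # OriginalFileName
CREATE_FLAG = " /create "                       # note the surrounding spaces
COMMAND_INTERPRETERS = [                        # selection_command
    "powershell", "pwsh",
    "cmd /c ", "cmd /k ", "cmd /r ",
    "cmd.exe /c ", "cmd.exe /k ", "cmd.exe /r ",
]
SUSPICIOUS_FOLDERS = ["C:\\ProgramData\\", "%ProgramData%"]   # selection_all_folders


def _lc(value):
    # Sigma string modifiers (contains/endswith/equals) are case-insensitive
    # unless |cased is used, so normalise both sides before comparing.
    return (value or "").lower()


def selection_img(event):
    # A list of single-key maps inside one selection is OR'ed, which is what
    # lets the OriginalFileName check catch a renamed schtasks.exe.
    return (_lc(event.get("Image")).endswith(SCHTASKS_IMAGE_SUFFIX)
            or _lc(event.get("OriginalFileName")) == SCHTASKS_ORIGINAL_NAME)


def selection_create(event):
    return CREATE_FLAG in _lc(event.get("CommandLine"))


def selection_command(event):
    cmdline = _lc(event.get("CommandLine"))
    return any(_lc(needle) in cmdline for needle in COMMAND_INTERPRETERS)


def selection_all_folders(event):
    cmdline = _lc(event.get("CommandLine"))
    return any(_lc(needle) in cmdline for needle in SUSPICIOUS_FOLDERS)


def rule_matches(event):
    """condition: all of selection_* -> every selection must hold."""
    return all(sel(event) for sel in (selection_img, selection_create,
                                      selection_command, selection_all_folders))


def evaluate(events):
    """Return the indexes of the events the rule fires on."""
    return [i for i, ev in enumerate(events) if rule_matches(ev)]


# Constructed sample events (hypothetical, for illustration only).
SAMPLE_EVENTS = [
    # 0: textbook hit - PowerShell script staged under C:\ProgramData
    {"Image": r"C:\Windows\System32\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "CommandLine": r'schtasks.exe /create /tn Updater /sc minute /mo 5 /tr "powershell -w hidden -f C:\ProgramData\run.ps1"'},
    # 1: renamed copy of schtasks.exe and upper-case switches - still a hit via OriginalFileName
    {"Image": r"C:\Users\Public\svc.exe", "OriginalFileName": "schtasks.exe",
     "CommandLine": r'svc.exe /CREATE /TN Sync /SC ONLOGON /TR "cmd.exe /c %ProgramData%\s.bat"'},
    # 2: vendor agent under ProgramData launched directly, no interpreter - no hit
    {"Image": r"C:\Windows\System32\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "CommandLine": r'schtasks.exe /create /tn Agent /sc daily /tr "C:\ProgramData\Vendor\agent.exe"'},
    # 3: interpreter, but script lives under Program Files - no hit
    {"Image": r"C:\Windows\System32\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "CommandLine": r'schtasks.exe /create /tn Backup /sc weekly /tr "pwsh -f C:\Program Files\Backup\run.ps1"'},
    # 4: query rather than create - no hit
    {"Image": r"C:\Windows\System32\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "CommandLine": r"schtasks.exe /query /tn Updater /v"},
]

if __name__ == "__main__":
    for i, event in enumerate(SAMPLE_EVENTS):
        print(f"event {i}: {'ALERT' if rule_matches(event) else 'ok   '} {event['CommandLine']}")
```

Event 2 is worth noting when tuning: a task that runs a binary out of ProgramData without an interpreter is deliberately outside this rule's scope, so a rule covering that pattern needs its own false-positive handling for legitimate agents that install there. The ` /create ` pattern also requires a space after the switch, so a command line in which `/create` is the last token, or is separated by a tab, would not match.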
