Schtasks From Suspicious Folders
Detects scheduled task creations that have suspicious action command and folder combinations
Sigma rule
title: Schtasks From Suspicious Folders
id: 8a8379b8-780b-4dbf-b1e9-31c8d112fefb
status: test
description: Detects scheduled task creations that have suspicious action command and folder combinations
references:
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-dream-job-chemical
author: Florian Roth (Nextron Systems)
date: 2022-04-15
modified: 2022-11-18
tags:
    - attack.execution
    - attack.t1053.005
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\schtasks.exe'
        - OriginalFileName: 'schtasks.exe'
    selection_create:
        CommandLine|contains: ' /create '
    selection_command:
        CommandLine|contains:
            - 'powershell'
            - 'pwsh'
            - 'cmd /c '
            - 'cmd /k '
            - 'cmd /r '
            - 'cmd.exe /c '
            - 'cmd.exe /k '
            - 'cmd.exe /r '
    selection_all_folders:
        CommandLine|contains:
            - 'C:\ProgramData\'
            - '%ProgramData%'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
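To make the rule's logic concrete, the following Python is an added example (not part of the Sigma project or this rule) that re-implements the four selections and the `all of selection_*` condition as a plain matcher and runs it over a handful of constructed process_creation events. It assumes Sigma's default semantics: `contains` and `endswith` compare case-insensitively, a list under one field is OR-ed, and a list of maps (as in `selection_img`) is OR-ed across its entries. The event dictionaries, task names and paths are invented test data, not real telemetry.

```python
from typing import Dict, Iterable, List

# String literals taken from the rule's selections.
IMAGE_SUFFIX = "\\schtasks.exe"
ORIGINAL_FILENAME = "schtasks.exe"
CREATE_TOKEN = " /create "          # note the surrounding spaces, as in the rule
COMMAND_TOKENS = [
    "powershell", "pwsh",
    "cmd /c ", "cmd /k ", "cmd /r ",
    "cmd.exe /c ", "cmd.exe /k ", "cmd.exe /r ",
]
FOLDER_TOKENS = ["C:\\ProgramData\\", "%ProgramData%"]


def _contains_any(value: str, tokens: Iterable[str]) -> bool:
    """Sigma 'contains' over a list: OR-ed, case-insensitive (assumed default)."""
    lowered = value.lower()
    return any(token.lower() in lowered for token in tokens)


def matches_rule(event: Dict[str, str]) -> bool:
    """Return True when a process_creation event satisfies every selection."""
    image = event.get("Image", "")
    original = event.get("OriginalFileName", "")
    cmdline = event.get("CommandLine", "")

    # selection_img is a list of maps, so either branch is enough; the
    # OriginalFileName branch still fires if schtasks.exe was copied/renamed.
    selection_img = (
        image.lower().endswith(IMAGE_SUFFIX.lower())
        or original.lower() == ORIGINAL_FILENAME.lower()
    )
    selection_create = CREATE_TOKEN in cmdline.lower()
    selection_command = _contains_any(cmdline, COMMAND_TOKENS)
    selection_all_folders = _contains_any(cmdline, FOLDER_TOKENS)

    # condition: all of selection_*
    return (selection_img and selection_create
            and selection_command and selection_all_folders)


def find_hits(events: List[Dict[str, str]]) -> List[int]:
    """Indices of the events the rule would alert on."""
    return [i for i, event in enumerate(events) if matches_rule(event)]


# Constructed sample events (invented for this example, not real logs).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # 0: cmd /c action pointing into C:\ProgramData\ -> expected hit
        "Image": r"C:\Windows\System32\schtasks.exe",
        "OriginalFileName": "schtasks.exe",
        "CommandLine": r'schtasks /create /sc minute /mo 5 /tn Updater /tr "cmd /c C:\ProgramData\u.bat"',
    },
    {   # 1: same shape but the folder is not ProgramData -> no hit
        "Image": r"C:\Windows\System32\schtasks.exe",
        "OriginalFileName": "schtasks.exe",
        "CommandLine": r'schtasks /create /sc daily /tn Backup /tr "cmd /c C:\Tools\backup.bat"',
    },
    {   # 2: ProgramData path but no powershell/cmd wrapper -> no hit
        "Image": r"C:\Windows\System32\schtasks.exe",
        "OriginalFileName": "schtasks.exe",
        "CommandLine": r'schtasks /create /sc hourly /tn Agent /tr "%ProgramData%\Vendor\agent.exe"',
    },
    {   # 3: binary renamed, caught via OriginalFileName -> expected hit
        "Image": r"C:\Users\Public\svc.exe",
        "OriginalFileName": "schtasks.exe",
        "CommandLine": r'svc.exe /create /sc onlogon /tn Sync /tr "powershell -File %ProgramData%\Sync\s.ps1"',
    },
    {   # 4: task deletion, not creation -> no hit
        "Image": r"C:\Windows\System32\schtasks.exe",
        "OriginalFileName": "schtasks.exe",
        "CommandLine": r"schtasks /delete /tn Updater /f",
    },
]

if __name__ == "__main__":
    for index in find_hits(SAMPLE_EVENTS):
        print(f"ALERT event {index}: {SAMPLE_EVENTS[index]['CommandLine']}")
```

Two details worth noticing when tuning this rule: `' /create '` carries spaces on both sides, so it keys on the switch as a separate token rather than on any substring, and `selection_command` only covers actions wrapped in PowerShell or cmd, which is why event 2 (a bare executable under `%ProgramData%`) does not fire even though the folder matches.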
Related rules
- HackTool - Default PowerSploit/Empire Scheduled Task Creation
- Important Scheduled Task Deleted/Disabled
- Kapeka Backdoor Scheduled Task Creation
- Operation Wocao Activity
- Operation Wocao Activity - Security