Suspicious Add Scheduled Task Parent
Detects suspicious scheduled task creations from a parent stored in a temporary folder
Sigma rule

```yaml
title: Suspicious Add Scheduled Task Parent
id: 9494479d-d994-40bf-a8b1-eea890237021
status: test
description: Detects suspicious scheduled task creations from a parent stored in a temporary folder
references:
    - https://app.any.run/tasks/649e7b46-9bec-4d05-98a5-dfa9a13eaae5/
author: Florian Roth (Nextron Systems)
date: 2022/02/23
modified: 2022/06/02
tags:
    - attack.execution
    - attack.t1053.005
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith: '\schtasks.exe'
        CommandLine|contains: '/Create '
        ParentImage|contains:
            - '\AppData\Local\'
            - '\AppData\Roaming\'
            - '\Temporary Internet'
            - '\Users\Public\'
    filter:
        CommandLine|contains:
            - 'update_task.xml'
            - 'unattended.ini'
    condition: selection and not 1 of filter*
falsepositives:
    - Software installers that run from temporary folders and also install scheduled tasks
level: medium
```
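To see exactly which process-creation events the rule would fire on, the detection block above is re-implemented here in plain Python and run over a handful of constructed Sysmon Event ID 1 style records. This is an added example, not code from the Sigma project or the rule author; the sample events, their `id` keys and the paths in them are made up for illustration. Two details of Sigma semantics matter: `|endswith` and `|contains` compare case-insensitively by default, so a lowercase `/create` still matches, and `'/Create '` carries a trailing space, so the match requires at least one more character after the switch.

```python
# Added example (not part of the rule or the Sigma project): the rule's
# selection/filter/condition evaluated in plain Python over constructed
# process_creation records. Field names follow the Sigma windows
# process_creation taxonomy (Image, CommandLine, ParentImage).

# detection.selection: every key must match (AND); a list under one key is OR.
IMAGE_ENDSWITH = "\\schtasks.exe"
COMMANDLINE_CONTAINS = "/create "          # trailing space kept, as in the rule
PARENTIMAGE_CONTAINS = [
    "\\appdata\\local\\",
    "\\appdata\\roaming\\",
    "\\temporary internet",
    "\\users\\public\\",
]

# detection.filter: any one value matching excludes the event.
FILTER_COMMANDLINE_CONTAINS = ["update_task.xml", "unattended.ini"]


def selection_matches(event: dict) -> bool:
    """Equivalent of the 'selection' map (Sigma modifiers are case-insensitive)."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    parent = event.get("ParentImage", "").lower()
    return (
        image.endswith(IMAGE_ENDSWITH)
        and COMMANDLINE_CONTAINS in cmdline
        and any(p in parent for p in PARENTIMAGE_CONTAINS)
    )


def filter_matches(event: dict) -> bool:
    """Equivalent of the 'filter' map."""
    cmdline = event.get("CommandLine", "").lower()
    return any(f in cmdline for f in FILTER_COMMANDLINE_CONTAINS)


def rule_matches(event: dict) -> bool:
    """condition: selection and not 1 of filter*"""
    return selection_matches(event) and not filter_matches(event)


def run(events):
    """Return the ids of the events the rule would alert on, in input order."""
    return [e["id"] for e in events if rule_matches(e)]


# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    {   # dropper in AppData\Roaming persisting via a 5-minute task -> alert
        "id": "e1",
        "Image": "C:\\Windows\\System32\\schtasks.exe",
        "CommandLine": 'schtasks.exe /Create /SC MINUTE /MO 5 /TN "OneDriveUpd" '
                       '/TR "C:\\Users\\bob\\AppData\\Roaming\\svc.exe" /F',
        "ParentImage": "C:\\Users\\bob\\AppData\\Roaming\\svc.exe",
    },
    {   # installer staged in Users\Public importing update_task.xml -> excluded by filter
        "id": "e2",
        "Image": "C:\\Windows\\System32\\schtasks.exe",
        "CommandLine": 'schtasks.exe /Create /TN "VendorUpdate" /XML "C:\\Users\\Public\\update_task.xml"',
        "ParentImage": "C:\\Users\\Public\\setup.exe",
    },
    {   # lowercase switch and SysWOW64 copy; still matches case-insensitively -> alert
        "id": "e3",
        "Image": "c:\\windows\\syswow64\\schtasks.exe",
        "CommandLine": 'schtasks.exe /create /sc onlogon /tn "Update" /tr "%LOCALAPPDATA%\\Temp\\a.vbs"',
        "ParentImage": "C:\\Users\\bob\\AppData\\Local\\Temp\\payload.exe",
    },
    {   # task deletion from the same parent, not a creation -> no alert
        "id": "e4",
        "Image": "C:\\Windows\\System32\\schtasks.exe",
        "CommandLine": 'schtasks.exe /Delete /TN "Update" /F',
        "ParentImage": "C:\\Users\\bob\\AppData\\Local\\Temp\\payload.exe",
    },
    {   # identical creation, but the parent lives under Program Files -> no alert
        "id": "e5",
        "Image": "C:\\Windows\\System32\\schtasks.exe",
        "CommandLine": 'schtasks.exe /Create /SC DAILY /TN "VendorUpdate" /TR "C:\\Program Files\\Vendor\\upd.exe"',
        "ParentImage": "C:\\Program Files\\Vendor\\setup.exe",
    },
]

if __name__ == "__main__":
    print(run(SAMPLE_EVENTS))  # ['e1', 'e3']
```

Event `e2` shows the documented false-positive case: the selection matches, but the `update_task.xml` filter suppresses it, so an installer that imports a differently named task XML from `Users\Public` would still alert and needs a local filter if it is expected in your environment.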
Related rules
- Schtasks From Suspicious Folders
- Suspicious Modification Of Scheduled Tasks
- Suspicious Scheduled Task Creation
- Suspicious Scheduled Task Name As GUID
- Suspicious Scheduled Task Update