Suspicious Schtasks Schedule Types

calendar Oct 23, 2025 · attack.privilege-escalation attack.persistence attack.execution attack.t1053.005  ·
Share on: linkedin copy

Detects scheduled task creations or modification on a suspicious schedule type

Sigma rule (View on GitHub)

 1title: Suspicious Schtasks Schedule Types
 2id: 24c8392b-aa3c-46b7-a545-43f71657fe98
 3related:
 4    - id: 7a02e22e-b885-4404-b38b-1ddc7e65258a
 5      type: similar
 6status: test
 7description: Detects scheduled task creations or modification on a suspicious schedule type
 8references:
 9    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change
10    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create
11    - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
12author: Nasreddine Bencherchali (Nextron Systems)
13date: 2022-09-09
14tags:
15    - attack.privilege-escalation
16    - attack.persistence
17    - attack.execution
18    - attack.t1053.005
19logsource:
20    product: windows
21    category: process_creation
22detection:
23    selection_img:
24        - Image|endswith: '\schtasks.exe'
25        - OriginalFileName: 'schtasks.exe'
26    selection_time:
27        CommandLine|contains:
28            - ' ONLOGON '
29            - ' ONSTART '
30            - ' ONCE '
31            - ' ONIDLE '
32    filter_privs:
33        CommandLine|contains:
34            - 'NT AUT' # This covers the usual NT AUTHORITY\SYSTEM
35            - ' SYSTEM' # SYSTEM is a valid value for schtasks hence it gets it's own value with space
36            - 'HIGHEST'
37    condition: all of selection_* and not 1 of filter_*
38falsepositives:
39    - Legitimate processes that run at logon. Filter according to your environment
40level: high

References

  • schtasks change

    Reference article for the schtasks change command, which schedules commands and programs to run periodically or at a specific time, adds and removes tasks from the schedule, starts and stops tasks on demand, and displays and changes scheduled tasks.


    Read More

  • schtasks create

    Reference article for the schtasks create command to automate tasks.


    Read More

  • Lazarus and the tale of three RATs

    Cisco Talos assesses with high confidence these attacks have been conducted by the North Korean state-sponsored threat actor Lazarus Group.


    Read More

Related rules

to-top