Suspicious Schtasks Schedule Types

Detects scheduled task creation or modification using a suspicious schedule type (ONLOGON, ONSTART, ONCE, ONIDLE) when the task is not explicitly run as SYSTEM or with the highest privilege level

Sigma rule (View on GitHub)

title: Suspicious Schtasks Schedule Types
id: 24c8392b-aa3c-46b7-a545-43f71657fe98
related:
    - id: 7a02e22e-b885-4404-b38b-1ddc7e65258a
      type: similar
status: test
description: Detects scheduled task creation or modification using a suspicious schedule type
references:
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create
    - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/09/09
tags:
    - attack.execution
    - attack.t1053.005
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\schtasks.exe'
        - OriginalFileName: 'schtasks.exe'
    selection_time:
        CommandLine|contains:
            - ' ONLOGON '
            - ' ONSTART '
            - ' ONCE '
            - ' ONIDLE '
    filter_privs:
        CommandLine|contains:
            - 'NT AUT' # This covers the usual NT AUTHORITY\SYSTEM
            - ' SYSTEM' # SYSTEM is a valid value for schtasks, hence it gets its own entry with a leading space
            - 'HIGHEST'
    condition: all of selection_* and not 1 of filter_*
falsepositives:
    - Legitimate processes that run at logon. Filter according to your environment
level: high
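To make the condition concrete, the following Python re-implements the rule's three sections and its `all of selection_* and not 1 of filter_*` condition and runs them over a handful of constructed process-creation events. This is an added example for this page, not code from SigmaHQ or from the rule author, and the events, their `id` labels and the paths in them are made up for illustration. It assumes Sigma's default behaviour that `contains`, `endswith` and plain value matches are case-insensitive, which is why a lowercase `/sc once` still fires and why a renamed binary is still caught through `OriginalFileName`.

```python
"""Evaluate the 'Suspicious Schtasks Schedule Types' logic over sample events.

Added example, not part of the Sigma rule or of SigmaHQ tooling. String
matching is case-insensitive, matching Sigma's default modifiers.
"""

# Values copied from the rule's detection section
SELECTION_IMG_SUFFIX = "\\schtasks.exe"        # Image|endswith
SELECTION_IMG_ORIGINAL = "schtasks.exe"        # OriginalFileName
SELECTION_TIME = [" ONLOGON ", " ONSTART ", " ONCE ", " ONIDLE "]
FILTER_PRIVS = ["NT AUT", " SYSTEM", "HIGHEST"]


def _contains_any(value: str, needles: list[str]) -> bool:
    """Sigma 'contains' over a list: any needle as a case-insensitive substring."""
    lowered = value.lower()
    return any(needle.lower() in lowered for needle in needles)


def selection_img(event: dict) -> bool:
    """Either list entry matches (Sigma list under a selection is OR)."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith(SELECTION_IMG_SUFFIX.lower()) or original == SELECTION_IMG_ORIGINAL


def selection_time(event: dict) -> bool:
    return _contains_any(event.get("CommandLine", ""), SELECTION_TIME)


def filter_privs(event: dict) -> bool:
    return _contains_any(event.get("CommandLine", ""), FILTER_PRIVS)


def matches(event: dict) -> bool:
    """condition: all of selection_* and not 1 of filter_*"""
    return selection_img(event) and selection_time(event) and not filter_privs(event)


# Constructed process_creation events (hypothetical paths and task names)
SAMPLE_EVENTS = [
    {"id": "e1_onlogon_user",
     "Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": 'schtasks.exe /Create /SC ONLOGON /TN Updater /TR "C:\\example\\task.exe"'},
    {"id": "e2_onlogon_system",  # explicit SYSTEM account: excluded by filter_privs
     "Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": 'schtasks.exe /Create /SC ONLOGON /TN Updater /TR "C:\\example\\task.exe" /RU "NT AUTHORITY\\SYSTEM"'},
    {"id": "e3_onstart_highest",  # /RL HIGHEST: excluded by filter_privs
     "Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": "schtasks.exe /Create /SC ONSTART /TN Agent /TR C:\\example\\agent.exe /RL HIGHEST"},
    {"id": "e4_daily",  # schedule type not in the suspicious list
     "Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": "schtasks.exe /Create /SC DAILY /ST 09:00 /TN Report /TR C:\\example\\report.cmd"},
    {"id": "e5_renamed_binary",  # Image renamed, still caught via OriginalFileName
     "Image": "C:\\Temp\\st.exe", "OriginalFileName": "schtasks.exe",
     "CommandLine": "st.exe /Create /SC ONIDLE /I 10 /TN Idle /TR C:\\example\\idle.exe"},
    {"id": "e6_lowercase_once",  # lowercase still matches (case-insensitive contains)
     "Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": "schtasks.exe /create /sc once /st 12:00 /tn Backup /tr C:\\example\\backup.cmd"},
    {"id": "e7_not_schtasks",  # right keywords, wrong image
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe ONLOGON notes.txt"},
]


def alerting_event_ids(events: list[dict] = SAMPLE_EVENTS) -> list[str]:
    """Return the ids of events the rule would alert on, in input order."""
    return [event["id"] for event in events if matches(event)]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(f"{event['id']:<20} -> {'ALERT' if matches(event) else 'no match'}")
```

Running it shows the three alerts (`e1_onlogon_user`, `e5_renamed_binary`, `e6_lowercase_once`) and that the SYSTEM and HIGHEST variants are dropped by `filter_privs`, which is the rule's way of leaving elevated tasks to the related rule and keeping this one focused on user-context tasks with logon, start, once or idle triggers. The leading space in the `' ONLOGON '`-style needles is what keeps `/SC ONLOGON` from matching inside unrelated words, so keep it if you tune the list for your environment.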
