Suspicious Schtasks Schedule Type With High Privileges

Detects scheduled task creation or modification to be run with high privileges on a suspicious schedule type

Sigma rule

title: Suspicious Schtasks Schedule Type With High Privileges
id: 7a02e22e-b885-4404-b38b-1ddc7e65258a
related:
    - id: 24c8392b-aa3c-46b7-a545-43f71657fe98
      type: similar
status: test
description: Detects scheduled task creation or modification to be run with high privileges on a suspicious schedule type
references:
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-31
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.t1053.005
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\schtasks.exe'
        - OriginalFileName: 'schtasks.exe'
    selection_time:
        CommandLine|contains:
            - ' ONLOGON '
            - ' ONSTART '
            - ' ONCE '
            - ' ONIDLE '
    selection_privs:
        CommandLine|contains:
            - 'NT AUT' # This covers the usual NT AUTHORITY\SYSTEM
            - ' SYSTEM' # SYSTEM is a valid value for schtasks, hence it gets its own value with a leading space
            - 'HIGHEST'
    condition: all of selection_*
falsepositives:
    - Some installers were seen using this method of creation unfortunately. Filter them in your environment
level: medium
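To make the matching logic concrete, here is an added example (not part of the rule or the Sigma project) that evaluates the three selections above over a handful of constructed process-creation events. It reproduces Sigma's default case-insensitive string matching, shows why `OriginalFileName` catches a renamed `schtasks.exe` binary, and adds a hypothetical `parent_allowlist` parameter as one way to implement the installer filtering the `falsepositives` entry recommends. All event records, paths and task names below are constructed sample data.

```python
"""Evaluate the 'Suspicious Schtasks Schedule Type With High Privileges' logic over sample events.

Added example: the matching functions and the sample events are constructed for illustration
and are not part of the Sigma rule or any real log source.
"""
from typing import Dict, Iterable, List

# Tokens taken directly from the rule's selections.
SCHEDULE_TYPES = [" ONLOGON ", " ONSTART ", " ONCE ", " ONIDLE "]
PRIV_TOKENS = ["NT AUT", " SYSTEM", "HIGHEST"]

# Constructed process-creation events (field names follow the Sigma process_creation schema).
EVENTS: List[Dict[str, str]] = [
    {  # task to run at logon as SYSTEM from a user-writable path: all three selections match
        "EventId": "evt-1",
        "Image": r"C:\Windows\System32\schtasks.exe",
        "OriginalFileName": "schtasks.exe",
        "ParentImage": r"C:\Program Files\Vendor\setup.exe",
        "CommandLine": r'schtasks /create /tn "Updater" /tr "C:\Users\Public\u.exe" /sc ONLOGON /ru SYSTEM',
    },
    {  # SYSTEM privileges but a DAILY schedule: selection_time does not match
        "EventId": "evt-2",
        "Image": r"C:\Windows\System32\schtasks.exe",
        "OriginalFileName": "schtasks.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'schtasks /create /tn "Maint" /tr "C:\Program Files\Vendor\maint.exe" /sc DAILY /st 02:00 /ru "NT AUTHORITY\SYSTEM"',
    },
    {  # suspicious schedule type but no privilege token: selection_privs does not match
        "EventId": "evt-3",
        "Image": r"C:\Windows\System32\schtasks.exe",
        "OriginalFileName": "schtasks.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'schtasks /create /tn "Sync" /tr "C:\Tools\sync.exe" /sc ONIDLE /i 10',
    },
    {  # renamed copy of schtasks.exe: only OriginalFileName identifies it; tokens in lower case
        "EventId": "evt-4",
        "Image": r"C:\Temp\st.exe",
        "OriginalFileName": "schtasks.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'st.exe /create /tn "x" /tr "C:\Temp\x.exe" /sc onstart /ru system',
    },
]


def selection_img(event: Dict[str, str]) -> bool:
    """Either Image ends with \\schtasks.exe or OriginalFileName equals schtasks.exe (case-insensitive)."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\schtasks.exe") or original == "schtasks.exe"


def selection_time(event: Dict[str, str]) -> bool:
    """CommandLine contains one of the suspicious schedule types (Sigma 'contains' is case-insensitive)."""
    cmd = event.get("CommandLine", "").lower()
    return any(token.lower() in cmd for token in SCHEDULE_TYPES)


def selection_privs(event: Dict[str, str]) -> bool:
    """CommandLine contains one of the high-privilege tokens."""
    cmd = event.get("CommandLine", "").lower()
    return any(token.lower() in cmd for token in PRIV_TOKENS)


def matches_rule(event: Dict[str, str]) -> bool:
    """condition: all of selection_*"""
    return selection_img(event) and selection_time(event) and selection_privs(event)


def evaluate(events: Iterable[Dict[str, str]], parent_allowlist: Iterable[str] = ()) -> List[str]:
    """Return the EventIds that fire the rule.

    parent_allowlist is a hypothetical tuning knob: ParentImage values (compared case-insensitively)
    of installers known in your environment, implementing the rule's falsepositives advice.
    """
    allowed = {p.lower() for p in parent_allowlist}
    hits = []
    for event in events:
        if not matches_rule(event):
            continue
        if event.get("ParentImage", "").lower() in allowed:
            continue
        hits.append(event["EventId"])
    return hits


if __name__ == "__main__":
    print("alerts:", evaluate(EVENTS))
    print("alerts after installer filter:", evaluate(EVENTS, parent_allowlist=(r"C:\Program Files\Vendor\setup.exe",)))
```

Events 1 and 4 fire, events 2 and 3 do not: a DAILY task run as SYSTEM is outside the rule's scope by design, and an ONIDLE task without a privilege token is not what the rule is after. Event 4 shows the value of the `OriginalFileName` alternative in `selection_img`: a renamed binary still carries the original file name in its version resource, and lower-cased arguments are still matched because Sigma string modifiers are case-insensitive by default.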
