Suspicious Schtasks Schedule Type With High Privileges
Detects scheduled task creation or modification that is set to run with high privileges on a suspicious schedule type.
Sigma rule
```yaml
title: Suspicious Schtasks Schedule Type With High Privileges
id: 7a02e22e-b885-4404-b38b-1ddc7e65258a
related:
    - id: 24c8392b-aa3c-46b7-a545-43f71657fe98
      type: similar
status: test
description: Detects scheduled task creation or modification that is set to run with high privileges on a suspicious schedule type
references:
    - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change
    - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/08/31
tags:
    - attack.execution
    - attack.t1053.005
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\schtasks.exe'
        - OriginalFileName: 'schtasks.exe'
    selection_time:
        CommandLine|contains:
            - ' ONLOGON '
            - ' ONSTART '
            - ' ONCE '
            - ' ONIDLE '
    selection_privs:
        CommandLine|contains:
            - 'NT AUT'   # Covers the usual NT AUTHORITY\SYSTEM
            - ' SYSTEM'  # SYSTEM is a valid value for schtasks on its own, hence a separate entry with a leading space
            - 'HIGHEST'
    condition: all of selection_*
falsepositives:
    - Some installers have been seen creating tasks this way. Filter them in your environment.
level: medium
```
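The condition `all of selection_*` only fires when all three selections hold for one event: the image (or its original file name) is schtasks.exe, the command line carries one of the four schedule types, and it carries one of the privilege markers. The following is an added example, not part of the rule or the SigmaHQ project, that evaluates those three selections the way a Sigma backend would over a handful of constructed process_creation events; the event dictionaries and their command lines are invented for illustration. Sigma string modifiers match case-insensitively by default, so the comparisons lowercase both sides.

```python
# Added example (not the rule's or SigmaHQ's code): evaluate the three selections
# of the rule above over constructed process_creation events.
from typing import Dict, List

# Values copied verbatim from the rule's detection section.
IMAGE_SUFFIX = r"\schtasks.exe"
ORIGINAL_FILE_NAME = "schtasks.exe"
SCHEDULE_TYPES = [" ONLOGON ", " ONSTART ", " ONCE ", " ONIDLE "]
PRIV_MARKERS = ["NT AUT", " SYSTEM", "HIGHEST"]


def _contains_any(value: str, needles: List[str]) -> bool:
    """Sigma 'contains' over a list: OR of case-insensitive substring checks."""
    value = value.lower()
    return any(n.lower() in value for n in needles)


def selection_img(event: Dict[str, str]) -> bool:
    """List form under selection_img means OR: either field may satisfy it."""
    image = event.get("Image", "").lower()
    ofn = event.get("OriginalFileName", "").lower()
    return image.endswith(IMAGE_SUFFIX.lower()) or ofn == ORIGINAL_FILE_NAME.lower()


def selection_time(event: Dict[str, str]) -> bool:
    return _contains_any(event.get("CommandLine", ""), SCHEDULE_TYPES)


def selection_privs(event: Dict[str, str]) -> bool:
    return _contains_any(event.get("CommandLine", ""), PRIV_MARKERS)


def evaluate(event: Dict[str, str]) -> Dict[str, bool]:
    """Return each selection's verdict plus the 'all of selection_*' condition."""
    results = {
        "selection_img": selection_img(event),
        "selection_time": selection_time(event),
        "selection_privs": selection_privs(event),
    }
    results["match"] = all(results.values())
    return results


def run_all(events: List[Dict[str, str]]) -> List[Dict[str, bool]]:
    return [evaluate(e) for e in events]


# Constructed sample events (hypothetical telemetry, not captured from a real host).
EVENTS = [
    {   # 0: SYSTEM task at logon -> all three selections true, rule fires
        "Image": r"C:\Windows\System32\schtasks.exe",
        "OriginalFileName": "schtasks.exe",
        "CommandLine": r'schtasks /create /tn "Updater" /sc ONLOGON /ru "NT AUTHORITY\SYSTEM" /tr "C:\Users\Public\u.exe"',
    },
    {   # 1: lowercase 'once' and 'highest' still match (case-insensitive)
        "Image": r"C:\Windows\System32\schtasks.exe",
        "OriginalFileName": "schtasks.exe",
        "CommandLine": r'schtasks /create /tn "Sync" /sc once /st 12:00 /rl highest /tr "C:\Temp\s.exe"',
    },
    {   # 2: SYSTEM task on a DAILY schedule -> selection_time fails, no alert
        "Image": r"C:\Windows\System32\schtasks.exe",
        "OriginalFileName": "schtasks.exe",
        "CommandLine": r'schtasks /create /tn "Backup" /sc DAILY /st 02:00 /ru SYSTEM /tr "C:\Backup\run.exe"',
    },
    {   # 3: renamed copy of schtasks.exe; OriginalFileName keeps selection_img true
        "Image": r"C:\Temp\st.exe",
        "OriginalFileName": "schtasks.exe",
        "CommandLine": r'st.exe /create /tn "X" /sc ONSTART /ru SYSTEM /tr "C:\Temp\x.exe"',
    },
    {   # 4: same command line logged for a different image -> selection_img fails
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": r'schtasks /create /tn "Updater" /sc ONLOGON /ru "NT AUTHORITY\SYSTEM" /tr "C:\Users\Public\u.exe"',
    },
]

if __name__ == "__main__":
    for i, verdict in enumerate(run_all(EVENTS)):
        print(i, verdict)
```

Two details of the rule show up in this walkthrough. Event 3 illustrates why `selection_img` lists `OriginalFileName` next to `Image|endswith`: the PE version resource survives a rename of the binary, so the selection still holds. The leading and trailing spaces in the `selection_time` values mean that a command line in which the schedule type is the very last token (no trailing space) would not match; if your log pipeline trims command lines, account for that when tuning.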
References
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create
Related rules
- Schtasks From Suspicious Folders
- Suspicious Add Scheduled Task Parent
- Suspicious Modification Of Scheduled Tasks
- Suspicious Scheduled Task Creation
- Suspicious Scheduled Task Name As GUID