Suspicious Schtasks Schedule Type With High Privileges

Detects scheduled task creation or modification that runs with high privileges on a suspicious schedule type

Sigma rule

title: Suspicious Schtasks Schedule Type With High Privileges
id: 7a02e22e-b885-4404-b38b-1ddc7e65258a
related:
    - id: 24c8392b-aa3c-46b7-a545-43f71657fe98
      type: similar
status: test
description: Detects scheduled task creation or modification that runs with high privileges on a suspicious schedule type
references:
    - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change
    - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/08/31
tags:
    - attack.execution
    - attack.t1053.005
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\schtasks.exe'
        - OriginalFileName: 'schtasks.exe'
    selection_time:
        CommandLine|contains:
            - ' ONLOGON '
            - ' ONSTART '
            - ' ONCE '
            - ' ONIDLE '
    selection_privs:
        CommandLine|contains:
            - 'NT AUT' # This covers the usual NT AUTHORITY\SYSTEM
            - ' SYSTEM' # SYSTEM is a valid value for schtasks, hence it gets its own value with a leading space
            - 'HIGHEST'
    condition: all of selection_*
falsepositives:
    - Some installers have been seen using this method of task creation. Filter them in your environment
level: medium
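To show how the three selections combine, here is an added Python evaluation of the rule over constructed process_creation events (illustration code written for this page, not part of the rule or the Sigma project; paths and task names are hypothetical). It also applies the environment-specific allowlist that the falsepositives field calls for.

```python
# Added illustration of the rule's logic, not code from the Sigma project.
# Matching mirrors Sigma's default 'contains'/'endswith' semantics: case-insensitive.
SELECTION_TIME = [" ONLOGON ", " ONSTART ", " ONCE ", " ONIDLE "]
SELECTION_PRIVS = ["NT AUT", " SYSTEM", "HIGHEST"]

def _contains_any(value: str, needles) -> bool:
    """Sigma list-valued 'contains': true if any needle is a substring."""
    lowered = value.lower()
    return any(n.lower() in lowered for n in needles)

def matches_rule(event: dict) -> bool:
    """Evaluate 'all of selection_*' for one process_creation event."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    cmd = event.get("CommandLine", "")
    selection_img = image.endswith("\\schtasks.exe") or original == "schtasks.exe"
    selection_time = _contains_any(cmd, SELECTION_TIME)
    selection_privs = _contains_any(cmd, SELECTION_PRIVS)
    return selection_img and selection_time and selection_privs

def alerts(events, known_good_tasks=()):
    """Apply the rule, then drop hits whose /tn name is on a local allowlist."""
    hits = []
    for idx, ev in enumerate(events):
        if not matches_rule(ev):
            continue
        cmd = ev.get("CommandLine", "").lower()
        if any(f"/tn {name.lower()} " in cmd for name in known_good_tasks):
            continue  # known installer task, filtered per the falsepositives note
        hits.append(idx)
    return hits

# Constructed sample events (hypothetical paths and task names, not real telemetry).
EVENTS = [
    {  # SYSTEM account plus ONLOGON trigger: all three selections hold
        "Image": r"C:\Windows\System32\schtasks.exe",
        "CommandLine": r"schtasks /create /tn Updater /tr C:\Example\run.exe /sc ONLOGON /ru SYSTEM",
    },
    {  # same trigger, no elevated account: selection_privs fails
        "Image": r"C:\Windows\System32\schtasks.exe",
        "CommandLine": r"schtasks /create /tn Sync /tr C:\Example\sync.exe /sc onlogon /f",
    },
    {  # binary under another path; selection_img holds through OriginalFileName
        "Image": r"C:\Temp\st.exe",
        "OriginalFileName": "schtasks.exe",
        "CommandLine": r"st.exe /create /tn Svc /tr C:\Example\svc.exe /sc ONSTART /rl HIGHEST",
    },
]
```

Note that the schedule-type strings carry a trailing space, so a `/sc` value at the very end of a command line would not match; the sample events place another argument after it.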
