Suspicious Scheduled Task Creation via Masqueraded XML File

calendar Aug 12, 2024 · attack.defense-evasion attack.persistence attack.t1036.005 attack.t1053.005  ·
Share on: linkedin copy

Detects the creation of a scheduled task using the "-XML" flag with a file without the '.xml' extension. This behavior could be indicative of potential defense evasion attempt during persistence

Sigma rule (View on GitHub)

 1title: Suspicious Scheduled Task Creation via Masqueraded XML File
 2id: dd2a821e-3b07-4d3b-a9ac-929fe4c6ca0c
 3status: test
 4description: Detects the creation of a scheduled task using the "-XML" flag with a file without the '.xml' extension. This behavior could be indicative of potential defense evasion attempt during persistence
 5references:
 6    - https://learn.microsoft.com/en-us/windows/win32/taskschd/daily-trigger-example--xml-
 7    - https://github.com/elastic/protections-artifacts/blob/084067123d3328a823b1c3fdde305b694275c794/behavior/rules/persistence_suspicious_scheduled_task_creation_via_masqueraded_xml_file.toml
 8author: Swachchhanda Shrawan Poudel, Elastic (idea)
 9date: 2023-04-20
10tags:
11    - attack.defense-evasion
12    - attack.persistence
13    - attack.t1036.005
14    - attack.t1053.005
15logsource:
16    product: windows
17    category: process_creation
18detection:
19    selection_img:
20        - Image|endswith: '\schtasks.exe'
21        - OriginalFileName: 'schtasks.exe'
22    selection_cli_create:
23        CommandLine|contains:
24            - '/create'
25            - '-create'
26    selection_cli_xml:
27        CommandLine|contains:
28            - '/xml'
29            - '-xml'
30    filter_main_extension_xml:
31        CommandLine|contains: '.xml'
32    filter_main_system_process:
33        IntegrityLevel: 'System'
34    filter_main_rundll32:
35        ParentImage|endswith: '\rundll32.exe'
36        ParentCommandLine|contains|all:
37            - ':\WINDOWS\Installer\MSI'
38            - '.tmp,zzzzInvokeManagedCustomActionOutOfProc'
39    filter_optional_third_party:
40        ParentImage|endswith:
41            # Consider removing any tools that you don't use to avoid blind spots
42            - ':\ProgramData\OEM\UpgradeTool\CareCenter_*\BUnzip\Setup_msi.exe'
43            - ':\Program Files\Axis Communications\AXIS Camera Station\SetupActions.exe'
44            - ':\Program Files\Axis Communications\AXIS Device Manager\AdmSetupActions.exe'
45            - ':\Program Files (x86)\Zemana\AntiMalware\AntiMalware.exe'
46            - ':\Program Files\Dell\SupportAssist\pcdrcui.exe'
47    condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
48falsepositives:
49    - Unknown
50level: medium

References

Related rules

to-top