Suspicious Scheduled Task Creation via Masqueraded XML File

Detects the creation of a scheduled task using the "-XML" flag with a file that lacks the '.xml' extension. This behavior could indicate a defense evasion attempt during persistence.

Sigma rule

title: Suspicious Scheduled Task Creation via Masqueraded XML File
id: dd2a821e-3b07-4d3b-a9ac-929fe4c6ca0c
status: test
description: Detects the creation of a scheduled task using the "-XML" flag with a file that lacks the '.xml' extension. This behavior could indicate a defense evasion attempt during persistence
references:
    - https://learn.microsoft.com/en-us/windows/win32/taskschd/daily-trigger-example--xml-
    - https://github.com/elastic/protections-artifacts/blob/084067123d3328a823b1c3fdde305b694275c794/behavior/rules/persistence_suspicious_scheduled_task_creation_via_masqueraded_xml_file.toml
author: Swachchhanda Shrawan Poudel, Elastic (idea)
date: 2023-04-20
modified: 2024-12-01
tags:
    - attack.defense-evasion
    - attack.persistence
    - attack.t1036.005
    - attack.t1053.005
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\schtasks.exe'
        - OriginalFileName: 'schtasks.exe'
    selection_cli_create:
        CommandLine|contains:
            - '/create'
            - '-create'
    selection_cli_xml:
        CommandLine|contains:
            - '/xml'
            - '-xml'
    filter_main_extension_xml:
        CommandLine|contains: '.xml'
    filter_main_system_process:
        IntegrityLevel:
            - 'System'
            - 'S-1-16-16384'
    filter_main_rundll32:
        ParentImage|endswith: '\rundll32.exe'
        ParentCommandLine|contains|all:
            - ':\WINDOWS\Installer\MSI'
            - '.tmp,zzzzInvokeManagedCustomActionOutOfProc'
    filter_optional_third_party:
        ParentImage|endswith:
            # Consider removing any tools that you don't use to avoid blind spots
            - ':\ProgramData\OEM\UpgradeTool\CareCenter_*\BUnzip\Setup_msi.exe'
            - ':\Program Files\Axis Communications\AXIS Camera Station\SetupActions.exe'
            - ':\Program Files\Axis Communications\AXIS Device Manager\AdmSetupActions.exe'
            - ':\Program Files (x86)\Zemana\AntiMalware\AntiMalware.exe'
            - ':\Program Files\Dell\SupportAssist\pcdrcui.exe'
    condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
