Suspicious Command Patterns In Scheduled Task Creation

Aug 12, 2024 · attack.execution attack.t1053.005 ·

Detects scheduled task creation using "schtasks" that contain potentially suspicious or uncommon commands

Sigma rule (View on GitHub)

 1title: Suspicious Command Patterns In Scheduled Task Creation
 2id: f2c64357-b1d2-41b7-849f-34d2682c0fad
 3status: experimental
 4description: Detects scheduled task creation using "schtasks" that contain potentially suspicious or uncommon commands
 5references:
 6    - https://app.any.run/tasks/512c1352-6380-4436-b27d-bb62f0c020d6/
 7    - https://twitter.com/RedDrip7/status/1506480588827467785
 8    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf
 9author: Florian Roth (Nextron Systems)
10date: 2022-02-23
11modified: 2024-03-19
12tags:
13    - attack.execution
14    - attack.t1053.005
15logsource:
16    product: windows
17    category: process_creation
18detection:
19    selection_schtasks:
20        Image|endswith: '\schtasks.exe'
21        CommandLine|contains: '/Create '
22    selection_pattern_1:
23        CommandLine|contains:
24            - '/sc minute '
25            - '/ru system '
26    selection_pattern_2:
27        CommandLine|contains:
28            - 'cmd /c'
29            - 'cmd /k'
30            - 'cmd /r'
31            - 'cmd.exe /c '
32            - 'cmd.exe /k '
33            - 'cmd.exe /r '
34    selection_uncommon:
35        CommandLine|contains:
36            - ' -decode '
37            - ' -enc '
38            - ' -w hidden '
39            - ' bypass '
40            - ' IEX'
41            - '.DownloadData'
42            - '.DownloadFile'
43            - '.DownloadString'
44            - '/c start /min ' # https://twitter.com/RedDrip7/status/1506480588827467785
45            - 'FromBase64String'
46            - 'mshta http'
47            - 'mshta.exe http'
48    selection_anomaly_1:
49        CommandLine|contains:
50            - ':\ProgramData\'
51            - ':\Temp\'
52            - ':\Tmp\'
53            - ':\Users\Public\'
54            - ':\Windows\Temp\'
55            - '\AppData\'
56            - '%AppData%'
57            - '%Temp%'
58            - '%tmp%'
59    selection_anomaly_2:
60        CommandLine|contains:
61            - 'cscript'
62            - 'curl'
63            - 'wscript'
64    condition: selection_schtasks and ( all of selection_pattern_* or selection_uncommon or all of selection_anomaly_* )
65falsepositives:
66    - Software installers that run from temporary folders and also install scheduled tasks are expected to generate some false positives
67level: high

References

Analysis appveif.exe (MD5: C6DE457D1B6481B0FF2B387E03E99E08) Malicious activity - Interactive analysis ANY.RUN

Interactive malware hunting service. Live testing of most type of threats in any environments. No installation and no waiting necessary.

Read More
x.com

Read More
%PDF-1.7 %µµµµ 1 0 obj /Metadata 886 0 R/ViewerPreferences 887 0 R>> endobj 2 0 obj endobj 3 0 obj /ExtGState /XObject /ProcSet[/PDF/Text/ImageB/ImageC/ImageI] >>/MediaBox[ 0 0 594.96 842.04] /Cont...

Read More

Suspicious Command Patterns In Scheduled Task Creation

Sigma rule (View on GitHub)

References

Analysis appveif.exe (MD5: C6DE457D1B6481B0FF2B387E03E99E08) Malicious activity - Interactive analysis ANY.RUN

x.com

Related rules