Suspicious Command Patterns In Scheduled Task Creation

Detects scheduled task creation via "schtasks" whose command line contains potentially suspicious or uncommon commands

Sigma rule

title: Suspicious Command Patterns In Scheduled Task Creation
id: f2c64357-b1d2-41b7-849f-34d2682c0fad
status: test
description: Detects scheduled task creation using "schtasks" that contain potentially suspicious or uncommon commands
references:
    - https://app.any.run/tasks/512c1352-6380-4436-b27d-bb62f0c020d6/
    - https://twitter.com/RedDrip7/status/1506480588827467785
    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf
author: Florian Roth (Nextron Systems)
date: 2022-02-23
modified: 2024-03-19
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.t1053.005
logsource:
    product: windows
    category: process_creation
detection:
    selection_schtasks:
        Image|endswith: '\schtasks.exe'
        CommandLine|contains: '/Create '
    selection_pattern_1:
        CommandLine|contains:
            - '/sc minute '
            - '/ru system '
    selection_pattern_2:
        CommandLine|contains:
            - 'cmd /c'
            - 'cmd /k'
            - 'cmd /r'
            - 'cmd.exe /c '
            - 'cmd.exe /k '
            - 'cmd.exe /r '
    selection_uncommon:
        CommandLine|contains:
            - ' -decode '
            - ' -enc '
            - ' -w hidden '
            - ' bypass '
            - ' IEX'
            - '.DownloadData'
            - '.DownloadFile'
            - '.DownloadString'
            - '/c start /min ' # https://twitter.com/RedDrip7/status/1506480588827467785
            - 'FromBase64String'
            - 'mshta http'
            - 'mshta.exe http'
    selection_anomaly_1:
        CommandLine|contains:
            - ':\ProgramData\'
            - ':\Temp\'
            - ':\Tmp\'
            - ':\Users\Public\'
            - ':\Windows\Temp\'
            - '\AppData\'
            - '%AppData%'
            - '%Temp%'
            - '%tmp%'
    selection_anomaly_2:
        CommandLine|contains:
            - 'cscript'
            - 'curl'
            - 'wscript'
    condition: selection_schtasks and ( all of selection_pattern_* or selection_uncommon or all of selection_anomaly_* )
falsepositives:
    - Software installers that run from temporary folders and also install scheduled tasks are expected to generate some false positives
level: high
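To make the condition above concrete, here is an added Python model of the rule's matching logic (not part of the Sigma project or this rule), run over constructed process_creation events. It assumes Sigma's default case-insensitive string matching for `contains` and `endswith`; the sample command lines and paths are made up for the example.

```python
# Added example, not the rule's own code: a small Python model of the rule's
# condition, evaluated over constructed process_creation events.
PATTERN_1 = ["/sc minute ", "/ru system "]
PATTERN_2 = ["cmd /c", "cmd /k", "cmd /r", "cmd.exe /c ", "cmd.exe /k ", "cmd.exe /r "]
UNCOMMON = [" -decode ", " -enc ", " -w hidden ", " bypass ", " iex", ".downloaddata",
            ".downloadfile", ".downloadstring", "/c start /min ", "frombase64string",
            "mshta http", "mshta.exe http"]
ANOMALY_1 = [":\\programdata\\", ":\\temp\\", ":\\tmp\\", ":\\users\\public\\",
             ":\\windows\\temp\\", "\\appdata\\", "%appdata%", "%temp%", "%tmp%"]
ANOMALY_2 = ["cscript", "curl", "wscript"]


def contains_any(haystack: str, needles: list[str]) -> bool:
    """A 'CommandLine|contains' list is an OR over its values."""
    return any(n in haystack for n in needles)


def matches(image: str, command_line: str) -> bool:
    """Evaluate the rule's condition; Sigma 'contains' is case-insensitive."""
    img, cmd = image.lower(), command_line.lower()
    # selection_schtasks: fields inside one selection are AND-ed
    if not (img.endswith("\\schtasks.exe") and "/create " in cmd):
        return False
    # 'all of selection_pattern_*': minute-based SYSTEM task that wraps cmd
    patterns = contains_any(cmd, PATTERN_1) and contains_any(cmd, PATTERN_2)
    uncommon = contains_any(cmd, UNCOMMON)  # sufficient on its own
    # 'all of selection_anomaly_*': script host or curl run from a writable folder
    anomalies = contains_any(cmd, ANOMALY_1) and contains_any(cmd, ANOMALY_2)
    return patterns or uncommon or anomalies


# Constructed sample events (image, command line); not real telemetry.
EVENTS = [
    # routine daily task with no cmd wrapper: expected no match
    (r"C:\Windows\System32\schtasks.exe",
     r'schtasks /Create /TN "Backup" /TR "C:\Program Files\Backup\run.exe" /SC DAILY /ST 02:00'),
    # every-5-minutes SYSTEM task wrapping cmd /c: all of selection_pattern_*
    (r"C:\Windows\System32\schtasks.exe",
     r'schtasks /Create /SC minute /MO 5 /RU system /TN "Updater" /TR "cmd /c C:\x\update.bat"'),
    # wscript launched from a world-writable folder: all of selection_anomaly_*
    (r"C:\Windows\System32\schtasks.exe",
     r'schtasks /Create /TN "Sync" /TR "wscript C:\Users\Public\sync.vbs" /SC ONLOGON'),
    # not a /Create, so selection_schtasks fails regardless of the rest
    (r"C:\Windows\System32\schtasks.exe", r'schtasks /Query /TN "Sync"'),
]


def run(events=EVENTS) -> list[bool]:
    return [matches(img, cmd) for img, cmd in events]


if __name__ == "__main__":
    for (img, cmd), hit in zip(EVENTS, run()):
        print("ALERT" if hit else "ok   ", cmd)
```

Note that the first event is exactly the installer-style task the `falsepositives` entry warns about once it runs from a temporary folder; swapping `C:\Program Files` for `C:\Users\Public` would not fire on its own either, because `selection_anomaly_2` also has to match.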
