Schtasks Creation Or Modification With SYSTEM Privileges

 1title: Schtasks Creation Or Modification With SYSTEM Privileges
 2id: 89ca78fd-b37c-4310-b3d3-81a023f83936
 3status: test
 4description: Detects the creation or update of a scheduled task to run with "NT AUTHORITY\SYSTEM" privileges
 5references:
 6    - https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern
 7    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks
 8author: Nasreddine Bencherchali (Nextron Systems)
 9date: 2022-07-28
10modified: 2023-10-11
11tags:
12    - attack.execution
13    - attack.persistence
14    - attack.t1053.005
15logsource:
16    product: windows
17    category: process_creation
18detection:
19    selection_root:
20        Image|endswith: '\schtasks.exe'
21        CommandLine|contains:
22            - ' /change '
23            - ' /create '
24    selection_run:
25        CommandLine|contains: '/ru '
26    selection_user:
27        CommandLine|contains:
28            - 'NT AUT' # This covers the usual NT AUTHORITY\SYSTEM
29            - ' SYSTEM ' # SYSTEM is a valid value for schtasks hence it gets it's own value with space
30    filter_optional_teamviewer:
31        # FP from test set in SIGMA
32        # Cannot use ParentImage on all OSes for 4688 events
33        # ParentImage|contains|all:
34        #     - '\AppData\Local\Temp\'
35        #     - 'TeamViewer_.exe'
36        Image|endswith: '\schtasks.exe'
37        CommandLine|contains|all:
38            - '/TN TVInstallRestore'
39            - '\TeamViewer_.exe'
40    filter_optional_avira:
41        CommandLine|contains:
42            - '/Create /F /RU System /SC WEEKLY /TN AviraSystemSpeedupVerify /TR '
43            - ':\Program Files (x86)\Avira\System Speedup\setup\avira_speedup_setup.exe'
44            - '/VERIFY /VERYSILENT /NOSTART /NODOTNET /NORESTART" /RL HIGHEST'
45    condition: all of selection_* and not 1 of filter_optional_*
46falsepositives:
47    - Unknown
48level: high