Schtasks Creation Or Modification With SYSTEM Privileges
Detects the creation or update of a scheduled task to run with "NT AUTHORITY\SYSTEM" privileges
Sigma rule
title: Schtasks Creation Or Modification With SYSTEM Privileges
id: 89ca78fd-b37c-4310-b3d3-81a023f83936
status: test
description: Detects the creation or update of a scheduled task to run with "NT AUTHORITY\SYSTEM" privileges
references:
    - https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-28
modified: 2025-02-15
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1053.005
logsource:
    product: windows
    category: process_creation
detection:
    selection_root:
        Image|endswith: '\schtasks.exe'
        CommandLine|contains:
            - ' /change '
            - ' /create '
    selection_run:
        CommandLine|contains: '/ru '
    selection_user:
        CommandLine|contains:
            - 'NT AUT' # This covers the usual NT AUTHORITY\SYSTEM
            - ' SYSTEM ' # SYSTEM is a valid value for schtasks, hence it gets its own value with surrounding spaces
    filter_optional_teamviewer:
        # FP from test set in SIGMA
        # Cannot use ParentImage on all OSes for 4688 events
        # ParentImage|contains|all:
        #     - '\AppData\Local\Temp\'
        #     - 'TeamViewer_.exe'
        Image|endswith: '\schtasks.exe'
        CommandLine|contains|all:
            - '/TN TVInstallRestore'
            - '\TeamViewer_.exe'
    filter_optional_office:
        CommandLine|contains|all:
            # https://answers.microsoft.com/en-us/msoffice/forum/all/office-15-subscription-heartbeat-task-created-on/43ab5e53-a9fb-47c6-8c14-44889974b9ff
            - 'Subscription Heartbeat'
            - '\HeartbeatConfig.xml'
            - '\Microsoft Shared\OFFICE'
    filter_optional_avira:
        CommandLine|contains:
            - '/Create /F /RU System /SC WEEKLY /TN AviraSystemSpeedupVerify /TR '
            - ':\Program Files (x86)\Avira\System Speedup\setup\avira_speedup_setup.exe'
            - '/VERIFY /VERYSILENT /NOSTART /NODOTNET /NORESTART" /RL HIGHEST'
    condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high
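The rule's selection and filter logic replayed over constructed process_creation events, as an added example that is not part of the rule or the Sigma project. It assumes Sigma's default case-insensitive substring matching, and the sample command lines (including one that exercises how the space-delimited ' SYSTEM ' literal behaves at the end of a command line, useful when tuning) are constructed, not real telemetry.

```python
# Added example, not part of the Sigma project or this rule: a minimal
# evaluator for the rule above. Events below are constructed samples.

def _any(cmd: str, needles) -> bool:
    """Sigma 'contains' (case-insensitive, any listed value matches)."""
    low = cmd.lower()
    return any(n.lower() in low for n in needles)

def _all(cmd: str, needles) -> bool:
    """Sigma 'contains|all' (case-insensitive, every value must match)."""
    low = cmd.lower()
    return all(n.lower() in low for n in needles)

def matches_rule(image: str, cmdline: str) -> bool:
    """True when a process_creation event would trigger the rule."""
    is_schtasks = image.lower().endswith("\\schtasks.exe")
    selection_root = is_schtasks and _any(cmdline, [" /change ", " /create "])
    selection_run = _any(cmdline, ["/ru "])
    # ' SYSTEM ' is a literal with a space on both sides, exactly as in the rule
    selection_user = _any(cmdline, ["NT AUT", " SYSTEM "])
    if not (selection_root and selection_run and selection_user):
        return False
    filter_teamviewer = is_schtasks and _all(
        cmdline, ["/TN TVInstallRestore", "\\TeamViewer_.exe"])
    filter_office = _all(cmdline, [
        "Subscription Heartbeat", "\\HeartbeatConfig.xml", "\\Microsoft Shared\\OFFICE"])
    filter_avira = _any(cmdline, [
        "/Create /F /RU System /SC WEEKLY /TN AviraSystemSpeedupVerify /TR ",
        ":\\Program Files (x86)\\Avira\\System Speedup\\setup\\avira_speedup_setup.exe",
        '/VERIFY /VERYSILENT /NOSTART /NODOTNET /NORESTART" /RL HIGHEST',
    ])
    return not (filter_teamviewer or filter_office or filter_avira)

SCHTASKS = r"C:\Windows\System32\schtasks.exe"
EVENTS = {  # constructed sample command lines, not real telemetry
    "system_task": r'schtasks.exe /create /tn Updater /tr C:\Users\Public\u.exe /ru "NT AUTHORITY\SYSTEM" /sc onlogon',
    "teamviewer_fp": r'schtasks.exe /Create /F /RU SYSTEM /SC ONSTART /TN TVInstallRestore /TR "C:\Users\a\AppData\Local\Temp\TeamViewer_.exe /restore"',
    "trailing_system": r"schtasks.exe /change /tn Backup /ru SYSTEM",
    "named_user": r"schtasks.exe /create /tn Note /tr notepad.exe /ru CORP\alice /sc daily",
}

def evaluate(events=EVENTS, image=SCHTASKS) -> dict:
    """Map each sample name to whether the rule fires on it."""
    return {name: matches_rule(image, cmd) for name, cmd in events.items()}

if __name__ == "__main__":
    for name, fired in evaluate().items():
        print(f"{name:16} -> {'ALERT' if fired else 'no match'}")
```

Only the first sample fires: the TeamViewer installer line is suppressed by its filter, and the command ending in '/ru SYSTEM' has no trailing space, so the ' SYSTEM ' term does not apply to it.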
Related rules
- ChromeLoader Malware Execution
- Defrag Deactivation
- Kapeka Backdoor Persistence Activity
- OilRig APT Activity
- OilRig APT Registry Persistence