Scheduled Task Creation Masquerading as System Processes

Detects the creation of scheduled tasks that involve system processes, which may indicate malicious actors masquerading as or abusing these processes to execute payloads or maintain persistence.

Sigma rule (View on GitHub)

 1title: Scheduled Task Creation Masquerading as System Processes
 2id: 9f8573c9-22b4-40e3-89c1-72bc2b8d49ab
 3status: experimental
 4description: Detects the creation of scheduled tasks that involve system processes, which may indicate malicious actors masquerading as or abusing these processes to execute payloads or maintain persistence.
 5references:
 6    - https://tria.ge/241015-l98snsyeje/behavioral2
 7author: Swachchhanda Shrawan Poudel (Nextron Systems)
 8date: 2025-02-05
 9tags:
10    - attack.persistence
11    - attack.t1053.005
12    - attack.defense-evasion
13    - attack.t1036.004
14    - attack.t1036.005
15logsource:
16    category: process_creation
17    product: windows
18detection:
19    selection_img:
20        - Image|endswith: '\schtasks.exe'
21        - OriginalFileName: 'schtasks.exe'
22    selection_cli:
23        CommandLine|contains|windash: ' /create '
24        CommandLine|contains:
25            - ' audiodg'
26            - ' conhost'
27            - ' dwm.exe'
28            - ' explorer'
29            - ' lsass'
30            - ' lsm'
31            - ' mmc'
32            - ' msiexec'
33            - ' regsvr32'
34            - ' rundll32'
35            - ' services'
36            - ' spoolsv'
37            - ' svchost'
38            - ' taskeng'
39            - ' taskhost'
40            - ' wininit'
41            - ' winlogon'
42    condition: all of selection_*
43falsepositives:
44    - Legitimate system administration tasks scheduling trusted system processes.
45level: high

References

Related rules

to-top