Scheduled Task Creation Masquerading as System Processes
Detects the creation of scheduled tasks that involve system processes, which may indicate malicious actors masquerading as or abusing these processes to execute payloads or maintain persistence.
Sigma rule (View on GitHub)
1title: Scheduled Task Creation Masquerading as System Processes
2id: 9f8573c9-22b4-40e3-89c1-72bc2b8d49ab
3status: experimental
4description: Detects the creation of scheduled tasks that involve system processes, which may indicate malicious actors masquerading as or abusing these processes to execute payloads or maintain persistence.
5references:
6 - https://tria.ge/241015-l98snsyeje/behavioral2
7author: Swachchhanda Shrawan Poudel (Nextron Systems)
8date: 2025-02-05
9tags:
10 - attack.persistence
11 - attack.t1053.005
12 - attack.defense-evasion
13 - attack.t1036.004
14 - attack.t1036.005
15logsource:
16 category: process_creation
17 product: windows
18detection:
19 selection_img:
20 - Image|endswith: '\schtasks.exe'
21 - OriginalFileName: 'schtasks.exe'
22 selection_cli:
23 CommandLine|contains|windash: ' /create '
24 CommandLine|contains:
25 - ' audiodg'
26 - ' conhost'
27 - ' dwm.exe'
28 - ' explorer'
29 - ' lsass'
30 - ' lsm'
31 - ' mmc'
32 - ' msiexec'
33 - ' regsvr32'
34 - ' rundll32'
35 - ' services'
36 - ' spoolsv'
37 - ' svchost'
38 - ' taskeng'
39 - ' taskhost'
40 - ' wininit'
41 - ' winlogon'
42 condition: all of selection_*
43falsepositives:
44 - Legitimate system administration tasks scheduling trusted system processes.
45level: high
References
Related rules
- Suspicious Scheduled Task Creation via Masqueraded XML File
- Scheduled Task Creation with Curl and PowerShell Execution Combo
- OilRig APT Activity
- OilRig APT Registry Persistence
- OilRig APT Schedule Task Persistence - Security