Scheduled Task Creation Masquerading as System Processes
Detects the creation of scheduled tasks that involve system processes, which may indicate malicious actors masquerading as or abusing these processes to execute payloads or maintain persistence.
Sigma rule (View on GitHub)
1title: Scheduled Task Creation Masquerading as System Processes
2id: 9f8573c9-22b4-40e3-89c1-72bc2b8d49ab
3status: experimental
4description: Detects the creation of scheduled tasks that involve system processes, which may indicate malicious actors masquerading as or abusing these processes to execute payloads or maintain persistence.
5references:
6 - https://tria.ge/241015-l98snsyeje/behavioral2
7author: Swachchhanda Shrawan Poudel (Nextron Systems)
8date: 2025-02-05
9tags:
10 - attack.privilege-escalation
11 - attack.execution
12 - attack.persistence
13 - attack.t1053.005
14 - attack.defense-evasion
15 - attack.t1036.004
16 - attack.t1036.005
17logsource:
18 category: process_creation
19 product: windows
20detection:
21 selection_img:
22 - Image|endswith: '\schtasks.exe'
23 - OriginalFileName: 'schtasks.exe'
24 selection_cli:
25 CommandLine|contains|windash: ' /create '
26 CommandLine|contains:
27 - ' audiodg'
28 - ' conhost'
29 - ' dwm.exe'
30 - ' explorer'
31 - ' lsass'
32 - ' lsm'
33 - ' mmc'
34 - ' msiexec'
35 - ' regsvr32'
36 - ' rundll32'
37 - ' services'
38 - ' spoolsv'
39 - ' svchost'
40 - ' taskeng'
41 - ' taskhost'
42 - ' wininit'
43 - ' winlogon'
44 condition: all of selection_*
45falsepositives:
46 - Legitimate system administration tasks scheduling trusted system processes.
47level: high
References
-
Check this report malware sample ae8d252986c616884c10ab5082088cc9e413ddf5f9a0e292a1f2c5c0764c74e7, with a score of 1 out of 10.
Read More
Related rules
- Operation Wocao Activity
- Operation Wocao Activity - Security
- Suspicious Scheduled Task Creation via Masqueraded XML File
- OilRig APT Activity
- OilRig APT Registry Persistence