Suspicious Scheduled Task Creation to execute LOLbins

 1title: Suspicious Scheduled Task Creation to execute LOLbins
 2id: e4cae9a5-49a8-46ab-b223-87565b849e64
 3status: experimental
 4description: Detects command line creation of scheduled tasks using commomly abused LOLbins.
 5date: 2021-10-18
 6modified: 2024-02-22
 7author: yatinwad and TheDFIRReport
 8tags:
 9    - attack.persistence
10    - attack.t1053.005
11references:
12    - https://redcanary.com/threat-detection-report/techniques/scheduled-task/
13    - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
14logsource:
15    product: windows
16    category: process_creation
17detection:
18    selection:
19      Image|endswith: 'schtasks.exe'
20      CommandLine|contains: '/create '
21    filter_1:
22        CommandLine|contains:
23            - 'regsvr32.exe'
24            - 'rundll32.exe'
25    condition: selection and 1 of filter_*
26falsepositives:
27    - Administrative activity
28    - Software installation
29level: medium

References

• Scheduled Task - Red Canary Threat Detection Report

  

  Scheduled tasks allow adversarial persistence and execution behaviors to blend in with activity from native tools and third-party software.

  
  Read More

• IcedID to XingLocker Ransomware in 24 hours

  

  Intro Towards the end of July, we observed an intrusion that began with IcedID malware and ended in XingLocker ransomware, a Mountlocker variant. XingLocker made its first appearance in early May o…

  
  Read More

Related rules

• Scheduled task executing powershell encoded payload from registry
• Suspicious Schtasks Child Process
• Windows Scheduled Task Behaving Improperly or Suspiciously
• Windows Scheduled Task Create Shell
• Windows Scheduled Task Making Suspicious Network Connection