Suspicious Scheduled Task Creation to execute LOLbins
Detects command line creation of scheduled tasks using commomly abused LOLbins.
Sigma rule (View on GitHub)
1title: Suspicious Scheduled Task Creation to execute LOLbins
2id: e4cae9a5-49a8-46ab-b223-87565b849e64
3status: experimental
4description: Detects command line creation of scheduled tasks using commomly abused LOLbins.
5date: 2021-10-18
6modified: 2024-02-22
7author: yatinwad and TheDFIRReport
8tags:
9 - attack.persistence
10 - attack.t1053.005
11references:
12 - https://redcanary.com/threat-detection-report/techniques/scheduled-task/
13 - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
14logsource:
15 product: windows
16 category: process_creation
17detection:
18 selection:
19 Image|endswith:
20 - 'schtasks.exe'
21 CommandLine|contains:
22 - '/create '
23 filter:
24 CommandLine|contains:
25 - 'regsvr32.exe'
26 - 'rundll32.exe'
27 condition: selection and 1 of filter
28falsepositives:
29 - Administrative activity
30 - Software installation
31level: medium
References
-
Scheduled tasks allow adversarial persistence and execution behaviors to blend in with activity from native tools and third-party software.
Read More -
In this intrusion, we observed the threat actors use multiple DLL Beacons that would call out to different Cobalt Strike C2 channels. The threat actors used batch scripts during the intrusion for a number of purposes, primarily to disable antivirus programs and execute payloads.
Read More
Related rules
- Important Scheduled Task Deleted/Disabled
- OilRig APT Schedule Task Persistence - System
- Scheduled Task Creation Via Schtasks.EXE
- Potential Persistence Via Microsoft Compatibility Appraiser
- Scheduled Task Executed From A Suspicious Location