Suspicious Scheduled Task Creation to execute LOLbins
Detects command line creation of scheduled tasks using commonly abused LOLbins.
Sigma rule

title: Suspicious Scheduled Task Creation to execute LOLbins
id: e4cae9a5-49a8-46ab-b223-87565b849e64
status: experimental
description: Detects command line creation of scheduled tasks using commonly abused LOLbins.
date: 2021-10-18
modified: 2024-02-22
author: yatinwad and TheDFIRReport
tags:
    - attack.persistence
    - attack.t1053.005
references:
    - https://redcanary.com/threat-detection-report/techniques/scheduled-task/
    - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith:
            - 'schtasks.exe'
        CommandLine|contains:
            - '/create '
    filter:
        CommandLine|contains:
            - 'regsvr32.exe'
            - 'rundll32.exe'
    condition: selection and 1 of filter
falsepositives:
    - Administrative activity
    - Software installation
level: medium
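To see exactly what the rule fires on, the following added example (not code from the Sigma project or the rule authors) re-implements the rule's `selection`, `filter` and `condition` as plain Python and runs it over a handful of constructed process_creation events. Note that `1 of filter` here is a required selector, not an exclusion: `1 of` over a glob that matches a single selection is just that selection, so the condition reads "schtasks /create with regsvr32.exe or rundll32.exe in the command line". Sigma string modifiers are case-insensitive, which the code mirrors by lowercasing both sides. The event dicts and their `id` labels are constructed for this demo; field names follow the Sigma process_creation taxonomy (`Image`, `CommandLine`) the rule uses. The last sample deliberately omits the `.exe` suffix to show a blind spot of matching on the literal binary name.

```python
from typing import Dict, Iterable, List

Event = Dict[str, str]

# Values copied verbatim from the rule's selection and filter blocks.
IMAGE_SUFFIX = "schtasks.exe"
CREATE_TOKEN = "/create "
LOLBIN_TOKENS = ("regsvr32.exe", "rundll32.exe")


def selection_matches(event: Event) -> bool:
    """selection: Image|endswith 'schtasks.exe' AND CommandLine|contains '/create '.

    Sigma string modifiers compare case-insensitively, so both sides are lowercased.
    """
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    return image.endswith(IMAGE_SUFFIX) and CREATE_TOKEN in cmdline


def filter_matches(event: Event) -> bool:
    """filter: CommandLine|contains any listed LOLbin name.

    Despite its name this is a required selector: the condition is
    'selection and 1 of filter', and '1 of' over one selection is that selection.
    """
    cmdline = event.get("CommandLine", "").lower()
    return any(token in cmdline for token in LOLBIN_TOKENS)


def rule_matches(event: Event) -> bool:
    """condition: selection and 1 of filter"""
    return selection_matches(event) and filter_matches(event)


def run_rule(events: Iterable[Event]) -> List[str]:
    """Return the ids of the events the rule fires on, in input order."""
    return [e["id"] for e in events if rule_matches(e)]


# Constructed sample events (not real telemetry); 'id' is a label for this demo only.
SAMPLE_EVENTS: List[Event] = [
    # Task running a DLL through rundll32.exe: matches.
    {"id": "task-rundll32", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": 'schtasks /create /tn "Updater" /tr "rundll32.exe C:\\Users\\Public\\u.dll,Main" /sc minute /mo 30'},
    # Mixed case everywhere: still matches because Sigma matching is case-insensitive.
    {"id": "task-regsvr32-mixed-case", "Image": r"C:\Windows\SysWOW64\SCHTASKS.EXE",
     "CommandLine": 'SCHTASKS /Create /TN "Loader" /TR "regsvr32.exe /s C:\\ProgramData\\l.ocx" /SC ONLOGON'},
    # Ordinary task creation with no LOLbin: selection matches, filter does not.
    {"id": "task-legit-exe", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": 'schtasks /create /tn "Backup" /tr "C:\\Program Files\\Backup\\backup.exe" /sc daily'},
    # Task deletion: no '/create ' token.
    {"id": "task-delete", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": 'schtasks /delete /tn "Updater" /f'},
    # LOLbin launched directly, not via schtasks.exe: Image does not match.
    {"id": "not-schtasks", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c rundll32.exe C:\\Users\\Public\\u.dll,Main'},
    # Blind spot: 'rundll32' without '.exe' still executes on Windows, but the
    # literal substring 'rundll32.exe' never appears, so the rule stays silent.
    {"id": "task-rundll32-no-ext", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": 'schtasks /create /tn "Svc" /tr "rundll32 C:\\ProgramData\\s.dll,Run" /sc onlogon'},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(f"{event['id']:<26} {'ALERT' if rule_matches(event) else '-'}")
```

Running the script prints one line per sample event; only the first two produce ALERT. The unmatched `task-rundll32-no-ext` case is the one to keep in mind when tuning: extending the filter to match `rundll32` and `regsvr32` without the extension closes that gap at the cost of more hits from the listed false positives.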
Related rules
- Important Scheduled Task Deleted/Disabled
- OilRig APT Schedule Task Persistence - System
- Scheduled Task Creation Via Schtasks.EXE
- Potential Persistence Via Microsoft Compatibility Appraiser
- Scheduled Task Executed From A Suspicious Location