Techniques
Sample rules
Scheduled Task Executed Uncommon LOLBIN
- source: sigma
- techniques:
  - t1053
  - t1053.005
Description
Detects the execution of Scheduled Tasks where the program being run is located in a suspicious location, or where it is an unusual program to be run from a Scheduled Task.
Detection logic
condition: selection
selection:
  EventID: 129
  Path|endswith:
    - \calc.exe
    - \cscript.exe
    - \mshta.exe
    - \mspaint.exe
    - \notepad.exe
    - \regsvr32.exe
    - \wscript.exe
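
The selection above, evaluated over a handful of constructed events. This is an added example, not part of the Sigma rule or the original page. It assumes events have already been parsed into dicts carrying the rule's EventID and Path fields; the TaskName key, the function names and every sample value are constructed for illustration.

```python
# Added example: evaluates the rule's `selection` over constructed events.
SUFFIXES = (
    r"\calc.exe", r"\cscript.exe", r"\mshta.exe", r"\mspaint.exe",
    r"\notepad.exe", r"\regsvr32.exe", r"\wscript.exe",
)

def matches(event: dict) -> bool:
    """Return True when the event satisfies `condition: selection`."""
    # Both keys of the selection must match (logical AND).
    if str(event.get("EventID")) != "129":
        return False
    path = event.get("Path")
    if not isinstance(path, str):
        return False
    # Sigma string matching is case-insensitive; list values are OR-ed.
    # The leading backslash anchors the match to the whole file name.
    return path.lower().endswith(SUFFIXES)

def triage(events: list) -> list:
    """Return the TaskName of every event that the selection matches."""
    return [e.get("TaskName", "<unknown>") for e in events if matches(e)]

# Constructed sample events (not taken from any real host).
SAMPLE_EVENTS = [
    # Upper-case path still matches because comparison is case-insensitive.
    {"EventID": 129, "TaskName": r"\DemoTaskA",
     "Path": r"C:\Windows\System32\MSHTA.EXE"},
    # EventID delivered as a string by some log pipelines.
    {"EventID": "129", "TaskName": r"\DemoTaskB",
     "Path": r"%windir%\system32\regsvr32.exe"},
    # File name merely ends in "calc.exe"; no backslash boundary, no match.
    {"EventID": 129, "TaskName": r"\DemoTaskC",
     "Path": r"C:\Tools\notcalc.exe"},
    # Listed binary but a different EventID; the selection requires 129.
    {"EventID": 200, "TaskName": r"\DemoTaskD",
     "Path": r"C:\Windows\System32\cscript.exe"},
    # Ordinary program not on the list.
    {"EventID": 129, "TaskName": r"\DemoTaskE",
     "Path": r"C:\Program Files\Vendor\updater.exe"},
]

if __name__ == "__main__":
    for name in triage(SAMPLE_EVENTS):
        print("match:", name)
```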