Techniques
Sample rules
Suspicious Schtasks Schedule Types
- source: sigma
- techniques:
  - t1053
  - t1053.005
Description
Detects the creation or modification of a scheduled task with schtasks.exe using a suspicious schedule type (ONLOGON, ONSTART, ONCE or ONIDLE), excluding command lines that explicitly run the task as SYSTEM / NT AUTHORITY or with the highest run level.
Detection logic
selection_img:
  - Image|endswith: '\schtasks.exe'
  - OriginalFileName: 'schtasks.exe'
selection_time:
  CommandLine|contains:
    - ' ONLOGON '
    - ' ONSTART '
    - ' ONCE '
    - ' ONIDLE '
filter_privs:
  CommandLine|contains:
    - 'NT AUT'
    - ' SYSTEM'
    - 'HIGHEST'
condition: all of selection_* and not 1 of filter_*
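The detection logic above, evaluated over a handful of process-creation records, as an added example that is not part of the rule or of SigmaHQ. It assumes Sigma's default case-insensitive string matching for the contains/endswith modifiers and the field names the rule uses (Image, OriginalFileName, CommandLine); the event records, task names and paths are constructed for illustration.

```python
"""Evaluate the 'Suspicious Schtasks Schedule Types' Sigma logic over sample events.

Added example; the event records below are constructed, not real telemetry.
Sigma string modifiers are case-insensitive by default, which _match follows.
"""

# selection_img is a list of maps, which Sigma ORs together
SELECTION_IMG = [
    ("Image", "endswith", "\\schtasks.exe"),
    ("OriginalFileName", "equals", "schtasks.exe"),
]
# selection_time / filter_privs: one field, any of several substrings
SELECTION_TIME = ("CommandLine", [" ONLOGON ", " ONSTART ", " ONCE ", " ONIDLE "])
FILTER_PRIVS = ("CommandLine", ["NT AUT", " SYSTEM", "HIGHEST"])


def _match(value, op, needle):
    """Case-insensitive Sigma-style comparison; a missing field never matches."""
    value = (value or "").lower()
    needle = needle.lower()
    if op == "contains":
        return needle in value
    if op == "endswith":
        return value.endswith(needle)
    if op == "equals":
        return value == needle
    raise ValueError(f"unsupported modifier {op!r}")


def selection_img(event):
    return any(_match(event.get(f), op, n) for f, op, n in SELECTION_IMG)


def selection_time(event):
    field, needles = SELECTION_TIME
    return any(_match(event.get(field), "contains", n) for n in needles)


def filter_privs(event):
    field, needles = FILTER_PRIVS
    return any(_match(event.get(field), "contains", n) for n in needles)


def rule_matches(event):
    """condition: all of selection_* and not 1 of filter_*"""
    return selection_img(event) and selection_time(event) and not filter_privs(event)


def matching_command_lines(events):
    """Return the CommandLine of every event the rule fires on."""
    return [e["CommandLine"] for e in events if rule_matches(e)]


SCHTASKS = "C:\\Windows\\System32\\schtasks.exe"

# Constructed sample events (Sysmon EID 1 style field names).
SAMPLE_EVENTS = [
    {   # user-writable payload registered to run at every logon: alert
        "Image": SCHTASKS, "OriginalFileName": "schtasks.exe",
        "CommandLine": 'schtasks.exe /create /tn "Updater" /tr "C:\\Users\\Public\\u.exe" /sc ONLOGON /f',
    },
    {   # same idea but explicitly run as SYSTEM: suppressed by filter_privs ('NT AUT')
        "Image": SCHTASKS, "OriginalFileName": "schtasks.exe",
        "CommandLine": 'schtasks /create /tn "Maint" /tr "C:\\Windows\\System32\\cmd.exe" /sc ONSTART /ru "NT AUTHORITY\\SYSTEM"',
    },
    {   # mixed case everywhere: still matches because matching is case-insensitive
        "Image": "C:\\Windows\\System32\\SCHTASKS.EXE", "OriginalFileName": "schtasks.exe",
        "CommandLine": "schtasks /create /sc once /st 12:00 /tn x /tr c:\\temp\\a.bat",
    },
    {   # lower-case '/rl highest': the filter is case-insensitive too, so suppressed
        "Image": SCHTASKS, "OriginalFileName": "schtasks.exe",
        "CommandLine": 'schtasks /create /tn "x" /tr "y" /sc onidle /i 5 /rl highest',
    },
    {   # DAILY is not one of the schedule types the rule looks for
        "Image": SCHTASKS, "OriginalFileName": "schtasks.exe",
        "CommandLine": 'schtasks /create /tn "Backup" /tr "C:\\bak.exe" /sc DAILY /st 09:00',
    },
    {   # schedule type is the final token: ' ONLOGON ' needs a trailing space, so no match
        "Image": SCHTASKS, "OriginalFileName": "schtasks.exe",
        "CommandLine": "schtasks /create /tn x /tr y /sc ONLOGON",
    },
    {   # not schtasks.exe at all, even though the command line contains ' ONCE '
        "Image": "C:\\Windows\\System32\\cmd.exe", "OriginalFileName": "Cmd.Exe",
        "CommandLine": "cmd /c echo /sc ONCE ",
    },
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print("ALERT " if rule_matches(e) else "      ", e["CommandLine"])
```

Two of the seven constructed events fire. The ones that do not are the useful part when tuning: filter_privs deliberately drops any command line mentioning NT AUTHORITY, SYSTEM or the HIGHEST run level, and the space-delimited substrings miss a schedule type that ends the command line, so a practitioner deploying this rule should decide whether those gaps are acceptable for their environment or cover them with a sibling rule.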