Suspicious Scheduled Task Name As GUID
- source: sigma
- techniques:
  - t1053
  - t1053.005
Description
Detects creation of a scheduled task with a GUID-like name
Detection logic
condition: all of selection_*
selection_end:
    CommandLine|contains:
        - '}"'
        - '}'''
        - '} '
selection_img:
    CommandLine|contains: '/Create '
    Image|endswith: \schtasks.exe
selection_tn:
    CommandLine|contains:
        - /TN "{
        - /TN '{
        - /TN {
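As an added example, not part of the rule or of the Sigma project, here is a Python re-implementation of the three selections above, run over constructed schtasks command lines (the GUID, image path and task actions are made up) to show what the `all of selection_*` condition does and does not flag.

```python
# Sigma's contains/endswith modifiers are case-insensitive by default,
# so every comparison below works on lower-cased strings.
SELECTION_TN_PATTERNS = ['/tn "{', "/tn '{", "/tn {"]   # selection_tn
SELECTION_END_PATTERNS = ['}"', "}'", "} "]             # selection_end

def selection_img(event):
    # Image|endswith: \schtasks.exe  AND  CommandLine|contains: '/Create '
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    return image.endswith("\\schtasks.exe") and "/create " in cmd

def selection_tn(event):
    # CommandLine|contains any '/TN {' opener (double-quoted, single-quoted or bare)
    cmd = event.get("CommandLine", "").lower()
    return any(p in cmd for p in SELECTION_TN_PATTERNS)

def selection_end(event):
    # CommandLine|contains a closing brace followed by a quote or a space
    cmd = event.get("CommandLine", "").lower()
    return any(p in cmd for p in SELECTION_END_PATTERNS)

def matches(event):
    # condition: all of selection_*
    return selection_img(event) and selection_tn(event) and selection_end(event)

# Constructed process-creation events (not real telemetry); the GUID is made up.
GUID = "{A1B2C3D4-0000-1111-2222-333344445555}"
SCHTASKS = r"C:\Windows\System32\schtasks.exe"
SAMPLE_EVENTS = [
    {"name": "guid_task_quoted", "Image": SCHTASKS,
     "CommandLine": f'schtasks.exe /Create /TN "{GUID}" /TR "C:\\Users\\Public\\update.exe" /SC ONLOGON'},
    {"name": "guid_task_bare_lowercase", "Image": SCHTASKS,
     "CommandLine": f"schtasks.exe /create /tn {GUID} /tr calc.exe /sc daily"},
    {"name": "named_task", "Image": SCHTASKS,
     "CommandLine": 'schtasks.exe /Create /TN "Adobe Acrobat Update Task" /TR acrotray.exe /SC DAILY'},
    {"name": "guid_delete_not_create", "Image": SCHTASKS,
     "CommandLine": f'schtasks.exe /Delete /TN "{GUID}" /F'},
]

def evaluate(events=SAMPLE_EVENTS):
    # Returns {event name: matched?} so the verdicts can be inspected or asserted on.
    return {e["name"]: matches(e) for e in events}

if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{'ALERT' if hit else 'ok   '} {name}")
```

Note that the bare `/TN {` pattern also covers the quoted forms, and a `/Delete` of a GUID-named task is deliberately out of scope because `selection_img` requires `/Create `.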