legitimate use of schtasks for administrative purposes.

t1053
t1053.005
t1105
t1218
windows
sigma

Techniques

t1053
t1053.005
t1105
t1218

Sample rules

Scheduled Task Creation with Curl and PowerShell Execution Combo

source: sigma
technicques:
- t1053
- t1053.005
- t1105
- t1218

Description

Detects the creation of a scheduled task using schtasks.exe, potentially in combination with curl for downloading payloads and PowerShell for executing them. This facilitates executing malicious payloads or connecting with C&C server persistently without dropping the malware sample on the host.

Detection logic

condition: all of selection_*
selection_curl:
  CommandLine|contains|all:
  - 'curl '
  - http
  - -o
selection_img:
  CommandLine|contains|windash: ' /create '
  Image|endswith: \schtasks.exe
selection_powershell:
  CommandLine|contains: powershell