Techniques
Sample rules
Uncommon One Time Only Scheduled Task At 00:00
- source: sigma
- techniques:
  - t1053
  - t1053.005
Description
Detects scheduled task creation events that include suspicious actions and are run once at 00:00.
Detection logic
condition: all of selection_*
selection_cli:
  CommandLine|contains:
    - wscript
    - vbscript
    - cscript
    - 'wmic '
    - wmic.exe
    - regsvr32.exe
    - powershell
    - \AppData\
selection_img:
  - Image|contains: \schtasks.exe
  - OriginalFileName: schtasks.exe
selection_time:
  CommandLine|contains|all:
    - once
    - '00:00'
New Service Creation Using PowerShell
- source: sigma
- techniques:
  - t1543
  - t1543.003
Description
Detects the creation of a new service using PowerShell.
Detection logic
condition: selection
selection:
  CommandLine|contains|all:
    - New-Service
    - -BinaryPathName
Scheduled Task Creation Via Schtasks.EXE
- source: sigma
- techniques:
  - t1053
  - t1053.005
Description
Detects the creation of scheduled tasks by user accounts via the “schtasks” utility.
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_system_user:
  User|contains:
    - AUTHORI
    - AUTORI
selection:
  CommandLine|contains: ' /create '
  Image|endswith: \schtasks.exe
Suspicious Scheduled Task Creation Involving Temp Folder
- source: sigma
- techniques:
  - t1053
  - t1053.005
Description
Detects the creation of scheduled tasks that involve a temporary folder and run only once.
Detection logic
condition: selection
selection:
  CommandLine|contains|all:
    - ' /create '
    - ' /sc once '
    - \Temp\
  Image|endswith: \schtasks.exe
New Service Creation Using Sc.EXE
- source: sigma
- techniques:
  - t1543
  - t1543.003
Description
Detects the creation of a new service using the “sc.exe” utility.
Detection logic
condition: selection
selection:
  CommandLine|contains|all:
    - create
    - binPath
  Image|endswith: \sc.exe
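To show how the two condition forms used above evaluate (plain "selection and not 1 of filter_main_*" and "all of selection_*", with map fields ANDed and list entries ORed, matching case-insensitively as Sigma does), here is an added, constructed evaluator for the "Scheduled Task Creation Via Schtasks.EXE" and "Uncommon One Time Only Scheduled Task At 00:00" rules run over two constructed process-creation events; it is not Sigma's or any backend's own code, and the event field names and values are assumptions.

```python
"""Constructed evaluator for the Sigma selections listed above (hypothetical, not Sigma's own code)."""

def _match_field(event, key, values):
    """Apply the Sigma 'contains', 'endswith' and 'all' modifiers; matching is case-insensitive."""
    field, *mods = key.split("|")
    actual = str(event.get(field, "")).lower()
    wanted = [str(v).lower() for v in (values if isinstance(values, list) else [values])]
    if "contains" in mods:
        hits = [w in actual for w in wanted]
    elif "endswith" in mods:
        hits = [actual.endswith(w) for w in wanted]
    else:
        hits = [actual == w for w in wanted]
    return all(hits) if "all" in mods else any(hits)

def match_selection(event, selection):
    """A map ANDs its fields; a list of maps ORs its entries (Sigma semantics)."""
    if isinstance(selection, list):
        return any(match_selection(event, s) for s in selection)
    return all(_match_field(event, k, v) for k, v in selection.items())

# "Scheduled Task Creation Via Schtasks.EXE": condition: selection and not 1 of filter_main_*
SCHTASKS_CREATE = {
    "selection": {"CommandLine|contains": " /create ", "Image|endswith": "\\schtasks.exe"},
    "filter_main_system_user": {"User|contains": ["AUTHORI", "AUTORI"]},
}
# "Uncommon One Time Only Scheduled Task At 00:00": condition: all of selection_*
TASK_AT_MIDNIGHT = {
    "selection_cli": {"CommandLine|contains": ["wscript", "vbscript", "cscript", "wmic ",
                                               "wmic.exe", "regsvr32.exe", "powershell", "\\AppData\\"]},
    "selection_img": [{"Image|contains": "\\schtasks.exe"}, {"OriginalFileName": "schtasks.exe"}],
    "selection_time": {"CommandLine|contains|all": ["once", "00:00"]},
}

def schtasks_create_alert(event):
    filters = [v for k, v in SCHTASKS_CREATE.items() if k.startswith("filter_main_")]
    return match_selection(event, SCHTASKS_CREATE["selection"]) and not any(
        match_selection(event, f) for f in filters)

def task_at_midnight_alert(event):
    return all(match_selection(event, s) for k, s in TASK_AT_MIDNIGHT.items() if k.startswith("selection_"))

# Constructed process-creation events (Sysmon-style field names), not real telemetry.
USER_TASK = {"Image": "C:\\Windows\\System32\\schtasks.exe", "OriginalFileName": "schtasks.exe",
             "User": "CORP\\jdoe", "CommandLine": "schtasks.exe /create /sc once /st 00:00 /tn Upd "
             "/tr \"powershell.exe -File C:\\Users\\jdoe\\AppData\\Local\\u.ps1\""}
SYSTEM_TASK = {"Image": "C:\\Windows\\System32\\schtasks.exe", "OriginalFileName": "schtasks.exe",
               "User": "NT AUTHORITY\\SYSTEM",
               "CommandLine": "schtasks.exe /create /sc daily /tn Backup /tr C:\\Tools\\backup.exe"}
```

The SYSTEM-owned task is suppressed by the `filter_main_system_user` exclusion even though its command line matches `selection`, which is the behaviour the "and not 1 of filter_main_*" condition is there to produce.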