Suspicious Command Patterns In Scheduled Task Creation
- source: sigma
- techniques:
  - t1053
  - t1053.005
Description
Detects scheduled task creation via "schtasks" whose command line contains potentially suspicious or uncommon commands
Detection logic
condition: selection_schtasks and (all of selection_pattern_* or selection_uncommon or all of selection_anomaly_*)
selection_anomaly_1:
  CommandLine|contains:
    - ':\ProgramData\'
    - ':\Temp\'
    - ':\Tmp\'
    - ':\Users\Public\'
    - ':\Windows\Temp\'
    - '\AppData\'
    - '%AppData%'
    - '%Temp%'
    - '%tmp%'
selection_anomaly_2:
  CommandLine|contains:
    - cscript
    - curl
    - wscript
selection_pattern_1:
  CommandLine|contains:
    - '/sc minute '
    - '/ru system '
selection_pattern_2:
  CommandLine|contains:
    - cmd /c
    - cmd /k
    - cmd /r
    - 'cmd.exe /c '
    - 'cmd.exe /k '
    - 'cmd.exe /r '
selection_schtasks:
  CommandLine|contains: '/Create '
  Image|endswith: '\schtasks.exe'
selection_uncommon:
  CommandLine|contains:
    - ' -decode '
    - ' -enc '
    - ' -w hidden '
    - ' bypass '
    - ' IEX'
    - .DownloadData
    - .DownloadFile
    - .DownloadString
    - '/c start /min '
    - FromBase64String
    - mshta http
    - mshta.exe http
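The condition above combines four selections in three alternative branches. The following Python is an added example, not part of the Sigma rule or of this page: it re-implements the selections and the condition and runs them over constructed process-creation events (the Image and CommandLine values are made up for the test), showing one event per branch, a benign event, and an event where the Image constraint prevents a match even though the command text looks suspicious. Sigma string modifiers are case-insensitive, so all comparisons are done on lower-cased values.

```python
ANOMALY_1 = [":\\programdata\\", ":\\temp\\", ":\\tmp\\", ":\\users\\public\\",
             ":\\windows\\temp\\", "\\appdata\\", "%appdata%", "%temp%", "%tmp%"]
ANOMALY_2 = ["cscript", "curl", "wscript"]
PATTERN_1 = ["/sc minute ", "/ru system "]
PATTERN_2 = ["cmd /c", "cmd /k", "cmd /r", "cmd.exe /c ", "cmd.exe /k ", "cmd.exe /r "]
UNCOMMON = [" -decode ", " -enc ", " -w hidden ", " bypass ", " iex",
            ".downloaddata", ".downloadfile", ".downloadstring",
            "/c start /min ", "frombase64string", "mshta http", "mshta.exe http"]


def contains_any(value, needles):
    # Sigma 'contains' list semantics: any single needle matching is enough
    return any(n in value for n in needles)


def matches(event):
    # Evaluate the rule condition against one process-creation event (dict)
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    # selection_schtasks: the creating process must be schtasks.exe itself
    if not (image.endswith("\\schtasks.exe") and "/create " in cmd):
        return False
    all_patterns = contains_any(cmd, PATTERN_1) and contains_any(cmd, PATTERN_2)
    uncommon = contains_any(cmd, UNCOMMON)
    all_anomaly = contains_any(cmd, ANOMALY_1) and contains_any(cmd, ANOMALY_2)
    return all_patterns or uncommon or all_anomaly


SCHTASKS = "C:\\Windows\\System32\\schtasks.exe"
SAMPLE_EVENTS = {  # constructed events for illustration, not real telemetry
    "benign_daily_backup": {"Image": SCHTASKS, "CommandLine":
        'schtasks.exe /Create /SC DAILY /TN Backup /TR "C:\\Program Files\\Backup\\backup.exe"'},
    "pattern_minute_system": {"Image": SCHTASKS, "CommandLine":
        'schtasks.exe /Create /SC MINUTE /MO 5 /TN Updater /RU SYSTEM /TR "cmd /c C:\\ProgramData\\update.bat"'},
    "anomaly_public_wscript": {"Image": SCHTASKS, "CommandLine":
        'schtasks.exe /Create /SC ONLOGON /TN Helper /TR "wscript.exe C:\\Users\\Public\\helper.vbs"'},
    "uncommon_encoded_ps": {"Image": SCHTASKS, "CommandLine":
        'schtasks.exe /Create /SC ONCE /ST 12:00 /TN Sync /TR "powershell -enc <BASE64>"'},
    # Image is cmd.exe, so selection_schtasks fails although the text is suspicious
    "wrapped_in_cmd": {"Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine":
        'cmd.exe /c schtasks /Create /SC MINUTE /RU SYSTEM /TN Job /TR C:\\Temp\\job.exe'},
}


def matching_events(events=SAMPLE_EVENTS):
    # Names of the events the rule would alert on, sorted for stable output
    return sorted(name for name, ev in events.items() if matches(ev))
```

The last sample shows a coverage gap worth knowing about: when schtasks is launched through a cmd.exe wrapper, the Image field is cmd.exe and this rule does not fire on that event, so the child schtasks.exe process creation is the event it relies on.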