Sample rules
Suspicious Command Patterns In Scheduled Task Creation
- source: sigma
- techniques:
    - t1053
    - t1053.005
Description
Detects scheduled task creation via "schtasks" whose command line contains potentially suspicious or uncommon commands
Detection logic
condition: selection_schtasks and (all of selection_pattern_* or selection_uncommon or all of selection_anomaly_*)
selection_anomaly_1:
    CommandLine|contains:
        - ':\ProgramData\'
        - ':\Temp\'
        - ':\Tmp\'
        - ':\Users\Public\'
        - ':\Windows\Temp\'
        - '\AppData\'
        - '%AppData%'
        - '%Temp%'
        - '%tmp%'
selection_anomaly_2:
    CommandLine|contains:
        - cscript
        - curl
        - wscript
selection_pattern_1:
    CommandLine|contains:
        - '/sc minute '
        - '/ru system '
selection_pattern_2:
    CommandLine|contains:
        - cmd /c
        - cmd /k
        - cmd /r
        - 'cmd.exe /c '
        - 'cmd.exe /k '
        - 'cmd.exe /r '
selection_schtasks:
    CommandLine|contains: '/Create '
    Image|endswith: '\schtasks.exe'
selection_uncommon:
    CommandLine|contains:
        - ' -decode '
        - ' -enc '
        - ' -w hidden '
        - ' bypass '
        - ' IEX'
        - .DownloadData
        - .DownloadFile
        - .DownloadString
        - '/c start /min '
        - FromBase64String
        - mshta http
        - mshta.exe http
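To make the condition above concrete, here is an added Python example (not part of the Sigma project or of this rule) that evaluates the rule's selections against a few constructed process-creation events. String matching is case-insensitive, as in Sigma; "all of selection_pattern_*" requires both pattern selections to match, and a selection with two fields requires both fields to match.

```python
"""Added example: evaluates the scheduled-task rule above over constructed events."""
from typing import Dict, Iterable, List


def _contains_any(value: str, needles: Iterable[str]) -> bool:
    # Sigma 'contains' is case-insensitive; list values are OR-ed.
    lowered = value.lower()
    return any(n.lower() in lowered for n in needles)


# Value lists copied from the rule's selections.
ANOMALY_1 = [":\\ProgramData\\", ":\\Temp\\", ":\\Tmp\\", ":\\Users\\Public\\",
             ":\\Windows\\Temp\\", "\\AppData\\", "%AppData%", "%Temp%", "%tmp%"]
ANOMALY_2 = ["cscript", "curl", "wscript"]
PATTERN_1 = ["/sc minute ", "/ru system "]
PATTERN_2 = ["cmd /c", "cmd /k", "cmd /r", "cmd.exe /c ", "cmd.exe /k ", "cmd.exe /r "]
UNCOMMON = [" -decode ", " -enc ", " -w hidden ", " bypass ", " IEX", ".DownloadData",
            ".DownloadFile", ".DownloadString", "/c start /min ", "FromBase64String",
            "mshta http", "mshta.exe http"]


def matches_rule(event: Dict[str, str]) -> bool:
    cmd = event.get("CommandLine", "")
    image = event.get("Image", "")
    # selection_schtasks: both fields of the map must match (AND).
    if not ("/create " in cmd.lower() and image.lower().endswith("\\schtasks.exe")):
        return False
    patterns = _contains_any(cmd, PATTERN_1) and _contains_any(cmd, PATTERN_2)  # all of selection_pattern_*
    uncommon = _contains_any(cmd, UNCOMMON)                                      # selection_uncommon
    anomalies = _contains_any(cmd, ANOMALY_1) and _contains_any(cmd, ANOMALY_2)  # all of selection_anomaly_*
    return patterns or uncommon or anomalies


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\schtasks.exe",                      # patterns: minute + SYSTEM + cmd.exe /c
     "CommandLine": 'schtasks.exe /Create /sc minute /mo 5 /tn Updater /tr "cmd.exe /c C:\\Users\\Public\\u.bat" /ru system '},
    {"Image": "C:\\Windows\\System32\\schtasks.exe",                      # anomalies: :\Temp\ + wscript
     "CommandLine": 'schtasks /Create /tn Sync /tr "wscript C:\\Temp\\s.vbs" /sc daily'},
    {"Image": "C:\\Windows\\System32\\schtasks.exe",                      # benign-looking: no selection group matches
     "CommandLine": 'schtasks /Create /tn Backup /tr "C:\\Program Files\\Backup\\bk.exe" /sc daily'},
    {"Image": "C:\\Windows\\System32\\cmd.exe",                           # wrong Image: selection_schtasks fails
     "CommandLine": 'cmd.exe /c schtasks /Create /sc minute /tn x /tr y /ru system '},
]


def evaluate(events: List[Dict[str, str]]) -> List[bool]:
    return [matches_rule(e) for e in events]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print("MATCH" if hit else "     ", event["CommandLine"])
```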
Suspicious Add Scheduled Task Parent
- source: sigma
- techniques:
    - t1053
    - t1053.005
Description
Detects suspicious scheduled task creation by a parent process located in a temporary folder
Detection logic
condition: selection and not 1 of filter*
filter:
    CommandLine|contains:
        - update_task.xml
        - unattended.ini
selection:
    CommandLine|contains: '/Create '
    Image|endswith: '\schtasks.exe'
    ParentImage|contains:
        - '\AppData\Local\'
        - '\AppData\Roaming\'
        - '\Temporary Internet'
        - '\Users\Public\'