Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE
- source: sigma
- techniques:
- t1053
- t1053.005
Description
Detects schtasks.exe task creations that point to a suspicious folder, or to an environment variable that malware commonly uses to locate its payload.
Detection logic
condition: ( all of selection_1_* or all of selection_2_* ) and not 1 of filter_optional_*
filter_optional_avira_install:
    CommandLine|contains|all:
        - '/Create /Xml "C:\Users\'
        - '\AppData\Local\Temp\.CR.'
        - 'Avira_Security_Installation.xml'
filter_optional_avira_other:
    CommandLine|contains:
        - '.tmp\UpdateFallbackTask.xml'
        - '.tmp\WatchdogServiceControlManagerTimeout.xml'
        - '.tmp\SystrayAutostart.xml'
        - '.tmp\MaintenanceTask.xml'
    CommandLine|contains|all:
        - '/Create /F /TN'
        - '/Xml '
        - '\AppData\Local\Temp\is-'
        - 'Avira_'
filter_optional_klite_codec:
    CommandLine|contains|all:
        - '\AppData\Local\Temp\'
        - '/Create /TN "klcp_update" /XML '
        - '\klcp_update_task.xml'
filter_optional_other:
    - ParentCommandLine|contains: 'unattended.ini'
    - CommandLine|contains: 'update_task.xml'
filter_optional_team_viewer:
    CommandLine|contains: '/Create /TN TVInstallRestore /TR'
selection_1_all_folders:
    CommandLine|contains:
        - ':\Perflogs'
        - ':\Users\All Users\'
        - ':\Users\Default\'
        - ':\Users\Public'
        - ':\Windows\Temp'
        - '\AppData\Local\'
        - '\AppData\Roaming\'
        - '%AppData%'
        - '%Public%'
selection_1_create:
    CommandLine|contains: ' /create '
    Image|endswith: '\schtasks.exe'
selection_2_parent:
    ParentCommandLine|endswith: '\svchost.exe -k netsvcs -p -s Schedule'
selection_2_some_folders:
    CommandLine|contains:
        - ':\Perflogs'
        - ':\Windows\Temp'
        - '\Users\Public'
        - '%Public%'
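To show how the condition above actually evaluates, here is an added Python example (not Sigma's own code and not from the rule's authors) that implements only the modifiers this rule uses, contains, contains|all and endswith, with Sigma's case-insensitive string matching, and runs the rule over constructed process-creation events. The sample events and their field names (Image, CommandLine, ParentCommandLine) are assumptions chosen to match the rule's fields; the selection and filter values are transcribed from the rule.

```python
# Added example, not Sigma's own code: a minimal evaluator for the detection
# logic of this rule, run over constructed process-creation events.
from typing import Dict

# Detection fragments transcribed from the rule. Sigma string matching is
# case-insensitive; a list of values is OR'ed unless the 'all' modifier is set.
SELECTIONS = {
    "selection_1_create": {"Image|endswith": "\\schtasks.exe", "CommandLine|contains": " /create "},
    "selection_1_all_folders": {"CommandLine|contains": [
        ":\\Perflogs", ":\\Users\\All Users\\", ":\\Users\\Default\\", ":\\Users\\Public",
        ":\\Windows\\Temp", "\\AppData\\Local\\", "\\AppData\\Roaming\\", "%AppData%", "%Public%"]},
    "selection_2_parent": {"ParentCommandLine|endswith": "\\svchost.exe -k netsvcs -p -s Schedule"},
    "selection_2_some_folders": {"CommandLine|contains": [
        ":\\Perflogs", ":\\Windows\\Temp", "\\Users\\Public", "%Public%"]},
    "filter_optional_avira_install": {"CommandLine|contains|all": [
        "/Create /Xml \"C:\\Users\\", "\\AppData\\Local\\Temp\\.CR.", "Avira_Security_Installation.xml"]},
    "filter_optional_avira_other": {
        "CommandLine|contains": [".tmp\\UpdateFallbackTask.xml", ".tmp\\WatchdogServiceControlManagerTimeout.xml",
                                 ".tmp\\SystrayAutostart.xml", ".tmp\\MaintenanceTask.xml"],
        "CommandLine|contains|all": ["/Create /F /TN", "/Xml ", "\\AppData\\Local\\Temp\\is-", "Avira_"]},
    "filter_optional_klite_codec": {"CommandLine|contains|all": [
        "\\AppData\\Local\\Temp\\", "/Create /TN \"klcp_update\" /XML ", "\\klcp_update_task.xml"]},
    # A YAML list of maps is an OR of the maps.
    "filter_optional_other": [{"ParentCommandLine|contains": "unattended.ini"},
                              {"CommandLine|contains": "update_task.xml"}],
    "filter_optional_team_viewer": {"CommandLine|contains": "/Create /TN TVInstallRestore /TR"},
}


def _field_matches(event: Dict[str, str], key: str, value) -> bool:
    """Apply one 'Field|modifier...' test to an event, case-insensitively."""
    field, *mods = key.split("|")
    actual = str(event.get(field, "")).lower()
    values = [v.lower() for v in (value if isinstance(value, list) else [value])]
    if "endswith" in mods:
        hits = [actual.endswith(v) for v in values]
    elif "contains" in mods:
        hits = [v in actual for v in values]
    else:
        hits = [actual == v for v in values]
    return all(hits) if "all" in mods else any(hits)


def _selection_matches(event: Dict[str, str], sel) -> bool:
    if isinstance(sel, list):  # list of maps: any one map may satisfy it
        return any(_selection_matches(event, m) for m in sel)
    return all(_field_matches(event, k, v) for k, v in sel.items())  # map: every field must hold


def rule_matches(event: Dict[str, str]) -> bool:
    """( all of selection_1_* or all of selection_2_* ) and not 1 of filter_optional_*"""
    def all_of(prefix: str) -> bool:
        return all(_selection_matches(event, s) for n, s in SELECTIONS.items() if n.startswith(prefix))

    def one_of(prefix: str) -> bool:
        return any(_selection_matches(event, s) for n, s in SELECTIONS.items() if n.startswith(prefix))

    return (all_of("selection_1_") or all_of("selection_2_")) and not one_of("filter_optional_")


# Constructed sample events (assumed field names, not real telemetry).
SAMPLE_EVENTS = [
    {"name": "appdata_task",  # task action under %AppData%: should alert
     "Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": "schtasks.exe /create /sc minute /mo 5 /tn Updater /tr %AppData%\\svc.exe",
     "ParentCommandLine": "cmd.exe"},
    {"name": "teamviewer_install",  # Public folder, but excluded by filter_optional_team_viewer
     "Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": "schtasks.exe /Create /TN TVInstallRestore /TR C:\\Users\\Public\\TVInstall.exe"},
    {"name": "program_files",  # action in Program Files: no suspicious folder, no alert
     "Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": "schtasks.exe /create /tn Backup /tr \"C:\\Program Files\\Backup\\backup.exe\" /sc daily"},
    {"name": "schedule_service_child",  # selection_2: Schedule service launching a binary from Temp
     "Image": "C:\\Windows\\Temp\\update.exe",
     "CommandLine": "C:\\Windows\\Temp\\update.exe --silent",
     "ParentCommandLine": "C:\\Windows\\System32\\svchost.exe -k netsvcs -p -s Schedule"},
]


def evaluate_samples() -> Dict[str, bool]:
    """Return the rule's verdict for every constructed sample event."""
    return {e["name"]: rule_matches(e) for e in SAMPLE_EVENTS}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:24s} {'ALERT' if hit else 'no match'}")
```

The second and fourth samples are the instructive ones: the TeamViewer installer hits both selection_1 groups yet is suppressed by a filter_optional_* entry, while the fourth never touches schtasks.exe at all and still matches, because the selection_2_* branch keys on the Schedule service (svchost.exe -k netsvcs -p -s Schedule) as parent plus a Temp or Public path in the command line.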