Techniques
Sample rules
Suspicious Schtasks From Env Var Folder
- source: sigma
- techniques:
  - t1053
  - t1053.005
Description
Detects schtasks.exe task creations whose command line points to a suspicious folder or to an environment variable often used by malware
Detection logic
condition: ( all of selection1* or all of selection2* ) and not 1 of filter*
filter_avira_install:
    CommandLine|contains|all:
        - /Create /Xml "C:\Users\
        - \AppData\Local\Temp\.CR.
        - Avira_Security_Installation.xml
filter_avira_other:
    CommandLine|contains:
        - .tmp\UpdateFallbackTask.xml
        - .tmp\WatchdogServiceControlManagerTimeout.xml
        - .tmp\SystrayAutostart.xml
        - .tmp\MaintenanceTask.xml
    CommandLine|contains|all:
        - /Create /F /TN
        - '/Xml '
        - \AppData\Local\Temp\is-
        - Avira_
filter_klite_codec:
    CommandLine|contains|all:
        - \AppData\Local\Temp\
        - '/Create /TN "klcp_update" /XML '
        - \klcp_update_task.xml
filter_mixed:
    - CommandLine|contains:
        - update_task.xml
        - /Create /TN TVInstallRestore /TR
    - ParentCommandLine|contains: unattended.ini
selection1_all_folders:
    CommandLine|contains:
        - :\Perflogs
        - :\Windows\Temp
        - \AppData\Local\
        - \AppData\Roaming\
        - \Users\Public
        - '%AppData%'
        - '%Public%'
selection1_create:
    CommandLine|contains: ' /create '
    Image|endswith: \schtasks.exe
selection2_parent:
    ParentCommandLine|endswith: \svchost.exe -k netsvcs -p -s Schedule
selection2_some_folders:
    CommandLine|contains:
        - :\Perflogs
        - :\Windows\Temp
        - \Users\Public
        - '%Public%'
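The condition above, evaluated in plain Python over constructed process-creation events so the AND/OR/NOT structure (the two selection groups, the OR-ed filter_mixed list, and Sigma's case-insensitive string matching) can be checked. This is an added example, not the Sigma project's code; the field names come from the rule, the event values are constructed.

```python
# Added example (not Sigma's own code): the rule's selections and filters in plain Python.
ALL_FOLDERS = [":\\Perflogs", ":\\Windows\\Temp", "\\AppData\\Local\\",
               "\\AppData\\Roaming\\", "\\Users\\Public", "%AppData%", "%Public%"]
SOME_FOLDERS = [":\\Perflogs", ":\\Windows\\Temp", "\\Users\\Public", "%Public%"]
SCHEDULE_PARENT = "\\svchost.exe -k netsvcs -p -s Schedule"
# Sigma's contains/endswith modifiers are case-insensitive; mirror that here.
def _any(value, needles):
    return any(n.lower() in value.lower() for n in needles)
def _all(value, needles):
    return all(n.lower() in value.lower() for n in needles)
def _ends(value, suffix):
    return value.lower().endswith(suffix.lower())

def selection1(ev):
    """all of selection1*: schtasks.exe /create referencing a suspicious folder."""
    cl = ev.get("CommandLine", "")
    return (_any(cl, ALL_FOLDERS) and " /create " in cl.lower()
            and _ends(ev.get("Image", ""), "\\schtasks.exe"))

def selection2(ev):
    """all of selection2*: child of the Schedule service run from a public/temp path."""
    return (_ends(ev.get("ParentCommandLine", ""), SCHEDULE_PARENT)
            and _any(ev.get("CommandLine", ""), SOME_FOLDERS))

def any_filter(ev):
    """1 of filter*: known installer activity the rule excludes."""
    cl, pcl = ev.get("CommandLine", ""), ev.get("ParentCommandLine", "")
    avira_install = _all(cl, ['/Create /Xml "C:\\Users\\', "\\AppData\\Local\\Temp\\.CR.",
                              "Avira_Security_Installation.xml"])
    avira_other = (_any(cl, [".tmp\\UpdateFallbackTask.xml", ".tmp\\WatchdogServiceControlManagerTimeout.xml",
                             ".tmp\\SystrayAutostart.xml", ".tmp\\MaintenanceTask.xml"])
                   and _all(cl, ["/Create /F /TN", "/Xml ", "\\AppData\\Local\\Temp\\is-", "Avira_"]))
    klite = _all(cl, ["\\AppData\\Local\\Temp\\", '/Create /TN "klcp_update" /XML ', "\\klcp_update_task.xml"])
    mixed = (_any(cl, ["update_task.xml", "/Create /TN TVInstallRestore /TR"])
             or _any(pcl, ["unattended.ini"]))  # filter_mixed is a list of maps: entries are OR-ed
    return avira_install or avira_other or klite or mixed
def matches(ev):
    """( all of selection1* or all of selection2* ) and not 1 of filter*"""
    return (selection1(ev) or selection2(ev)) and not any_filter(ev)
def event(image, cmd, parent="C:\\Windows\\explorer.exe"):
    return {"Image": image, "CommandLine": cmd, "ParentCommandLine": parent}
# Constructed sample events, not real telemetry.
SCHTASKS = "C:\\Windows\\System32\\schtasks.exe"
EVENTS = {
    "roaming_task": event(SCHTASKS, "schtasks.exe /create /tn Updater /tr C:\\Users\\bob\\AppData\\Roaming\\up.exe"),
    "klite_installer": event(SCHTASKS, 'schtasks.exe /Create /TN "klcp_update" /XML '
                             '"C:\\Users\\bob\\AppData\\Local\\Temp\\klcp_update_task.xml"'),
    "program_files": event(SCHTASKS, 'schtasks.exe /create /tn Backup /tr "C:\\Program Files\\Backup\\bk.exe"'),
    "schedule_child": event("C:\\Users\\Public\\svc.exe", "C:\\Users\\Public\\svc.exe --run",
                            "C:\\Windows\\System32\\svchost.exe -k netsvcs -p -s Schedule"),
}
```

Only roaming_task and schedule_child alert: the K-Lite event hits selection1 but is suppressed by filter_klite_codec, and the Program Files task touches no listed folder.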