Techniques
Sample rules
Suspicious Schtasks Schedule Type With High Privileges
- source: sigma
- techniques:
- t1053
- t1053.005
Description
Detects the creation or modification of a scheduled task that is to run with high privileges (SYSTEM, NT AUTHORITY or the HIGHEST run level) on a suspicious schedule type (at logon, at startup, once, or when idle)
Detection logic
  condition: all of selection_*
  selection_img:
    - Image|endswith: '\schtasks.exe'
    - OriginalFileName: 'schtasks.exe'
  selection_privs:
    CommandLine|contains:
      - 'NT AUT'
      - ' SYSTEM'
      - 'HIGHEST'
  selection_time:
    CommandLine|contains:
      - ' ONLOGON '
      - ' ONSTART '
      - ' ONCE '
      - ' ONIDLE '
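The following is an added example, not part of the rule page or of the Sigma project, showing how the three selections above combine: a selection written as a list of maps (selection_img) matches when any item matches, a selection written as a map matches only when every field matches, a list of values under one field matches when any value matches, and `all of selection_*` requires every selection to hold. String matching is case-insensitive, as in Sigma. The events are constructed Sysmon-style process-creation records (field names Image, OriginalFileName, CommandLine are assumed) and the matcher supports only the `contains`, `endswith` and plain-equality modifiers the rule uses.

```python
# Minimal evaluator for the rule's detection logic (added example, not Sigma's own code).
RULE = {
    "selection_img": [                      # list of maps: OR between items
        {"Image|endswith": "\\schtasks.exe"},
        {"OriginalFileName": "schtasks.exe"},
    ],
    "selection_privs": {                    # map: AND between fields
        "CommandLine|contains": ["NT AUT", " SYSTEM", "HIGHEST"],   # list: any value
    },
    "selection_time": {
        "CommandLine|contains": [" ONLOGON ", " ONSTART ", " ONCE ", " ONIDLE "],
    },
}


def _match_field(field_spec, expected, event):
    """Match one 'Field|modifier: value(s)' entry against an event, case-insensitively."""
    field, _, modifier = field_spec.partition("|")
    actual = str(event.get(field, "")).lower()
    wanted = expected if isinstance(expected, list) else [expected]
    for value in wanted:
        value = str(value).lower()
        if modifier == "contains" and value in actual:
            return True
        if modifier == "endswith" and actual.endswith(value):
            return True
        if modifier == "" and actual == value:
            return True
    return False


def _match_selection(selection, event):
    """A list of maps is OR-ed; a single map is AND-ed over its fields."""
    if isinstance(selection, list):
        return any(_match_selection(item, event) for item in selection)
    return all(_match_field(spec, val, event) for spec, val in selection.items())


def matches_rule(event, rule=RULE):
    """Evaluate 'condition: all of selection_*' for one event."""
    return all(_match_selection(sel, event)
               for name, sel in rule.items() if name.startswith("selection_"))


# Constructed sample events (not real telemetry) covering the main outcomes.
SAMPLE_EVENTS = {
    # Task created at logon, running as SYSTEM: all three selections hold.
    "system_onlogon": {
        "Image": r"C:\Windows\System32\schtasks.exe",
        "OriginalFileName": "schtasks.exe",
        "CommandLine": r'schtasks.exe /create /tn "Updater" /sc ONLOGON /ru SYSTEM /tr C:\ProgramData\update.exe',
    },
    # High privileges but an ordinary daily schedule: selection_time fails.
    "system_daily": {
        "Image": r"C:\Windows\System32\schtasks.exe",
        "OriginalFileName": "schtasks.exe",
        "CommandLine": r'schtasks.exe /create /tn "Backup" /sc DAILY /st 09:00 /ru SYSTEM /tr C:\ProgramData\backup.exe',
    },
    # Suspicious schedule but limited run level: selection_privs fails.
    "limited_onlogon": {
        "Image": r"C:\Windows\System32\schtasks.exe",
        "OriginalFileName": "schtasks.exe",
        "CommandLine": r'schtasks.exe /create /tn "Sync" /sc ONLOGON /rl LIMITED /tr C:\ProgramData\sync.exe',
    },
    # Same command line launched by a different binary: selection_img fails.
    "wrong_image": {
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": r'cmd.exe /c echo /sc ONSTART /rl HIGHEST',
    },
    # Renamed copy of schtasks: Image misses, but OriginalFileName (PE metadata) still matches;
    # mixed case shows the case-insensitive comparison.
    "renamed_binary": {
        "Image": r"C:\Users\Public\st.exe",
        "OriginalFileName": "SCHTASKS.EXE",
        "CommandLine": r'st.exe /create /tn "Svc" /sc onstart /rl highest /tr C:\Users\Public\svc.exe',
    },
}


def evaluate_samples():
    """Return {sample name: rule matched?} for every constructed event."""
    return {name: matches_rule(ev) for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:16s} -> {'ALERT' if hit else 'no match'}")
```

The renamed_binary case is why the rule keys on OriginalFileName as well as Image: the OR inside selection_img means a renamed copy of schtasks.exe is still attributed correctly from its PE version information, while the AND across selections keeps a daily SYSTEM task or a limited-privilege logon task from alerting.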