Detection rules › Equivalence class

eq_0003 — 2 rules with the same canonical form

Vendors: sigma (2). Stage count: 3. Correlation shape: single_event.

Members

MITRE ATT&CK coverage

Tactic                Technique
Execution             T1053.005 Scheduled Task/Job: Scheduled Task
Persistence           T1053.005 Scheduled Task/Job: Scheduled Task
Privilege Escalation  T1053.005 Scheduled Task/Job: Scheduled Task

Stages and predicates (per member)

Each member's stage is rendered in its own native syntax: the verbatim source where the IR captures it, falling back to the synthesised native form for the few stage types whose source segments aren't recoverable.

Suspicious Schtasks Schedule Types — stage 1 all of selection_img

or:
  Image|endswith: '\schtasks.exe'
  OriginalFileName: schtasks.exe

Suspicious Schtasks Schedule Types — stage 2 all of selection_time

or:
  CommandLine|contains: ' ONCE '
  CommandLine|contains: ' ONIDLE '
  CommandLine|contains: ' ONLOGON '
  CommandLine|contains: ' ONSTART '

Suspicious Schtasks Schedule Types — stage 3 not 1 of filter_privs

or:
  CommandLine|contains: ' SYSTEM'
  CommandLine|contains: HIGHEST
  CommandLine|contains: 'NT AUT'

Suspicious Schtasks Schedule Type With High Privileges — stage 4 all of selection_img

or:
  Image|endswith: '\schtasks.exe'
  OriginalFileName: schtasks.exe

Suspicious Schtasks Schedule Type With High Privileges — stage 5 all of selection_time

or:
  CommandLine|contains: ' ONCE '
  CommandLine|contains: ' ONIDLE '
  CommandLine|contains: ' ONLOGON '
  CommandLine|contains: ' ONSTART '

Suspicious Schtasks Schedule Type With High Privileges — stage 6 all of selection_privs

or:
  CommandLine|contains: ' SYSTEM'
  CommandLine|contains: HIGHEST
  CommandLine|contains: 'NT AUT'

Indicators (across all members)

Field             Kind        Value             Members  Corpus
CommandLine       match       ' ONCE '          2        2
CommandLine       match       ' ONIDLE '        2        2
CommandLine       match       ' ONLOGON '       2        2
CommandLine       match       ' ONSTART '       2        2
CommandLine       match       ' SYSTEM'         2        2
CommandLine       match       HIGHEST           2        2
CommandLine       match       'NT AUT'          2        4
Image             ends_with   \schtasks.exe     2        45
OriginalFileName  eq          schtasks.exe      2        14