Renamed Schtasks Execution
Detects the execution of a renamed schtasks.exe binary. schtasks.exe is a legitimate Windows utility for scheduling tasks, and scheduling malicious tasks with it is one of the most common persistence techniques. Because it is heavily abused, it is also heavily monitored by security products; to evade that monitoring, threat actors may rename the schtasks.exe binary before using it to schedule their tasks.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1053.005 Scheduled Task/Job: Scheduled Task |
| Persistence | T1053.005 Scheduled Task/Job: Scheduled Task |
| Privilege Escalation | T1053.005 Scheduled Task/Job: Scheduled Task |
| Defense Evasion | T1036.003 Masquerading: Rename Legitimate Utilities |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
Stages and Predicates
Stage 1: all of selection_cmd_operation
or:
CommandLine|contains: ' /change '
CommandLine|contains: ' /create '
CommandLine|contains: ' /delete '
CommandLine|contains: ' /end '
CommandLine|contains: ' /query '
CommandLine|contains: ' /run '
Stage 2: all of selection_cmd_flags
or:
CommandLine|contains: ' /fo '
CommandLine|contains: ' /ru '
CommandLine|contains: ' /sc '
CommandLine|contains: ' /st '
CommandLine|contains: ' /tn '
CommandLine|contains: ' /tr '
Stage 3: not filter_main_cmd
CommandLine|contains: schtasks
Stage 4: selection_pe
OriginalFileName: schtasks.exe
Stage 5: not filter_main_img
Image|endswith: '\schtasks.exe'
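The five stages above combine into a single condition: both command-line selections and the PE selection must match, and neither filter may match. The following Python is an added example (not part of the rule page or the Sigma project) that evaluates that logic over a few constructed Sysmon Event ID 1 records represented as dictionaries with the `Image`, `OriginalFileName` and `CommandLine` fields; the events and their values are made up for illustration, and `contains`/`endswith` are implemented case-insensitively, as Sigma treats string fields by default.

```python
"""Evaluate the 'Renamed Schtasks Execution' logic over constructed Sysmon EID 1 events."""

# selection_cmd_operation: one of the schtasks verbs must be present (OR within the list)
OPERATIONS = [' /change ', ' /create ', ' /delete ', ' /end ', ' /query ', ' /run ']
# selection_cmd_flags: one of the task-definition switches must be present (OR within the list)
FLAGS = [' /fo ', ' /ru ', ' /sc ', ' /st ', ' /tn ', ' /tr ']


def contains_any(value: str, needles) -> bool:
    """Sigma 'contains' over a list: true if any needle occurs (case-insensitive)."""
    lowered = value.lower()
    return any(needle.lower() in lowered for needle in needles)


def matches_renamed_schtasks(event: dict) -> bool:
    """Return True when the event satisfies all selections and no filter."""
    cmd = event.get("CommandLine", "")
    image = event.get("Image", "")
    original = event.get("OriginalFileName", "")

    if not contains_any(cmd, OPERATIONS):          # Stage 1
        return False
    if not contains_any(cmd, FLAGS):               # Stage 2
        return False
    if "schtasks" in cmd.lower():                  # Stage 3: filter_main_cmd
        return False
    if original.lower() != "schtasks.exe":         # Stage 4: selection_pe
        return False
    if image.lower().endswith("\\schtasks.exe"):   # Stage 5: filter_main_img
        return False
    return True


def alerting_indices(events) -> list:
    """Indices of the events that would raise an alert."""
    return [i for i, ev in enumerate(events) if matches_renamed_schtasks(ev)]


# Constructed sample telemetry, not captured from a real host.
SAMPLE_EVENTS = [
    {   # genuine schtasks.exe: filter_main_img and filter_main_cmd both suppress it
        "Image": r"C:\Windows\System32\schtasks.exe",
        "OriginalFileName": "schtasks.exe",
        "CommandLine": 'schtasks.exe /create /sc daily /tn Backup /tr "C:\\bkp.cmd" /st 02:00',
    },
    {   # renamed copy: PE header still says schtasks.exe, disk name and command line do not
        "Image": r"C:\Users\Public\svchost.exe",
        "OriginalFileName": "schtasks.exe",
        "CommandLine": 'svchost.exe /create /sc onlogon /tn Updater /tr "C:\\Users\\Public\\u.exe"',
    },
    {   # renamed copy, but only a verb with no task-definition switch: Stage 2 does not match
        "Image": r"C:\Temp\st.exe",
        "OriginalFileName": "schtasks.exe",
        "CommandLine": "st.exe /query ",
    },
    {   # different tool that happens to use /create and /tn: selection_pe does not match
        "Image": r"C:\Tools\mytool.exe",
        "OriginalFileName": "mytool.exe",
        "CommandLine": "mytool.exe /create /tn Something ",
    },
]

if __name__ == "__main__":
    for idx in alerting_indices(SAMPLE_EVENTS):
        print("ALERT:", SAMPLE_EVENTS[idx]["Image"], "->", SAMPLE_EVENTS[idx]["CommandLine"])
```

Running the block reports only the second event, which is the intended true positive: the `OriginalFileName` from the PE version resource survives a rename on disk, while both filters drop processes whose image path or command line still carry the genuine name. The third event shows why Stage 2 exists: a bare `/query` from a renamed binary is suspicious but is excluded by this rule, so a separate lower-severity rule would be needed to surface it.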
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values | Corpus |
|---|---|---|---|
| CommandLine | match | contains one of ` /change `, ` /create `, ` /delete `, ` /end `, ` /query `, ` /run ` and one of ` /fo `, ` /ru `, ` /sc `, ` /st `, ` /tn `, ` /tr `; does not contain `schtasks` | |
| Image | ends_with | `\schtasks.exe` (filter: excluded when matched) | |
| OriginalFileName | eq | `schtasks.exe` | |