Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE

Severity: medium
Author: Florian Roth (Nextron Systems)
Source: upstream

Detects Schtask creations that point to a suspicious folder or an environment variable often used by malware

MITRE ATT&CK coverage

Tactic	Techniques
Execution	`T1053.005` Scheduled Task/Job: Scheduled Task
Persistence	`T1053.005` Scheduled Task/Job: Scheduled Task
Privilege Escalation	`T1053.005` Scheduled Task/Job: Scheduled Task

Event coverage

Provider	Event ID	Title
Sysmon	1	Process creation

Stages and Predicates

Stage 1: `all of selection_1_create`

CommandLine|contains: ' /create '
Image|endswith: '\schtasks.exe'

Stage 2: `all of selection_1_all_folders`

or:
CommandLine|contains: '%AppData%'
CommandLine|contains: '%Public%'
CommandLine|contains: ':\Perflogs'
CommandLine|contains: ':\Users\All Users\'
CommandLine|contains: ':\Users\Default\'
CommandLine|contains: ':\Users\Public'
CommandLine|contains: ':\Windows\Temp'
CommandLine|contains: '\AppData\Local\'
CommandLine|contains: '\AppData\Roaming\'

Stage 3: `all of selection_2_parent`

ParentCommandLine|endswith: '\svchost.exe -k netsvcs -p -s Schedule'

Stage 4: `all of selection_2_some_folders`

or:
CommandLine|contains: '%Public%'
CommandLine|contains: ':\Perflogs'
CommandLine|contains: ':\Windows\Temp'
CommandLine|contains: '\Users\Public'

Stage 5: `not 1 of filter_optional_*`

or:
or:
CommandLine|contains: '.tmp\MaintenanceTask.xml'
CommandLine|contains: '.tmp\SystrayAutostart.xml'
CommandLine|contains: '.tmp\UpdateFallbackTask.xml'
CommandLine|contains: '.tmp\WatchdogServiceControlManagerTimeout.xml'
CommandLine|contains: '/Create /F /TN'
CommandLine|contains: '/Xml '
CommandLine|contains: Avira_
CommandLine|contains: '\Temp\'
CommandLine|contains: '/Create /TN "klcp_update" /XML '
CommandLine|contains: '\Temp\'
CommandLine|contains: '\klcp_update_task.xml'
CommandLine|contains: '/Create /Xml '
CommandLine|contains: '\Avira_Security_Installation.xml'
CommandLine|contains: '\Temp\.CR.'
CommandLine|contains: '/Create /TN TVInstallRestore /TR'
CommandLine|contains: update_task.xml
ParentCommandLine|contains: unattended.ini

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`CommandLine`	match	`/create` corpus 14 (sigma 14) `%AppData%` corpus 7 (sigma 7) `%Public%` corpus 4 (sigma 4) `.tmp\MaintenanceTask.xml` `.tmp\SystrayAutostart.xml` `.tmp\UpdateFallbackTask.xml` `.tmp\WatchdogServiceControlManagerTimeout.xml` `/Create /F /TN` `/Create /TN "klcp_update" /XML` `/Create /TN TVInstallRestore /TR` `/Create /Xml` `/Xml` `:\Perflogs` corpus 3 (sigma 3) `:\Users\All Users\` `:\Users\Default\` corpus 3 (sigma 3) `:\Users\Public` `:\Windows\Temp` corpus 2 (sigma 2) `Avira_` `\AppData\Local\` corpus 8 (sigma 8) `\AppData\Roaming\` corpus 10 (sigma 10) `\Avira_Security_Installation.xml` `\Temp\` corpus 7 (sigma 7) `\Temp\.CR.` `\Users\Public` `\klcp_update_task.xml` `update_task.xml`
`Image`	ends_with	`\schtasks.exe` corpus 45 (sigma 45)
`ParentCommandLine`	ends_with	`\svchost.exe -k netsvcs -p -s Schedule`
`ParentCommandLine`	match	`unattended.ini`

Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: all of selection_1_create

Stage 2: all of selection_1_all_folders

Stage 3: all of selection_2_parent