Detection rules › Sigma

Schtasks From Suspicious Folders

Severity
high
Author
Florian Roth (Nextron Systems)
Source
upstream

Detects scheduled task creations that have suspicious action command and folder combinations

MITRE ATT&CK coverage

Tactic               | Techniques
Execution            | T1053.005 Scheduled Task/Job: Scheduled Task
Persistence          | T1053.005 Scheduled Task/Job: Scheduled Task
Privilege Escalation | T1053.005 Scheduled Task/Job: Scheduled Task

Event coverage

Provider | Event ID | Title
Sysmon   | 1        | Process creation

Stages and Predicates

Stage 1: all of selection_img

or:
Image|endswith: '\schtasks.exe'
OriginalFileName: schtasks.exe

Stage 2: all of selection_create

CommandLine|contains: ' /create '

Stage 3: all of selection_command

or:
CommandLine|contains: 'cmd /c '
CommandLine|contains: 'cmd /k '
CommandLine|contains: 'cmd /r '
CommandLine|contains: 'cmd.exe /c '
CommandLine|contains: 'cmd.exe /k '
CommandLine|contains: 'cmd.exe /r '
CommandLine|contains: powershell
CommandLine|contains: pwsh

Stage 4: all of selection_all_folders

or:
CommandLine|contains: '%ProgramData%'
CommandLine|contains: 'C:\ProgramData\'
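The four selections above combine with the Sigma condition "all of selection_*", so an event must pass every stage before the rule fires. The following is an added example, not code from the rule page or from the Sigma project: it evaluates each selection separately (which helps when triaging near-misses) and then the overall condition, over constructed Sysmon Event ID 1 records. Sigma's contains and endswith modifiers are case-insensitive, which the example reproduces by lower-casing both sides.

```python
# Added example (not the rule page's or Sigma's own code): evaluates the four
# selections of "Schtasks From Suspicious Folders" over Sysmon Event ID 1
# records. Sigma 'contains'/'endswith' are case-insensitive, so values are lower-cased.

SHELL_LAUNCHERS = (
    "cmd /c ", "cmd /k ", "cmd /r ",
    "cmd.exe /c ", "cmd.exe /k ", "cmd.exe /r ",
    "powershell", "pwsh",
)
SUSPICIOUS_FOLDERS = ("%ProgramData%", "C:\\ProgramData\\")

def _contains_any(value: str, needles) -> bool:
    """Sigma list-valued 'contains': OR over the alternatives, case-insensitive."""
    value = value.lower()
    return any(n.lower() in value for n in needles)

def evaluate_stages(event: dict) -> dict:
    """Per-selection results; a partial hit shows which stage a near-miss failed."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    cmdline = event.get("CommandLine", "")
    return {
        "selection_img": image.endswith("\\schtasks.exe") or original == "schtasks.exe",
        "selection_create": " /create " in cmdline.lower(),
        "selection_command": _contains_any(cmdline, SHELL_LAUNCHERS),
        "selection_all_folders": _contains_any(cmdline, SUSPICIOUS_FOLDERS),
    }

def rule_matches(event: dict) -> bool:
    """Sigma condition 'all of selection_*': every stage must be true."""
    return all(evaluate_stages(event).values())

# Constructed Sysmon Event ID 1 records for testing (not real telemetry).
SAMPLE_EVENTS = [
    {  # alerts: /create, cmd.exe /c launcher, task action under C:\ProgramData\
        "Image": "C:\\Windows\\System32\\schtasks.exe",
        "OriginalFileName": "schtasks.exe",
        "CommandLine": 'schtasks.exe /create /sc minute /mo 10 /tn Upd /tr "cmd.exe /c C:\\ProgramData\\upd.bat"',
    },
    {  # no alert: action is a binary under Program Files, no shell launcher
        "Image": "C:\\Windows\\System32\\schtasks.exe",
        "CommandLine": 'schtasks.exe /create /sc daily /tn Backup /tr "C:\\Program Files\\Vendor\\backup.exe"',
    },
    {  # no alert: a /query never passes ' /create ', so stage 2 fails
        "Image": "C:\\Windows\\System32\\schtasks.exe",
        "CommandLine": "schtasks.exe /query /tn Upd /v",
    },
]
```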

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators, while a blank count or a count of 1 means the indicator is specific to this rule.

Field            | Kind      | Values
CommandLine      | match     |
  • /create corpus 14 (sigma 14)
  • %ProgramData% corpus 4 (sigma 4)
  • C:\ProgramData\ corpus 6 (sigma 6)
  • cmd /c corpus 5 (sigma 5)
  • cmd /k corpus 5 (sigma 5)
  • cmd /r corpus 5 (sigma 5)
  • cmd.exe /c corpus 6 (sigma 6)
  • cmd.exe /k corpus 6 (sigma 6)
  • cmd.exe /r corpus 6 (sigma 6)
  • powershell corpus 16 (sigma 16)
  • pwsh corpus 5 (sigma 5)
Image            | ends_with |
  • \schtasks.exe corpus 45 (sigma 45)
OriginalFileName | eq        |
  • schtasks.exe corpus 14 (sigma 14)