Suspicious Scheduled Task Creation via Masqueraded XML File

Severity: medium
Author: Swachchhanda Shrawan Poudel, Elastic (idea)
Source: upstream

Detects the creation of a scheduled task using the "-XML" flag with a file without the '.xml' extension. This behavior could be indicative of potential defense evasion attempt during persistence

MITRE ATT&CK coverage

Tactic	Techniques
Execution	`T1053.005` Scheduled Task/Job: Scheduled Task
Persistence	`T1053.005` Scheduled Task/Job: Scheduled Task
Privilege Escalation	`T1053.005` Scheduled Task/Job: Scheduled Task
Defense Evasion	`T1036.005` Masquerading: Match Legitimate Resource Name or Location

Event coverage

Provider	Event ID	Title
Sysmon	1	Process creation

Stages and Predicates

Stage 1: `all of selection_img`

or:
Image|endswith: '\schtasks.exe'
OriginalFileName: schtasks.exe

Stage 2: `all of selection_cli_create`

or:
CommandLine|contains: -create
CommandLine|contains: '/create'

Stage 3: `all of selection_cli_xml`

or:
CommandLine|contains: -xml
CommandLine|contains: '/xml'

Stage 4: `not 1 of filter_main_*`

or:
ParentCommandLine|contains: '.tmp,zzzzInvokeManagedCustomActionOutOfProc'
ParentCommandLine|contains: ':\WINDOWS\Installer\MSI'
ParentImage|endswith: '\rundll32.exe'
CommandLine|contains: .xml
IntegrityLevel: S-1-16-16384
IntegrityLevel: System

Stage 5: `not 1 of filter_optional_third_party`

or:
ParentImage|endswith: ':\Program Files (x86)\Zemana\AntiMalware\AntiMalware.exe'
ParentImage|endswith: ':\Program Files\Axis Communications\AXIS Camera Station\SetupActions.exe'
ParentImage|endswith: ':\Program Files\Axis Communications\AXIS Device Manager\AdmSetupActions.exe'
ParentImage|endswith: ':\Program Files\Dell\SupportAssist\pcdrcui.exe'
ParentImage|endswith: ':\ProgramData\OEM\UpgradeTool\CareCenter_*\BUnzip\Setup_msi.exe'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`CommandLine`	match	`-create` `-xml` `.xml` corpus 5 (sigma 5) `/create` `/xml`
`Image`	ends_with	`\schtasks.exe` corpus 45 (sigma 45)
`IntegrityLevel`	eq	`S-1-16-16384` corpus 21 (sigma 21) `System` corpus 21 (sigma 21)
`OriginalFileName`	eq	`schtasks.exe` corpus 14 (sigma 14)
`ParentCommandLine`	match	`.tmp,zzzzInvokeManagedCustomActionOutOfProc` `:\WINDOWS\Installer\MSI`
`ParentImage`	ends_with	`:\Program Files (x86)\Zemana\AntiMalware\AntiMalware.exe` `:\Program Files\Axis Communications\AXIS Camera Station\SetupActions.exe` `:\Program Files\Axis Communications\AXIS Device Manager\AdmSetupActions.exe` `:\Program Files\Dell\SupportAssist\pcdrcui.exe` `:\ProgramData\OEM\UpgradeTool\CareCenter_*\BUnzip\Setup_msi.exe` `\rundll32.exe` corpus 12 (sigma 12)

Suspicious Scheduled Task Creation via Masqueraded XML File

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: all of selection_img

Stage 2: all of selection_cli_create

Stage 3: all of selection_cli_xml