Detection rules › Sigma
Scheduled TaskCache Change by Uncommon Program
Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1053 Scheduled Task/Job, T1053.005 Scheduled Task/Job: Scheduled Task |
| Persistence | T1053 Scheduled Task/Job, T1053.005 Scheduled Task/Job: Scheduled Task |
| Privilege Escalation | T1053 Scheduled Task/Job, T1053.005 Scheduled Task/Job: Scheduled Task |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 13 | RegistryEvent (Value Set) |
Stages and Predicates
Stage 1: selection
TargetObject|contains: 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\'
Stage 2: not 1 of filter_main_*
or:
or:
TargetObject|contains: '\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B66B135D-DA06-4FC4-95F8-7458E1D10129}'
TargetObject|contains: '\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\.NET Framework\.NET Framework NGEN'
Image|endswith: '\ngen.exe'
Image|startswith: 'C:\Windows\Microsoft.NET\Framework'
Image|endswith: '\TiWorker.exe'
Image|startswith: 'C:\Windows\'
Image: 'C:\Windows\explorer.exe'
TargetObject|contains: '\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\PLA\Server Manager Performance Monitor\'
Details: '(Empty)'
Details: null
Image|endswith: 'C:\Windows\System32\MoUsoCoreWorker.exe'
Image|endswith: 'C:\Windows\System32\services.exe'
Image: 'C:\Program Files (x86)\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe'
Image: 'C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe'
Image: 'C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe'
Image: 'C:\Program Files\Microsoft Office\root\Integration\Integrator.exe'
Image: 'C:\WINDOWS\system32\svchost.exe'
Image: 'C:\Windows\System32\RuntimeBroker.exe'
Image: 'C:\Windows\System32\msiexec.exe'
Image: System
TargetObject|contains: 'Microsoft\Windows\Flighting\OneSettings\RefreshCache\Index'
TargetObject|contains: 'Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask\Index'
TargetObject|contains: 'Microsoft\Windows\UpdateOrchestrator'
Stage 3: not 1 of filter_optional_*
or:
Image|endswith: 'C:\Program Files (x86)\Microsoft OneDrive\OneDrive.exe'
Image|endswith: 'C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe'
Image|endswith: 'C:\Program Files\Microsoft OneDrive\OneDrive.exe'
Image|endswith: 'C:\Program Files\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe'
Image: 'C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe'
Image: 'C:\Program Files\Dropbox\Update\DropboxUpdate.exe'
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
Details | eq |
|
Image | ends_with |
|
Image | eq |
|
Image | starts_with |
|
TargetObject | match |
|