Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

Suspicious Modification Of Scheduled Tasks

Detects when an attacker tries to modify an already existing scheduled tasks to run from a suspicious location Attackers can create a simple looking task in order to avoid detection on creation as it's often the most focused on Instead they modify the task after creation to include their malicious payload

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Nasreddine Bencherchali (Nextron Systems)Created Thu Jul 28Updated Fri Nov 181c0e41cd-21bb-4433-9acc-4a2cd6367b9bwindows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic3 selectors
detection:
    selection_schtasks:
        Image|endswith: '\schtasks.exe'
        CommandLine|contains|all:
            - ' /Change '
            - ' /TN '
    selection_susp_locations:
        CommandLine|contains:
            - '\AppData\Local\Temp'
            - '\AppData\Roaming\'
            - '\Users\Public\'
            - '\WINDOWS\Temp\'
            - '\Desktop\'
            - '\Downloads\'
            - '\Temporary Internet'
            - 'C:\ProgramData\'
            - 'C:\Perflogs\'
            - '%ProgramData%'
            - '%appdata%'
            - '%comspec%'
            - '%localappdata%'
    selection_susp_images:
        CommandLine|contains:
            - 'regsvr32'
            - 'rundll32'
            - 'cmd /c '
            - 'cmd /k '
            - 'cmd /r '
            - 'cmd.exe /c '
            - 'cmd.exe /k '
            - 'cmd.exe /r '
            - 'powershell'
            - 'mshta'
            - 'wscript'
            - 'cscript'
            - 'certutil'
            - 'bitsadmin'
            - 'bash.exe'
            - 'bash '
            - 'scrcons'
            - 'wmic '
            - 'wmic.exe'
            - 'forfiles'
            - 'scriptrunner'
            - 'hh.exe'
            - 'hh '
    condition: all of selection_*
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
Internal Research
2
Resolving title…
learn.microsoft.com
MITRE ATT&CK
Related Rules
SimilarDetectionhigh

Suspicious Scheduled Task Update

Detects update to a scheduled task event that contain suspicious keywords.

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata
Rule ID
1c0e41cd-21bb-4433-9acc-4a2cd6367b9b
Status
test
Level
high
Type
Detection
Created
Thu Jul 28
Modified
Fri Nov 18
Author
Nasreddine Bencherchali (Nextron Systems)
Path
rules/windows/process_creation/proc_creation_win_schtasks_change.yml
Raw Tags
attack.privilege-escalationattack.persistenceattack.executionattack.t1053.005
View on GitHub