Detectionmediumtest

Scheduled Task Executed From A Suspicious Location

Detects the execution of Scheduled Tasks where the Program being run is located in a suspicious location or it's an unusale program to be run from a Scheduled Task

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Nasreddine Bencherchali (Nextron Systems)Created Mon Dec 05Updated Tue Feb 07424273ea-7cf8-43a6-b712-375f925e481fwindows

Log Source

Windowstaskscheduler

ProductWindows← raw: windows

Servicetaskscheduler← raw: taskscheduler

Definition

Requirements: The "Microsoft-Windows-TaskScheduler/Operational" is disabled by default and needs to be enabled in order for this detection to trigger

Detection Logic

detection:
    selection:
        EventID: 129 # Created Task Process
        Path|contains:
            - 'C:\Windows\Temp\'
            - '\AppData\Local\Temp\'
            - '\Desktop\'
            - '\Downloads\'
            - '\Users\Public\'
            - 'C:\Temp\'
    # If you experience FP. Uncomment the filter below and add the specific TaskName with the Program to it
    # filter:
    #     TaskName: '\Exact\Task\Name'
    #     Path: 'Exact\Path'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

Internal Research

MITRE ATT&CK

Tactics

TA0004 · Privilege Escalation TA0002 · Execution TA0003 · Persistence

Sub-techniques

T1053.005 · Scheduled Task

Rule Metadata

Rule ID

424273ea-7cf8-43a6-b712-375f925e481f

Status

test

Level

medium

Type

Detection

Created

Mon Dec 05

Modified

Tue Feb 07

Author

Nasreddine Bencherchali (Nextron Systems)

Path

rules/windows/builtin/taskscheduler/win_taskscheduler_execution_from_susp_locations.yml

Raw Tags

attack.privilege-escalationattack.executionattack.persistenceattack.t1053.005

View on GitHub