Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

Scheduled TaskCache Change by Uncommon Program

Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Syed HasanCreated Fri Jun 18Updated Wed Oct 224720b7df-40c3-48fd-bbdf-fd4b3c464f0dwindows
Log Source
WindowsRegistry Set
ProductWindows← raw: windows
CategoryRegistry Set← raw: registry_set
Detection Logic
Detection Logic17 selectors
detection:
    selection:
        TargetObject|contains: 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\'
    filter_main_empty:
        Details: '(Empty)'
    filter_main_null:
        Details: null
    filter_main_other:
        TargetObject|contains:
            - 'Microsoft\Windows\UpdateOrchestrator'
            - 'Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask\Index'
            - 'Microsoft\Windows\Flighting\OneSettings\RefreshCache\Index'
    filter_main_mousocoreworker:
        Image|endswith: 'C:\Windows\System32\MoUsoCoreWorker.exe'
    filter_main_services:
        Image|endswith: 'C:\Windows\System32\services.exe'
    filter_main_tiworker:
        Image|startswith: 'C:\Windows\'
        Image|endswith: '\TiWorker.exe'
    filter_main_svchost:
        Image: 'C:\WINDOWS\system32\svchost.exe'
    filter_main_ngen:
        Image|startswith: 'C:\Windows\Microsoft.NET\Framework' # \Framework\ and \Framework64\
        Image|endswith: '\ngen.exe'
        TargetObject|contains:
            - '\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B66B135D-DA06-4FC4-95F8-7458E1D10129}'
            - '\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\.NET Framework\.NET Framework NGEN'
    filter_main_office:
        Image:
            - 'C:\Program Files\Microsoft Office\root\Integration\Integrator.exe'
            - 'C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe'
            - 'C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe'
            - 'C:\Program Files (x86)\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe'
    filter_main_msiexec:
        Image: 'C:\Windows\System32\msiexec.exe'
    filter_main_explorer:
        Image: 'C:\Windows\explorer.exe'
        TargetObject|contains: '\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\PLA\Server Manager Performance Monitor\'
    filter_main_system:
        Image: 'System'
    filter_main_runtimebroker:
        Image: 'C:\Windows\System32\RuntimeBroker.exe'
    filter_optional_dropbox_updater:
        Image:
            - 'C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe'
            - 'C:\Program Files\Dropbox\Update\DropboxUpdate.exe'
    filter_optional_edge:
        Image|endswith:
            - 'C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe'
            - 'C:\Program Files\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe'
    filter_optional_onedrive:
        Image|endswith:
            - 'C:\Program Files (x86)\Microsoft OneDrive\OneDrive.exe'
            - 'C:\Program Files\Microsoft OneDrive\OneDrive.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
thedfirreport.com
2
Resolving title…
labs.f-secure.com
MITRE ATT&CK
Rule Metadata
Rule ID
4720b7df-40c3-48fd-bbdf-fd4b3c464f0d
Status
test
Level
high
Type
Detection
Created
Fri Jun 18
Modified
Wed Oct 22
Author
Syed Hasan
Path
rules/windows/registry/registry_set/registry_set_taskcache_entry.yml
Raw Tags
attack.privilege-escalationattack.executionattack.persistenceattack.t1053attack.t1053.005
View on GitHub