Type: Detection | Level: medium | Status: test
Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE
Detects scheduled task creations via schtasks.exe whose command line points to a suspicious folder or to an environment variable often used by malware
Author: Florian Roth (Nextron Systems) | Created: Mon Feb 21 | Updated: Tue Oct 07 | Rule ID: 81325ce1-be01-4250-944f-b4789644556f | Product: windows
Log Source
WindowsProcess Creation
Product: Windows (raw: windows)
Category: Process Creation (raw: process_creation)
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic (9 selectors)
detection:
    selection_1_create:
        Image|endswith: '\schtasks.exe'
        CommandLine|contains|windash: ' /create '
    selection_1_all_folders:
        CommandLine|contains:
            - ':\Perflogs'
            - ':\Users\All Users\'
            - ':\Users\Default\'
            - ':\Users\Public'
            - ':\Windows\Temp'
            - '\AppData\Local\'
            - '\AppData\Roaming\'
            - '%AppData%'
            - '%Public%'
    selection_2_parent:
        ParentCommandLine|endswith: '\svchost.exe -k netsvcs -p -s Schedule'
    selection_2_some_folders:
        CommandLine|contains:
            - ':\Perflogs'
            - ':\Windows\Temp'
            - '\Users\Public'
            - '%Public%'
    filter_optional_other:
        - ParentCommandLine|contains: 'unattended.ini'
        - CommandLine|contains: 'update_task.xml'
    filter_optional_team_viewer:
        CommandLine|contains: '/Create /TN TVInstallRestore /TR'
    filter_optional_avira_install:
        # Comment out this filter if you don't use AVIRA
        CommandLine|contains|all:
            - '/Create /Xml '
            - '\Temp\.CR.'
            - '\Avira_Security_Installation.xml'
    filter_optional_avira_other:
        # Comment out this filter if you don't use AVIRA
        CommandLine|contains|all:
            - '/Create /F /TN'
            - '/Xml '
            - '\Temp\'
            - 'Avira_'
        CommandLine|contains:
            - '.tmp\UpdateFallbackTask.xml'
            - '.tmp\WatchdogServiceControlManagerTimeout.xml'
            - '.tmp\SystrayAutostart.xml'
            - '.tmp\MaintenanceTask.xml'
    filter_optional_klite_codec:
        CommandLine|contains|all:
            - '\Temp\'
            - '/Create /TN "klcp_update" /XML '
            - '\klcp_update_task.xml'
    condition: ( all of selection_1_* or all of selection_2_* ) and not 1 of filter_optional_*
False Positives
Benign scheduled task creations or executions that happen often during software installations
Software that uses the AppData folder and scheduled tasks to update itself from within the AppData folders
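To make the condition above concrete, here is an added example (not code from the Sigma project or the rule author) that evaluates this rule over a few constructed process-creation events. It assumes events are plain dicts with Image, CommandLine and ParentCommandLine fields and implements only the modifiers this rule uses, including windash (the '/' switch prefix also matching '-').

```python
# Added example (not the Sigma project's code): a minimal evaluator for the rule above,
# run over constructed process-creation events. Only the modifiers this rule uses are implemented.
def _ci(s):  # Sigma string matching is case-insensitive by default
    return s.lower()
def contains_any(value, needles):
    return any(_ci(n) in _ci(value) for n in needles)
def contains_all(value, needles):
    return all(_ci(n) in _ci(value) for n in needles)
def endswith(value, suffix):
    return _ci(value).endswith(_ci(suffix))
def windash(needle):
    # windash: the '/' switch prefix may also be written with '-' or a unicode dash
    return [needle.replace("/", d, 1) for d in ("/", "-", "\u2013", "\u2014", "\u2015")]

ALL_FOLDERS = [":\\Perflogs", ":\\Users\\All Users\\", ":\\Users\\Default\\", ":\\Users\\Public",
               ":\\Windows\\Temp", "\\AppData\\Local\\", "\\AppData\\Roaming\\", "%AppData%", "%Public%"]
SOME_FOLDERS = [":\\Perflogs", ":\\Windows\\Temp", "\\Users\\Public", "%Public%"]
AVIRA_XML = [".tmp\\UpdateFallbackTask.xml", ".tmp\\WatchdogServiceControlManagerTimeout.xml",
             ".tmp\\SystrayAutostart.xml", ".tmp\\MaintenanceTask.xml"]

def matches(ev):  # True when the rule's condition fires for one event
    img, cl, pcl = ev.get("Image", ""), ev.get("CommandLine", ""), ev.get("ParentCommandLine", "")
    sel1 = (endswith(img, "\\schtasks.exe") and contains_any(cl, windash(" /create "))
            and contains_any(cl, ALL_FOLDERS))                        # all of selection_1_*
    sel2 = (endswith(pcl, "\\svchost.exe -k netsvcs -p -s Schedule")
            and contains_any(cl, SOME_FOLDERS))                       # all of selection_2_*
    filters = [                                                       # 1 of filter_optional_*
        contains_any(pcl, ["unattended.ini"]) or contains_any(cl, ["update_task.xml"]),
        contains_any(cl, ["/Create /TN TVInstallRestore /TR"]),
        contains_all(cl, ["/Create /Xml ", "\\Temp\\.CR.", "\\Avira_Security_Installation.xml"]),
        contains_all(cl, ["/Create /F /TN", "/Xml ", "\\Temp\\", "Avira_"]) and contains_any(cl, AVIRA_XML),
        contains_all(cl, ["\\Temp\\", '/Create /TN "klcp_update" /XML ', "\\klcp_update_task.xml"]),
    ]
    return (sel1 or sel2) and not any(filters)

SCHTASKS = "C:\\Windows\\System32\\schtasks.exe"
EVENTS = {  # constructed sample events, not real telemetry
    "env_var": {"Image": SCHTASKS, "ParentCommandLine": "cmd.exe",
                "CommandLine": "schtasks.exe /create /tn Updater /tr %AppData%\\svc.exe /sc minute"},
    "dash_switch": {"Image": SCHTASKS, "ParentCommandLine": "cmd.exe",
                    "CommandLine": "schtasks -create -tn x -tr C:\\Windows\\Temp\\a.exe"},
    "teamviewer": {"Image": SCHTASKS, "ParentCommandLine": "TeamViewer_Setup.exe",
                   "CommandLine": "schtasks.exe /Create /TN TVInstallRestore /TR C:\\Users\\Public\\tv.exe"},
    "system32": {"Image": SCHTASKS, "ParentCommandLine": "cmd.exe",
                 "CommandLine": "schtasks.exe /create /tn Backup /tr C:\\Windows\\System32\\backup.exe"},
}

def fired(events=EVENTS):  # names of the events the rule alerts on
    return sorted(name for name, ev in events.items() if matches(ev))
```

The TeamViewer event is suppressed by filter_optional_team_viewer even though it hits selection_1_*, and the System32 task never matches because no listed folder appears in its command line.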
MITRE ATT&CK: T1053.005 (Scheduled Task/Job: Scheduled Task); tactics: Privilege Escalation, Persistence, Execution
Related Rules
Derived
43f487f0-755f-4c2a-bce7-d6d2eec2fcf8 (rule not found on this site)
Rule Metadata
Rule ID
81325ce1-be01-4250-944f-b4789644556f
Status
test
Level
medium
Type
Detection
Created
Mon Feb 21
Modified
Tue Oct 07
Path
rules/windows/process_creation/proc_creation_win_schtasks_env_folder.yml
Raw Tags
attack.privilege-escalation
attack.persistence
attack.execution
attack.t1053.005