Scheduled Task Creation Via Schtasks.EXE
Detects the creation of scheduled tasks by user accounts via the "schtasks" utility.
Author: Florian Roth (Nextron Systems)
Created: Wed Jan 16
Updated: Wed Oct 22
Rule ID: 92626ddd-662c-49e3-ac59-f6535f12d189
Product: windows
Log Source
Product: Windows (raw: windows)
Category: Process Creation (raw: process_creation)
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic (3 selectors)
detection:
    selection:
        Image|endswith: '\schtasks.exe'
        CommandLine|contains: ' /create '
    filter_main_system_user:
        User|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
    filter_optional_msoffice:
        # schtasks.exe /Create /tn "Microsoft\Office\Office Performance Monitor" /XML "C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_Office Performance Monitor.xml"
        ParentImage:
            - 'C:\Program Files\Microsoft Office\root\integration\integrator.exe'
            - 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
        Image:
            - 'C:\Windows\System32\schtasks.exe'
            - 'C:\Windows\SysWOW64\schtasks.exe'
        CommandLine|contains: 'Microsoft\Office\Office Performance Monitor'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*

False Positives
Administrative activity
Software installation
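To show how the three selectors above combine under the rule's condition, here is an added Python evaluator (not part of the rule or of any Sigma backend) that applies the selection, the system-user filter and the Office filter to a handful of constructed process-creation events. Sigma string modifiers compare case-insensitively, which the helper reproduces by lowercasing both sides; the event field names and the sample values are assumptions for illustration.

```python
SYSTEM_USER_MARKERS = ("authori", "autori")  # filter_main_system_user, several locales
OFFICE_PARENTS = {
    r"c:\program files\microsoft office\root\integration\integrator.exe",
    r"c:\program files (x86)\microsoft office\root\integration\integrator.exe",
}
OFFICE_IMAGES = {r"c:\windows\system32\schtasks.exe", r"c:\windows\syswow64\schtasks.exe"}
OFFICE_CMD_FRAGMENT = r"microsoft\office\office performance monitor"


def _lc(event, field):
    """Sigma string matching is case-insensitive; a missing field never matches."""
    return str(event.get(field, "")).lower()


def selection(event):
    return (_lc(event, "Image").endswith(r"\schtasks.exe")
            and " /create " in _lc(event, "CommandLine"))


def filter_main_system_user(event):
    return any(marker in _lc(event, "User") for marker in SYSTEM_USER_MARKERS)


def filter_optional_msoffice(event):
    # Keys inside one Sigma map are AND-ed: parent, image and command line must all fit.
    return (_lc(event, "ParentImage") in OFFICE_PARENTS
            and _lc(event, "Image") in OFFICE_IMAGES
            and OFFICE_CMD_FRAGMENT in _lc(event, "CommandLine"))


def rule_matches(event):
    # condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
    return (selection(event) and not filter_main_system_user(event)
            and not filter_optional_msoffice(event))


def alerting_events(events):
    return [name for name, event in events.items() if rule_matches(event)]


# Constructed sample events (not real telemetry); keys follow the process_creation field names.
SCHTASKS = r"C:\Windows\System32\schtasks.exe"
INTEGRATOR = r"C:\Program Files\Microsoft Office\root\integration\integrator.exe"
SAMPLE_EVENTS = {
    "user_created_task": {"Image": SCHTASKS, "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"WORKSTATION\alice",
                          "CommandLine": r"schtasks.exe /create /sc onlogon /tn Sync /tr C:\Users\alice\sync.cmd"},
    "system_account": {"Image": SCHTASKS, "ParentImage": r"C:\Windows\System32\svchost.exe", "User": r"NT AUTHORITY\SYSTEM",
                       "CommandLine": r"schtasks.exe /create /tn Maintenance /xml C:\Windows\Temp\m.xml"},
    "office_integrator": {"Image": SCHTASKS, "ParentImage": INTEGRATOR, "User": r"WORKSTATION\alice",
                          "CommandLine": r'schtasks.exe /Create /tn "Microsoft\Office\Office Performance Monitor" /XML C:\ProgramData\Microsoft\ClickToRun\opm.xml'},
    "task_deleted": {"Image": SCHTASKS, "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"WORKSTATION\alice",
                     "CommandLine": r"schtasks.exe /delete /tn Sync /f"},
    "office_parent_other_task": {"Image": SCHTASKS, "ParentImage": INTEGRATOR, "User": r"WORKSTATION\alice",
                                 "CommandLine": r"schtasks.exe /create /tn Updater /tr C:\Temp\u.exe"},
}
```

The last sample shows why the Office filter keys all three fields: a task created under the integrator parent but with a different task name still alerts, so the exclusion stays narrow.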
References
MITRE ATT&CK
Tactics: attack.execution, attack.persistence, attack.privilege-escalation
Sub-techniques: attack.t1053.005
Software: attack.s0111
CAR Analytics: CAR 2013-08-001
Other: stp.1u
Rule Metadata
Rule ID: 92626ddd-662c-49e3-ac59-f6535f12d189
Status: test
Level: low
Type: Detection
Created: Wed Jan 16
Modified: Wed Oct 22
Path: rules/windows/process_creation/proc_creation_win_schtasks_creation.yml
Raw Tags: attack.execution, attack.persistence, attack.privilege-escalation, attack.t1053.005, attack.s0111, car.2013-08-001, stp.1u