
Scheduled Task Creation From Potential Suspicious Parent Location

Detects the execution of "schtasks.exe" from a parent that is located in a potentially suspicious location. Multiple malware strains were seen exhibiting a similar behavior in order to achieve persistence.

Author: Florian Roth (Nextron Systems)
Created: Wed Feb 23
Updated: Mon May 13
Rule ID: 9494479d-d994-40bf-a8b1-eea890237021
Product: windows
Log Source
Product: Windows (raw: windows)
Category: Process Creation (raw: process_creation)

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic (2 selectors)
detection:
    selection:
        ParentImage|contains:
            - ':\Temp\'
            - '\AppData\Local\'
            - '\AppData\Roaming\'
            - '\Temporary Internet'
            - '\Users\Public\'
            - '\Windows\Temp\'
        Image|endswith: '\schtasks.exe'
        CommandLine|contains: '/Create '
    filter_optional_common:
        CommandLine|contains:
            - 'update_task.xml'
            - 'unattended.ini'
    condition: selection and not 1 of filter_optional_*
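The following is an added example, not part of the Sigma rule or of the rule browser, showing how the detection logic above evaluates against process-creation events. It is a plain Python re-implementation of the rule's `selection`, `filter_optional_common` and `condition` blocks, run over constructed sample events (not real telemetry). It assumes the Sigma default that `contains`/`endswith` string matching is case-insensitive, and uses the same field names as the rule (`ParentImage`, `Image`, `CommandLine`).

```python
# Added example: evaluates the Sigma rule above against constructed events.
# Assumption: string modifiers are case-insensitive (Sigma default for most backends).

# selection: ParentImage|contains
SUSPICIOUS_PARENT_DIRS = (
    ":\\Temp\\",
    "\\AppData\\Local\\",
    "\\AppData\\Roaming\\",
    "\\Temporary Internet",
    "\\Users\\Public\\",
    "\\Windows\\Temp\\",
)

# filter_optional_common: CommandLine|contains (known benign installer artifacts)
FILTER_COMMANDLINE_SUBSTRINGS = ("update_task.xml", "unattended.ini")


def selection_matches(event: dict) -> bool:
    """All keys of a Sigma map are AND-ed; list values under one key are OR-ed."""
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    return (
        any(d.lower() in parent for d in SUSPICIOUS_PARENT_DIRS)
        and image.endswith("\\schtasks.exe")
        and "/create " in cmdline  # note the trailing space, as in the rule
    )


def filter_matches(event: dict) -> bool:
    """filter_optional_common: tunes out common installer task definitions."""
    cmdline = event.get("CommandLine", "").lower()
    return any(s in cmdline for s in FILTER_COMMANDLINE_SUBSTRINGS)


def rule_matches(event: dict) -> bool:
    """condition: selection and not 1 of filter_optional_*"""
    return selection_matches(event) and not filter_matches(event)


# Constructed sample events (hypothetical paths and task names, not real data)
SAMPLE_EVENTS = [
    {  # 0: binary in AppData\Roaming registers a logon task -> should alert
        "ParentImage": "C:\\Users\\alice\\AppData\\Roaming\\svc.exe",
        "Image": "C:\\Windows\\System32\\schtasks.exe",
        "CommandLine": 'schtasks.exe /Create /SC ONLOGON /TN "Updater" /TR "C:\\Users\\alice\\AppData\\Roaming\\svc.exe"',
    },
    {  # 1: installer in Temp imports update_task.xml -> matched by filter, no alert
        "ParentImage": "C:\\Temp\\setup\\vendor_setup.exe",
        "Image": "C:\\Windows\\System32\\schtasks.exe",
        "CommandLine": 'schtasks.exe /Create /XML "C:\\Temp\\setup\\update_task.xml" /TN "VendorUpdate"',
    },
    {  # 2: parent in Program Files -> parent location not suspicious, no alert
        "ParentImage": "C:\\Program Files\\Vendor\\agent.exe",
        "Image": "C:\\Windows\\System32\\schtasks.exe",
        "CommandLine": 'schtasks.exe /Create /SC DAILY /TN "AgentCheck" /TR "C:\\Program Files\\Vendor\\agent.exe"',
    },
    {  # 3: suspicious parent but /Delete, not /Create -> no alert
        "ParentImage": "C:\\Windows\\Temp\\inst.exe",
        "Image": "C:\\Windows\\System32\\schtasks.exe",
        "CommandLine": "schtasks.exe /Delete /TN Old /F",
    },
    {  # 4: lowercase '/create' from Users\Public -> still alerts (case-insensitive)
        "ParentImage": "C:\\Users\\Public\\tool.exe",
        "Image": "C:\\Windows\\SysWOW64\\SCHTASKS.EXE",
        "CommandLine": "schtasks /create /sc minute /mo 5 /tn Sync /tr C:\\Users\\Public\\tool.exe",
    },
]


def evaluate(events: list) -> list:
    """Return the indices of events the rule would fire on."""
    return [i for i, e in enumerate(events) if rule_matches(e)]


if __name__ == "__main__":
    for i in evaluate(SAMPLE_EVENTS):
        print(f"ALERT event {i}: {SAMPLE_EVENTS[i]['CommandLine']}")
```

Event 1 illustrates the rule's stated false positive class (an installer running from a temporary folder that also installs a scheduled task) and why the optional filter exists; when tuning, extend `FILTER_COMMANDLINE_SUBSTRINGS` only with artifacts you have verified in your own environment.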
False Positives

Software installers that run from temporary folders and also install scheduled tasks

Rule Metadata
Rule ID
9494479d-d994-40bf-a8b1-eea890237021
Status
test
Level
medium
Type
Threat Hunt
Created
Wed Feb 23
Modified
Mon May 13
Path
rules-threat-hunting/windows/process_creation/proc_creation_win_schtasks_creation_from_susp_parent.yml
Raw Tags
attack.execution
attack.persistence
attack.privilege-escalation
attack.t1053.005
detection.threat-hunting