Detectionhightest

Suspicious Schtasks Execution AppData Folder

Detects the creation of a schtask that executes a file from C:\Users\<USER>\AppData\Local

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Martin Mueller, Nasreddine Bencherchali (Nextron Systems)Created Tue Mar 15Updated Thu Jul 28c5c00f49-b3f9-45a6-997e-cfdecc6e1967windows

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection:
        Image|endswith: '\schtasks.exe'
        CommandLine|contains|all:
            - '/Create'
            - '/RU'
            - '/TR'
            - 'C:\Users\'
            - '\AppData\Local\'
        CommandLine|contains:
            - 'NT AUT' # This covers the usual NT AUTHORITY\SYSTEM
            - ' SYSTEM ' # SYSTEM is a valid value for schtasks hence it gets it's own value with space
    filter:
        # FP from test set in SIGMA
        ParentImage|contains|all:
            - '\AppData\Local\Temp\'
            - 'TeamViewer_.exe'
        Image|endswith: '\schtasks.exe'
        CommandLine|contains: '/TN TVInstallRestore'
    condition: selection and not filter