Detectionmediumtest
Scheduled Task Executed Uncommon LOLBIN
Detects the execution of Scheduled Tasks where the program being run is located in a suspicious location or where it is an unusual program to be run from a Scheduled Task
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Nasreddine Bencherchali (Nextron Systems)Created Mon Dec 05Updated Tue Feb 07f0767f15-0fb3-44b9-851e-e8d9a6d0005dwindows
Log Source
Windowstaskscheduler
ProductWindows← raw: windows
Servicetaskscheduler← raw: taskscheduler
Definition
Requirements: The "Microsoft-Windows-TaskScheduler/Operational" is disabled by default and needs to be enabled in order for this detection to trigger
Detection Logic
Detection Logic1 selector
detection:
selection:
EventID: 129 # Created Task Process
Path|endswith:
- '\calc.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\mspaint.exe'
- '\notepad.exe'
- '\regsvr32.exe'
# - '\rundll32.exe'
- '\wscript.exe'
# filter_system:
# Path|endswith: '\rundll32.exe'
# TaskName|startswith: '\Microsoft\Windows\'
# condition: selection and not 1 of filter_*
condition: selectionFalse Positives
False positives may occur with some of the selected binaries if you have tasks using them (which could be very common in your environment). Exclude all the specific trusted tasks before using this rule
References
1
Resolving title…
Internal ResearchMITRE ATT&CK
Rule Metadata
Rule ID
f0767f15-0fb3-44b9-851e-e8d9a6d0005d
Status
test
Level
medium
Type
Detection
Created
Mon Dec 05
Modified
Tue Feb 07
Path
rules/windows/builtin/taskscheduler/win_taskscheduler_lolbin_execution_via_task_scheduler.yml
Raw Tags
attack.privilege-escalationattack.executionattack.persistenceattack.t1053.005