Detects scheduled task creation using “schtasks” that contain potentially suspicious or uncommon commands
# Sigma rule (process_creation, Windows). Indentation restored to the usual
# 4-space Sigma layout; values are unchanged.
title: Suspicious Command Patterns In Scheduled Task Creation
id: f2c64357-b1d2-41b7-849f-34d2682c0fad
status: test
description: Detects scheduled task creation using "schtasks" that contain potentially suspicious or uncommon commands
references:
    - https://app.any.run/tasks/512c1352-6380-4436-b27d-bb62f0c020d6/
    - https://twitter.com/RedDrip7/status/1506480588827467785
    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf
author: Florian Roth (Nextron Systems)
date: 2022-02-23
modified: 2024-03-19
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.t1053.005
logsource:
    product: windows
    category: process_creation
detection:
    # Base selection: every branch of the condition below is AND-ed with this one,
    # so only schtasks.exe invocations that create a task are considered at all.
    # Sigma string modifiers (contains/endswith) match case-insensitively by default.
    selection_schtasks:
        Image|endswith: '\schtasks.exe'
        CommandLine|contains: '/Create '
    # Branch 1 ("all of selection_pattern_*"): BOTH pattern_1 and pattern_2 must match,
    # i.e. a minute-interval or SYSTEM-run task whose action launches a cmd shell.
    selection_pattern_1:
        CommandLine|contains:
            - '/sc minute '
            # NOTE(review): the trailing space means this value does not match when it
            # is the last thing on the command line — confirm this is intended.
            - '/ru system '
    selection_pattern_2:
        CommandLine|contains:
            - 'cmd /c'
            - 'cmd /k'
            - 'cmd /r'
            - 'cmd.exe /c '
            - 'cmd.exe /k '
            - 'cmd.exe /r '
    # Branch 2: any single one of these substrings is enough on its own
    # (encoded/hidden PowerShell switches, download cmdlets, mshta with a URL).
    # Leading/trailing spaces are part of the values and narrow the match.
    selection_uncommon:
        CommandLine|contains:
            - ' -decode '
            - ' -enc '
            - ' -w hidden '
            - ' bypass '
            - ' IEX'
            - '.DownloadData'
            - '.DownloadFile'
            - '.DownloadString'
            - '/c start /min ' # https://twitter.com/RedDrip7/status/1506480588827467785
            - 'FromBase64String'
            - 'mshta http'
            - 'mshta.exe http'
    # Branch 3 ("all of selection_anomaly_*"): BOTH a user-writable / temporary
    # location AND a script host or curl must appear in the command line.
    selection_anomaly_1:
        CommandLine|contains:
            - ':\ProgramData\'
            - ':\Temp\'
            - ':\Tmp\'
            - ':\Users\Public\'
            - ':\Windows\Temp\'
            - '\AppData\'
            - '%AppData%'
            - '%Temp%'
            - '%tmp%'
    selection_anomaly_2:
        CommandLine|contains:
            - 'cscript'
            - 'curl'
            - 'wscript'
    # schtasks /Create AND (branch 1 OR branch 2 OR branch 3)
    condition: selection_schtasks and ( all of selection_pattern_* or selection_uncommon or all of selection_anomaly_* )
falsepositives:
    - Software installers that run from temporary folders and also install scheduled tasks are expected to generate some false positives
level: high
// Microsoft Sentinel (ASIM) translation of the Sigma rule above.
// imProcessCreate is the ASIM process-creation parser; TargetProcessName and
// TargetProcessCommandLine are its normalized fields for the created process.
// KQL `contains` / `endswith` are case-insensitive (the `_cs` variants are not),
// which mirrors Sigma's default matching. Inside double-quoted KQL string
// literals a backslash is escaped, so "\\" is one literal backslash.
// The expression is the original one-liner, only re-broken across lines.
imProcessCreate
| where (TargetProcessName endswith "\\schtasks.exe" and TargetProcessCommandLine contains "/Create ") // selection_schtasks
    and (
        // all of selection_pattern_*: minute-interval or SYSTEM task AND a cmd shell action
        ((TargetProcessCommandLine contains "/sc minute " or TargetProcessCommandLine contains "/ru system ") and (TargetProcessCommandLine contains "cmd /c" or TargetProcessCommandLine contains "cmd /k" or TargetProcessCommandLine contains "cmd /r" or TargetProcessCommandLine contains "cmd.exe /c " or TargetProcessCommandLine contains "cmd.exe /k " or TargetProcessCommandLine contains "cmd.exe /r "))
        // selection_uncommon: any one of these is sufficient
        or (TargetProcessCommandLine contains " -decode " or TargetProcessCommandLine contains " -enc " or TargetProcessCommandLine contains " -w hidden " or TargetProcessCommandLine contains " bypass " or TargetProcessCommandLine contains " IEX" or TargetProcessCommandLine contains ".DownloadData" or TargetProcessCommandLine contains ".DownloadFile" or TargetProcessCommandLine contains ".DownloadString" or TargetProcessCommandLine contains "/c start /min " or TargetProcessCommandLine contains "FromBase64String" or TargetProcessCommandLine contains "mshta http" or TargetProcessCommandLine contains "mshta.exe http")
        // all of selection_anomaly_*: user-writable/temp location AND script host or curl
        or ((TargetProcessCommandLine contains ":\\ProgramData\\" or TargetProcessCommandLine contains ":\\Temp\\" or TargetProcessCommandLine contains ":\\Tmp\\" or TargetProcessCommandLine contains ":\\Users\\Public\\" or TargetProcessCommandLine contains ":\\Windows\\Temp\\" or TargetProcessCommandLine contains "\\AppData\\" or TargetProcessCommandLine contains "%AppData%" or TargetProcessCommandLine contains "%Temp%" or TargetProcessCommandLine contains "%tmp%") and (TargetProcessCommandLine contains "cscript" or TargetProcessCommandLine contains "curl" or TargetProcessCommandLine contains "wscript"))
    )
| Sentinel Table | Notes |
|---|---|
| imProcessCreate | Ensure this data connector is enabled |