```yaml
title: Suspicious Modification Of Scheduled Tasks
id: 1c0e41cd-21bb-4433-9acc-4a2cd6367b9b
related:
    - id: 614cf376-6651-47c4-9dcc-6b9527f749f4 # Security-Auditing Eventlog
      type: similar
status: test
description: |
    Detects when an attacker tries to modify an already existing scheduled task to run from a suspicious location.
    Attackers can create a simple looking task in order to avoid detection on creation, as task creation is often the event most closely monitored.
    Instead they modify the task after creation to include their malicious payload.
references:
    - Internal Research
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-28
modified: 2022-11-18
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.t1053.005
logsource:
    product: windows
    category: process_creation
detection:
    selection_schtasks:
        Image|endswith: '\schtasks.exe'
        CommandLine|contains|all:
            - ' /Change '
            - ' /TN '
    selection_susp_locations:
        CommandLine|contains:
            - '\AppData\Local\Temp'
            - '\AppData\Roaming\'
            - '\Users\Public\'
            - '\WINDOWS\Temp\'
            - '\Desktop\'
            - '\Downloads\'
            - '\Temporary Internet'
            - 'C:\ProgramData\'
            - 'C:\Perflogs\'
            - '%ProgramData%'
            - '%appdata%'
            - '%comspec%'
            - '%localappdata%'
    selection_susp_images:
        CommandLine|contains:
            - 'regsvr32'
            - 'rundll32'
            - 'cmd /c '
            - 'cmd /k '
            - 'cmd /r '
            - 'cmd.exe /c '
            - 'cmd.exe /k '
            - 'cmd.exe /r '
            - 'powershell'
            - 'mshta'
            - 'wscript'
            - 'cscript'
            - 'certutil'
            - 'bitsadmin'
            - 'bash.exe'
            - 'bash '
            - 'scrcons'
            - 'wmic '
            - 'wmic.exe'
            - 'forfiles'
            - 'scriptrunner'
            - 'hh.exe'
            - 'hh '
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
```
```kusto
imProcessCreate
| where (TargetProcessName endswith "\\schtasks.exe"
        and (TargetProcessCommandLine contains " /Change " and TargetProcessCommandLine contains " /TN "))
    and (TargetProcessCommandLine contains "\\AppData\\Local\\Temp"
        or TargetProcessCommandLine contains "\\AppData\\Roaming\\"
        or TargetProcessCommandLine contains "\\Users\\Public\\"
        or TargetProcessCommandLine contains "\\WINDOWS\\Temp\\"
        or TargetProcessCommandLine contains "\\Desktop\\"
        or TargetProcessCommandLine contains "\\Downloads\\"
        or TargetProcessCommandLine contains "\\Temporary Internet"
        or TargetProcessCommandLine contains "C:\\ProgramData\\"
        or TargetProcessCommandLine contains "C:\\Perflogs\\"
        or TargetProcessCommandLine contains "%ProgramData%"
        or TargetProcessCommandLine contains "%appdata%"
        or TargetProcessCommandLine contains "%comspec%"
        or TargetProcessCommandLine contains "%localappdata%")
    and (TargetProcessCommandLine contains "regsvr32"
        or TargetProcessCommandLine contains "rundll32"
        or TargetProcessCommandLine contains "cmd /c "
        or TargetProcessCommandLine contains "cmd /k "
        or TargetProcessCommandLine contains "cmd /r "
        or TargetProcessCommandLine contains "cmd.exe /c "
        or TargetProcessCommandLine contains "cmd.exe /k "
        or TargetProcessCommandLine contains "cmd.exe /r "
        or TargetProcessCommandLine contains "powershell"
        or TargetProcessCommandLine contains "mshta"
        or TargetProcessCommandLine contains "wscript"
        or TargetProcessCommandLine contains "cscript"
        or TargetProcessCommandLine contains "certutil"
        or TargetProcessCommandLine contains "bitsadmin"
        or TargetProcessCommandLine contains "bash.exe"
        or TargetProcessCommandLine contains "bash "
        or TargetProcessCommandLine contains "scrcons"
        or TargetProcessCommandLine contains "wmic "
        or TargetProcessCommandLine contains "wmic.exe"
        or TargetProcessCommandLine contains "forfiles"
        or TargetProcessCommandLine contains "scriptrunner"
        or TargetProcessCommandLine contains "hh.exe"
        or TargetProcessCommandLine contains "hh ")
```
| Sentinel Table | Notes |
|---|---|
| imProcessCreate | Ensure this data connector is enabled |
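The following is an added example, not part of the Sigma rule or of the Sentinel conversion above: a plain-Python evaluator for the rule's three selections, run over a handful of constructed process_creation events. It makes the `all of selection_*` condition visible per selection, so a reader can see why a `/Change` that points a task at a LOLBin in `C:\Program Files` does not fire while the same command pointed at `C:\Users\Public` does. The `ProcessCreateEvent` field names (`image`, `command_line`) and the sample command lines are assumptions for this example; the patterns are copied from the rule. Sigma `contains`/`endswith` modifiers are case-insensitive, as are KQL `contains` and `endswith`, so both sides are lowercased before comparison.

```python
"""Added example: evaluate the Sigma rule's selections over constructed events.

Not the project's own code; event field names are assumptions for this example.
"""
from dataclasses import dataclass
from typing import Dict, List

# Patterns copied from selection_susp_locations (backslashes doubled for Python).
SUSP_LOCATIONS = [
    '\\AppData\\Local\\Temp', '\\AppData\\Roaming\\', '\\Users\\Public\\',
    '\\WINDOWS\\Temp\\', '\\Desktop\\', '\\Downloads\\', '\\Temporary Internet',
    'C:\\ProgramData\\', 'C:\\Perflogs\\', '%ProgramData%', '%appdata%',
    '%comspec%', '%localappdata%',
]

# Patterns copied from selection_susp_images.
SUSP_IMAGES = [
    'regsvr32', 'rundll32', 'cmd /c ', 'cmd /k ', 'cmd /r ', 'cmd.exe /c ',
    'cmd.exe /k ', 'cmd.exe /r ', 'powershell', 'mshta', 'wscript', 'cscript',
    'certutil', 'bitsadmin', 'bash.exe', 'bash ', 'scrcons', 'wmic ',
    'wmic.exe', 'forfiles', 'scriptrunner', 'hh.exe', 'hh ',
]


@dataclass
class ProcessCreateEvent:
    """Minimal process_creation event; field names are this example's own."""
    image: str          # Sigma field: Image
    command_line: str   # Sigma field: CommandLine


def evaluate(event: ProcessCreateEvent) -> Dict[str, bool]:
    """Return the outcome of each selection plus the rule's overall condition.

    Sigma string modifiers are case-insensitive, so everything is lowercased.
    """
    image = event.image.lower()
    cmd = event.command_line.lower()
    results = {
        # Image|endswith '\schtasks.exe' AND CommandLine contains all of ' /Change ', ' /TN '
        'selection_schtasks': image.endswith('\\schtasks.exe')
                              and all(p in cmd for p in (' /change ', ' /tn ')),
        # CommandLine contains any suspicious location
        'selection_susp_locations': any(p.lower() in cmd for p in SUSP_LOCATIONS),
        # CommandLine contains any interpreter / LOLBin name
        'selection_susp_images': any(p.lower() in cmd for p in SUSP_IMAGES),
    }
    results['match'] = all(results.values())  # condition: all of selection_*
    return results


# Constructed sample events (not real telemetry). Only the first should alert.
SAMPLE_EVENTS = [
    # 1: existing task retargeted at a PowerShell script in a world-writable path -> alert
    ProcessCreateEvent(
        image=r'C:\Windows\System32\schtasks.exe',
        command_line=r'schtasks.exe /Change /TN "Updater" /TR "powershell.exe -w hidden -File C:\Users\Public\update.ps1"'),
    # 2: task creation, not modification -> selection_schtasks fails
    ProcessCreateEvent(
        image=r'C:\Windows\System32\schtasks.exe',
        command_line=r'schtasks.exe /Create /TN "Backup" /TR "C:\Program Files\Backup\backup.exe" /SC DAILY'),
    # 3: modification to a LOLBin, but the path is not in the suspicious list -> no alert
    ProcessCreateEvent(
        image=r'C:\Windows\System32\schtasks.exe',
        command_line=r'schtasks.exe /Change /TN "Backup" /TR "rundll32.exe C:\Program Files\Backup\helper.dll,Run"'),
    # 4: modification into a suspicious path, but no interpreter/LOLBin in the command -> no alert
    ProcessCreateEvent(
        image=r'C:\Windows\System32\schtasks.exe',
        command_line=r'schtasks.exe /Change /TN "Backup" /TR "C:\ProgramData\Backup\backup.exe"'),
]


def alerts(events: List[ProcessCreateEvent] = SAMPLE_EVENTS) -> List[ProcessCreateEvent]:
    """Return the events for which the rule condition holds."""
    return [e for e in events if evaluate(e)['match']]


if __name__ == '__main__':
    for n, e in enumerate(SAMPLE_EVENTS, 1):
        r = evaluate(e)
        flags = ', '.join(f"{k}={v}" for k, v in r.items())
        print(f"event {n}: {flags}")
```

Events 3 and 4 are the useful ones for tuning: each satisfies two of the three selections, which is exactly the gap the `all of selection_*` condition is meant to keep quiet. When adapting the rule, note that the short substrings in `selection_susp_images` (`'hh '`, `'bash '`) are the most likely sources of noise, since they match inside unrelated task names or arguments.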