EXPLORE
Sign In
← Back to Explore
sigmahighHunting

Suspicious Modification Of Scheduled Tasks

Detects when an attacker tries to modify an already existing scheduled tasks to run from a suspicious location Attackers can create a simple looking task in order to avoid detection on creation as it's often the most focused on Instead they modify the task after creation to include their malicious payload

MITRE ATT&CK

T1053.005
privilege-escalationpersistenceexecution

Detection Query

selection_schtasks:
  Image|endswith: \schtasks.exe
  CommandLine|contains|all:
    - " /Change "
    - " /TN "
selection_susp_locations:
  CommandLine|contains:
    - \AppData\Local\Temp
    - \AppData\Roaming\
    - \Users\Public\
    - \WINDOWS\Temp\
    - \Desktop\
    - \Downloads\
    - \Temporary Internet
    - C:\ProgramData\
    - C:\Perflogs\
    - "%ProgramData%"
    - "%appdata%"
    - "%comspec%"
    - "%localappdata%"
selection_susp_images:
  CommandLine|contains:
    - regsvr32
    - rundll32
    - "cmd /c "
    - "cmd /k "
    - "cmd /r "
    - "cmd.exe /c "
    - "cmd.exe /k "
    - "cmd.exe /r "
    - powershell
    - mshta
    - wscript
    - cscript
    - certutil
    - bitsadmin
    - bash.exe
    - "bash "
    - scrcons
    - "wmic "
    - wmic.exe
    - forfiles
    - scriptrunner
    - hh.exe
    - "hh "
condition: all of selection_*

Author

Nasreddine Bencherchali (Nextron Systems)

Created

2022-07-28

Data Sources

windowsProcess Creation Events

Platforms

windows

References

Tags

attack.privilege-escalationattack.persistenceattack.executionattack.t1053.005
Raw Content
title: Suspicious Modification Of Scheduled Tasks
id: 1c0e41cd-21bb-4433-9acc-4a2cd6367b9b
related:
    - id: 614cf376-6651-47c4-9dcc-6b9527f749f4 # Security-Audting Eventlog
      type: similar
status: test
description: |
    Detects when an attacker tries to modify an already existing scheduled tasks to run from a suspicious location
    Attackers can create a simple looking task in order to avoid detection on creation as it's often the most focused on
    Instead they modify the task after creation to include their malicious payload
references:
    - Internal Research
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-28
modified: 2022-11-18
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.t1053.005
logsource:
    product: windows
    category: process_creation
detection:
    selection_schtasks:
        Image|endswith: '\schtasks.exe'
        CommandLine|contains|all:
            - ' /Change '
            - ' /TN '
    selection_susp_locations:
        CommandLine|contains:
            - '\AppData\Local\Temp'
            - '\AppData\Roaming\'
            - '\Users\Public\'
            - '\WINDOWS\Temp\'
            - '\Desktop\'
            - '\Downloads\'
            - '\Temporary Internet'
            - 'C:\ProgramData\'
            - 'C:\Perflogs\'
            - '%ProgramData%'
            - '%appdata%'
            - '%comspec%'
            - '%localappdata%'
    selection_susp_images:
        CommandLine|contains:
            - 'regsvr32'
            - 'rundll32'
            - 'cmd /c '
            - 'cmd /k '
            - 'cmd /r '
            - 'cmd.exe /c '
            - 'cmd.exe /k '
            - 'cmd.exe /r '
            - 'powershell'
            - 'mshta'
            - 'wscript'
            - 'cscript'
            - 'certutil'
            - 'bitsadmin'
            - 'bash.exe'
            - 'bash '
            - 'scrcons'
            - 'wmic '
            - 'wmic.exe'
            - 'forfiles'
            - 'scriptrunner'
            - 'hh.exe'
            - 'hh '
    condition: all of selection_*
falsepositives:
    - Unknown
level: high