← Back to Explore
sigmamediumHunting
Suspicious Schtasks Schedule Type With High Privileges
Detects scheduled task creations or modification to be run with high privileges on a suspicious schedule type
Detection Query
selection_img:
- Image|endswith: \schtasks.exe
- OriginalFileName: schtasks.exe
selection_time:
CommandLine|contains:
- " ONLOGON "
- " ONSTART "
- " ONCE "
- " ONIDLE "
selection_privs:
CommandLine|contains:
- NT AUT
- " SYSTEM"
- HIGHEST
condition: all of selection_*
Author
Nasreddine Bencherchali (Nextron Systems)
Created
2022-08-31
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.privilege-escalationattack.persistenceattack.executionattack.t1053.005
Raw Content
title: Suspicious Schtasks Schedule Type With High Privileges
id: 7a02e22e-b885-4404-b38b-1ddc7e65258a
related:
- id: 24c8392b-aa3c-46b7-a545-43f71657fe98
type: similar
status: test
description: Detects scheduled task creations or modification to be run with high privileges on a suspicious schedule type
references:
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-31
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.t1053.005
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith: '\schtasks.exe'
- OriginalFileName: 'schtasks.exe'
selection_time:
CommandLine|contains:
- ' ONLOGON '
- ' ONSTART '
- ' ONCE '
- ' ONIDLE '
selection_privs:
CommandLine|contains:
- 'NT AUT' # This covers the usual NT AUTHORITY\SYSTEM
- ' SYSTEM' # SYSTEM is a valid value for schtasks hence it gets it's own value with space
- 'HIGHEST'
condition: all of selection_*
falsepositives:
- Some installers were seen using this method of creation unfortunately. Filter them in your environment
level: medium