EXPLORE
Sign In
← Back to Explore
sigmahighHunting

Schtasks Creation Or Modification With SYSTEM Privileges

Detects the creation or update of a scheduled task to run with "NT AUTHORITY\SYSTEM" privileges

MITRE ATT&CK

T1053.005
privilege-escalationexecutionpersistence

Detection Query

selection_root:
  Image|endswith: \schtasks.exe
  CommandLine|contains:
    - " /change "
    - " /create "
selection_run:
  CommandLine|contains: "/ru "
selection_user:
  CommandLine|contains:
    - NT AUT
    - " SYSTEM "
filter_optional_teamviewer:
  Image|endswith: \schtasks.exe
  CommandLine|contains|all:
    - /TN TVInstallRestore
    - \TeamViewer_.exe
filter_optional_office:
  CommandLine|contains|all:
    - Subscription Heartbeat
    - \HeartbeatConfig.xml
    - \Microsoft Shared\OFFICE
filter_optional_avira:
  CommandLine|contains:
    - "/Create /F /RU System /SC WEEKLY /TN AviraSystemSpeedupVerify /TR "
    - :\Program Files (x86)\Avira\System Speedup\setup\avira_speedup_setup.exe
    - /VERIFY /VERYSILENT /NOSTART /NODOTNET /NORESTART" /RL HIGHEST
condition: all of selection_* and not 1 of filter_optional_*

Author

Nasreddine Bencherchali (Nextron Systems)

Created

2022-07-28

Data Sources

windowsProcess Creation Events

Platforms

windows

References

Tags

attack.privilege-escalationattack.executionattack.persistenceattack.t1053.005
Raw Content
title: Schtasks Creation Or Modification With SYSTEM Privileges
id: 89ca78fd-b37c-4310-b3d3-81a023f83936
status: test
description: Detects the creation or update of a scheduled task to run with "NT AUTHORITY\SYSTEM" privileges
references:
    - https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-28
modified: 2025-02-15
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1053.005
logsource:
    product: windows
    category: process_creation
detection:
    selection_root:
        Image|endswith: '\schtasks.exe'
        CommandLine|contains:
            - ' /change '
            - ' /create '
    selection_run:
        CommandLine|contains: '/ru '
    selection_user:
        CommandLine|contains:
            - 'NT AUT' # This covers the usual NT AUTHORITY\SYSTEM
            - ' SYSTEM ' # SYSTEM is a valid value for schtasks hence it gets it's own value with space
    filter_optional_teamviewer:
        # FP from test set in SIGMA
        # Cannot use ParentImage on all OSes for 4688 events
        # ParentImage|contains|all:
        #     - '\AppData\Local\Temp\'
        #     - 'TeamViewer_.exe'
        Image|endswith: '\schtasks.exe'
        CommandLine|contains|all:
            - '/TN TVInstallRestore'
            - '\TeamViewer_.exe'
    filter_optional_office:
        CommandLine|contains|all:
            # https://answers.microsoft.com/en-us/msoffice/forum/all/office-15-subscription-heartbeat-task-created-on/43ab5e53-a9fb-47c6-8c14-44889974b9ff
            - 'Subscription Heartbeat'
            - '\HeartbeatConfig.xml'
            - '\Microsoft Shared\OFFICE'
    filter_optional_avira:
        CommandLine|contains:
            - '/Create /F /RU System /SC WEEKLY /TN AviraSystemSpeedupVerify /TR '
            - ':\Program Files (x86)\Avira\System Speedup\setup\avira_speedup_setup.exe'
            - '/VERIFY /VERYSILENT /NOSTART /NODOTNET /NORESTART" /RL HIGHEST'
    condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high