← Back to Explore
sigmahighHunting
Schtasks From Suspicious Folders
Detects scheduled task creations that have suspicious action command and folder combinations
Detection Query
selection_img:
- Image|endswith: \schtasks.exe
- OriginalFileName: schtasks.exe
selection_create:
CommandLine|contains: " /create "
selection_command:
CommandLine|contains:
- powershell
- pwsh
- "cmd /c "
- "cmd /k "
- "cmd /r "
- "cmd.exe /c "
- "cmd.exe /k "
- "cmd.exe /r "
selection_all_folders:
CommandLine|contains:
- C:\ProgramData\
- "%ProgramData%"
condition: all of selection_*
Author
Florian Roth (Nextron Systems)
Created
2022-04-15
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.privilege-escalationattack.persistenceattack.executionattack.t1053.005
Raw Content
title: Schtasks From Suspicious Folders
id: 8a8379b8-780b-4dbf-b1e9-31c8d112fefb
status: test
description: Detects scheduled task creations that have suspicious action command and folder combinations
references:
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-dream-job-chemical
author: Florian Roth (Nextron Systems)
date: 2022-04-15
modified: 2022-11-18
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.t1053.005
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith: '\schtasks.exe'
- OriginalFileName: 'schtasks.exe'
selection_create:
CommandLine|contains: ' /create '
selection_command:
CommandLine|contains:
- 'powershell'
- 'pwsh'
- 'cmd /c '
- 'cmd /k '
- 'cmd /r '
- 'cmd.exe /c '
- 'cmd.exe /k '
- 'cmd.exe /r '
selection_all_folders:
CommandLine|contains:
- 'C:\ProgramData\'
- '%ProgramData%'
condition: all of selection_*
falsepositives:
- Unknown
level: high