Sigma rule · Level: high · Hunting

Scheduled Task Creation Masquerading as System Processes

Detects schtasks.exe /create command lines that reference the name of a Windows system process (for example svchost, lsass or winlogon) as the task name or the task action. Naming a task or its payload after a trusted process is a common way to masquerade a persistence mechanism, and the same command line may show an actor abusing one of those binaries (rundll32, regsvr32, msiexec) to execute a payload.

MITRE ATT&CK

- privilege-escalation
- execution
- persistence
- defense-evasion

Detection Query

selection_img:
  - Image|endswith: \schtasks.exe
  - OriginalFileName: schtasks.exe
selection_cli:
  CommandLine|contains|windash: " /create "
  CommandLine|contains:
    - " audiodg"
    - " conhost"
    - " dwm.exe"
    - " explorer"
    - " lsass"
    - " lsm"
    - " mmc"
    - " msiexec"
    - " regsvr32"
    - " rundll32"
    - " services"
    - " spoolsv"
    - " svchost"
    - " taskeng"
    - " taskhost"
    - " wininit"
    - " winlogon"
condition: all of selection_*
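To see how the two selections combine, here is an added Python re-implementation of the rule above, run over a handful of constructed process-creation events. It is not part of the rule or of the Sigma project; the events are made up for illustration, Sigma's default case-insensitive string matching is emulated by lowercasing, and the set of dash characters expanded for the `windash` modifier (hyphen, slash, en dash, em dash, horizontal bar) is taken from the Sigma specification as I understand it and is an assumption where a particular backend differs.

```python
# Added example: Python re-implementation of the "Scheduled Task Creation
# Masquerading as System Processes" Sigma rule, evaluated over constructed
# events. Not part of the rule; the sample events below are made up.

# Tokens copied from selection_cli. Sigma matches strings case-insensitively,
# so every comparison below is done on lowercased text.
SYSTEM_PROCESS_TOKENS = [
    " audiodg", " conhost", " dwm.exe", " explorer", " lsass", " lsm", " mmc",
    " msiexec", " regsvr32", " rundll32", " services", " spoolsv", " svchost",
    " taskeng", " taskhost", " wininit", " winlogon",
]

# Dash characters the `windash` modifier substitutes for a leading '-' or '/'
# (hyphen, slash, en dash, em dash, horizontal bar). Assumed from the Sigma
# specification; individual backends may expand a slightly different set.
WINDASH = ["-", "/", "\u2013", "\u2014", "\u2015"]


def windash_variants(value: str) -> list[str]:
    """Expand a value such as ' /create ' into every dash spelling, as windash does."""
    stripped = value.lstrip()
    prefix = value[: len(value) - len(stripped)]
    if not stripped or stripped[0] not in "-/":
        return [value]
    return [prefix + dash + stripped[1:] for dash in WINDASH]


def selection_img(event: dict) -> bool:
    """selection_img: Image ends with '\\schtasks.exe' OR OriginalFileName is 'schtasks.exe'."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\schtasks.exe") or original == "schtasks.exe"


def matched_tokens(command_line: str) -> list[str]:
    """Return the selection_cli tokens present in a command line (handy during triage)."""
    cli = command_line.lower()
    return [token.strip() for token in SYSTEM_PROCESS_TOKENS if token in cli]


def selection_cli(event: dict) -> bool:
    """selection_cli: ' /create ' (any windash spelling) AND at least one system-process token."""
    cli = event.get("CommandLine", "").lower()
    has_create = any(variant in cli for variant in windash_variants(" /create "))
    return has_create and matched_tokens(cli) != []


def matches(event: dict) -> bool:
    """condition: all of selection_*"""
    return selection_img(event) and selection_cli(event)


SCHTASKS = r"C:\Windows\System32\schtasks.exe"

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {   # task named after a system process, payload in a user-writable path -> alert
        "name": "task named svchost",
        "Image": SCHTASKS, "OriginalFileName": "schtasks.exe",
        "CommandLine": r"schtasks.exe /create /tn svchost /tr C:\Users\Public\svchost.exe /sc minute /mo 5",
    },
    {   # dashes instead of slashes: still caught because of the windash modifier -> alert
        "name": "dash-style switches",
        "Image": SCHTASKS, "OriginalFileName": "schtasks.exe",
        "CommandLine": r"schtasks -create -tn winlogon -tr C:\ProgramData\wl.exe -sc onlogon",
    },
    {   # renamed copy of schtasks: Image fails but OriginalFileName still matches -> alert
        "name": "renamed schtasks binary",
        "Image": r"C:\Temp\st.exe", "OriginalFileName": "schtasks.exe",
        "CommandLine": r"st.exe /Create /TN LSASS /TR C:\Temp\l.exe /SC ONSTART",
    },
    {   # no /create, so a query against an existing task named svchost -> no alert
        "name": "query only",
        "Image": SCHTASKS, "OriginalFileName": "schtasks.exe",
        "CommandLine": r"schtasks.exe /query /tn svchost",
    },
    {   # ordinary admin task with no system-process name on the command line -> no alert
        "name": "benign backup task",
        "Image": SCHTASKS, "OriginalFileName": "schtasks.exe",
        "CommandLine": r"schtasks.exe /create /tn Backup /tr C:\Scripts\backup.cmd /sc daily",
    },
    {   # same masquerade with every value quoted: the leading-space tokens miss it -> no alert
        "name": "quoted task name",
        "Image": SCHTASKS, "OriginalFileName": "schtasks.exe",
        "CommandLine": r'schtasks.exe /create /tn "lsass" /tr "C:\ProgramData\lsass.exe" /sc onstart',
    },
]


def run_rule(events: list[dict]) -> dict[str, bool]:
    """Evaluate the rule over a list of events, keyed by the event's label."""
    return {event["name"]: matches(event) for event in events}


if __name__ == "__main__":
    for name, hit in run_rule(SAMPLE_EVENTS).items():
        print(f"{'ALERT' if hit else '   ok'}  {name}")
```

The last sample is the caveat worth knowing before tuning: every token in selection_cli starts with a space, so a task name or action that is immediately preceded by a quote or a path separator (`/tn "lsass"`, `\lsass.exe`) does not match. That keeps the token list from firing on every `C:\Windows\System32\svchost.exe` path, but it also means a quoted masquerade slips past; pair this rule with one that inspects the task's registered action (Sysmon task-creation telemetry or Security event 4698) if that gap matters in your environment. The Image/OriginalFileName gate also means tasks registered through PowerShell's scheduled-task cmdlets or the COM API are outside this rule's scope by design.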

Author

Swachchhanda Shrawan Poudel (Nextron Systems)

Created

2025-02-05

Data Sources

windows: Process Creation Events

Platforms

windows

Tags

- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.t1053.005
- attack.defense-evasion
- attack.t1036.004
- attack.t1036.005

Raw Content
title: Scheduled Task Creation Masquerading as System Processes
id: 9f8573c9-22b4-40e3-89c1-72bc2b8d49ab
status: experimental
description: Detects the creation of scheduled tasks that involve system processes, which may indicate malicious actors masquerading as or abusing these processes to execute payloads or maintain persistence.
references:
    - https://tria.ge/241015-l98snsyeje/behavioral2
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-02-05
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1053.005
    - attack.defense-evasion
    - attack.t1036.004
    - attack.t1036.005
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\schtasks.exe'
        - OriginalFileName: 'schtasks.exe'
    selection_cli:
        CommandLine|contains|windash: ' /create '
        CommandLine|contains:
            - ' audiodg'
            - ' conhost'
            - ' dwm.exe'
            - ' explorer'
            - ' lsass'
            - ' lsm'
            - ' mmc'
            - ' msiexec'
            - ' regsvr32'
            - ' rundll32'
            - ' services'
            - ' spoolsv'
            - ' svchost'
            - ' taskeng'
            - ' taskhost'
            - ' wininit'
            - ' winlogon'
    condition: all of selection_*
falsepositives:
    - Legitimate system administration tasks scheduling trusted system processes.
level: high