related
high
Windows Binaries Write Suspicious Extensions
Detects Windows executables that write files with suspicious extensions
status test
author Nasreddine Bencherchali (Nextron Systems)
id b8fd0e93-ff58-4cbd-8f48-1c114e342e62
license Sigma · DRL-1.1
view Sigma YAML
title: Windows Binaries Write Suspicious Extensions
id: b8fd0e93-ff58-4cbd-8f48-1c114e342e62
related:
- id: 1277f594-a7d1-4f28-a2d3-73af5cbeab43
type: derived
status: test
description: Detects Windows executables that write files with suspicious extensions
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-12
modified: 2025-10-07
tags:
- attack.stealth
- attack.t1036
logsource:
category: file_event
product: windows
detection:
selection_generic:
Image|endswith:
- '\csrss.exe'
- '\lsass.exe'
- '\RuntimeBroker.exe'
- '\sihost.exe'
- '\smss.exe'
- '\wininit.exe'
- '\winlogon.exe'
TargetFilename|endswith:
- '.bat'
- '.dll'
- '.exe'
- '.hta'
- '.iso'
- '.ps1'
- '.txt'
- '.vbe'
- '.vbs'
selection_special:
Image|endswith:
- '\dllhost.exe'
- '\rundll32.exe'
- '\svchost.exe'
TargetFilename|endswith:
- '.bat'
- '.hta'
- '.iso'
- '.ps1'
- '.vbe'
- '.vbs'
filter_main_AppLockerPolicyTest:
Image: 'C:\Windows\System32\dllhost.exe'
TargetFilename|contains|all:
- ':\Users\'
- '\AppData\Local\Temp\__PSScriptPolicyTest_'
TargetFilename|endswith: '.ps1'
filter_main_script_gpo_machine:
Image: 'C:\Windows\system32\svchost.exe'
TargetFilename|contains|all:
- 'C:\Windows\System32\GroupPolicy\DataStore\'
- '\sysvol\'
- '\Policies\'
- '\Machine\Scripts\Startup\'
TargetFilename|endswith:
- '.ps1'
- '.bat'
filter_main_clipchamp:
Image: 'C:\Windows\system32\svchost.exe'
TargetFilename|contains|all:
- 'C:\Program Files\WindowsApps\Clipchamp'
- '.ps1'
filter_main_powershell_preview:
Image:
- 'C:\Windows\system32\svchost.exe'
- 'C:\Windows\SysWOW64\svchost.exe'
TargetFilename|startswith:
- 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview'
- 'C:\Program Files (x86)\WindowsApps\Microsoft.PowerShellPreview'
TargetFilename|endswith: '.ps1'
condition: 1 of selection_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
related
high
Renamed CreateDump Utility Execution
Detects uses of a renamed legitimate createdump.exe LOLOBIN utility to dump process memory
status test
author Florian Roth (Nextron Systems)
id 1a1ed54a-2ba4-4221-94d5-01dee560d71e
license Sigma · DRL-1.1
view Sigma YAML
title: Renamed CreateDump Utility Execution
id: 1a1ed54a-2ba4-4221-94d5-01dee560d71e
related:
- id: 515c8be5-e5df-4c5e-8f6d-a4a2f05e4b48
type: similar
status: test
description: Detects uses of a renamed legitimate createdump.exe LOLOBIN utility to dump process memory
references:
- https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/
- https://twitter.com/bopin2020/status/1366400799199272960
author: Florian Roth (Nextron Systems)
date: 2022-09-20
modified: 2023-02-14
tags:
- attack.stealth
- attack.t1036
- attack.t1003.001
- attack.credential-access
logsource:
category: process_creation
product: windows
detection:
selection_pe:
OriginalFileName: 'FX_VER_INTERNALNAME_STR'
selection_cli:
- CommandLine|contains|all:
- ' -u ' # Short version of '--full'
- ' -f ' # Short version of '--name'
- '.dmp'
- CommandLine|contains|all:
- ' --full ' # Short version of '--full'
- ' --name ' # Short version of '--name'
- '.dmp'
filter:
Image|endswith: '\createdump.exe'
condition: 1 of selection_* and not filter
falsepositives:
- Command lines that use the same flags
level: high
related
high
Forfiles.EXE Child Process Masquerading
Detects the execution of "forfiles" from a non-default location, in order to potentially spawn a custom "cmd.exe" from the current working directory.
status test
author Nasreddine Bencherchali (Nextron Systems), Anish Bogati
id f53714ec-5077-420e-ad20-907ff9bb2958
license Sigma · DRL-1.1
view Sigma YAML
title: Forfiles.EXE Child Process Masquerading
id: f53714ec-5077-420e-ad20-907ff9bb2958
status: test
description: |
Detects the execution of "forfiles" from a non-default location, in order to potentially spawn a custom "cmd.exe" from the current working directory.
references:
- https://www.hexacorn.com/blog/2023/12/31/1-little-known-secret-of-forfiles-exe/
author: Nasreddine Bencherchali (Nextron Systems), Anish Bogati
date: 2024-01-05
tags:
- attack.stealth
- attack.t1036
logsource:
category: process_creation
product: windows
detection:
selection:
# Notes:
# - The parent must not have CLI options
# - The Child Image must be named "cmd" as its hardcoded in the "forfiles" binary
# - The Child CLI will always contains "/c echo" as its hardcoded in the original "forfiles" binary
ParentCommandLine|endswith:
- '.exe'
- '.exe"'
Image|endswith: '\cmd.exe'
CommandLine|startswith: '/c echo "'
filter_main_parent_not_sys:
ParentImage|contains:
- ':\Windows\System32\'
- ':\Windows\SysWOW64\'
ParentImage|endswith: '\forfiles.exe'
Image|contains:
- ':\Windows\System32\'
- ':\Windows\SysWOW64\'
Image|endswith: '\cmd.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
related
high
CreateDump Process Dump
Detects uses of the createdump.exe LOLOBIN utility to dump process memory
status test
author Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
id 515c8be5-e5df-4c5e-8f6d-a4a2f05e4b48
license Sigma · DRL-1.1
view Sigma YAML
title: CreateDump Process Dump
id: 515c8be5-e5df-4c5e-8f6d-a4a2f05e4b48
related:
- id: 1a1ed54a-2ba4-4221-94d5-01dee560d71e
type: similar
status: test
description: Detects uses of the createdump.exe LOLOBIN utility to dump process memory
references:
- https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/
- https://twitter.com/bopin2020/status/1366400799199272960
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-01-04
modified: 2022-08-19
tags:
- attack.stealth
- attack.t1036
- attack.t1003.001
- attack.credential-access
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\createdump.exe'
- OriginalFileName: 'FX_VER_INTERNALNAME_STR'
selection_cli:
CommandLine|contains:
- ' -u ' # Short version of '--full'
- ' --full '
- ' -f ' # Short version of '--name'
- ' --name '
- '.dmp '
condition: all of selection_*
falsepositives:
- Command lines that use the same flags
level: high
related
high
Process Memory Dump Via Comsvcs.DLL
Detects a process memory dump via "comsvcs.dll" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)
status test
author Florian Roth (Nextron Systems), Modexp, Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
id 646ea171-dded-4578-8a4d-65e9822892e3
license Sigma · DRL-1.1
view Sigma YAML
title: Process Memory Dump Via Comsvcs.DLL
id: 646ea171-dded-4578-8a4d-65e9822892e3
related:
- id: 09e6d5c0-05b8-4ff8-9eeb-043046ec774c
type: obsolete
status: test
description: Detects a process memory dump via "comsvcs.dll" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)
references:
- https://twitter.com/shantanukhande/status/1229348874298388484
- https://twitter.com/pythonresponder/status/1385064506049630211?s=21
- https://twitter.com/Hexacorn/status/1224848930795552769
- https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/
- https://twitter.com/SBousseaden/status/1167417096374050817
- https://twitter.com/Wietze/status/1542107456507203586
- https://github.com/Hackndo/lsassy/blob/14d8f8ae596ecf22b449bfe919829173b8a07635/lsassy/dumpmethod/comsvcs.py
- https://www.youtube.com/watch?v=52tAmVLg1KM&t=2070s
author: Florian Roth (Nextron Systems), Modexp, Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2020-02-18
modified: 2025-02-23
tags:
- attack.credential-access
- attack.stealth
- attack.t1036
- attack.t1003.001
- car.2013-05-009
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\rundll32.exe'
- OriginalFileName: 'RUNDLL32.EXE'
- CommandLine|contains: 'rundll32'
selection_cli_1:
CommandLine|contains|all:
- 'comsvcs'
- 'full'
CommandLine|contains:
- '#-'
- '#+'
- '#24'
- '24 '
- 'MiniDump' # Matches MiniDump and MinidumpW
- '#65560' # ordinal is 16 bit ordinal, so if you make the number large enough (don't fit in 16 bit space), then it normally wraps around. for e.g ordinal 24 can be also represented by 65560 (65536+24)
selection_generic:
CommandLine|contains|all:
- '24'
- 'comsvcs'
- 'full'
CommandLine|contains:
- ' #'
- ',#'
- ', #'
- '"#'
condition: (selection_img and 1 of selection_cli_*) or selection_generic
falsepositives:
- Unlikely
level: high
related
high
Process Execution From A Potentially Suspicious Folder
Detects a potentially suspicious execution from an uncommon folder.
status test
author Florian Roth (Nextron Systems), Tim Shelton
id 3dfd06d2-eaf4-4532-9555-68aca59f57c4
license Sigma · DRL-1.1
view Sigma YAML
title: Process Execution From A Potentially Suspicious Folder
id: 3dfd06d2-eaf4-4532-9555-68aca59f57c4
status: test
description: Detects a potentially suspicious execution from an uncommon folder.
references:
- https://github.com/mbevilacqua/appcompatprocessor/blob/6c847937c5a836e2ce2fe2b915f213c345a3c389/AppCompatSearch.txt
- https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses
- https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
- https://github.com/ThreatHuntingProject/ThreatHunting/blob/cb22598bb70651f88e0285abc8d835757d2cb596/hunts/suspicious_process_creation_via_windows_event_logs.md
author: Florian Roth (Nextron Systems), Tim Shelton
date: 2019-01-16
modified: 2024-07-12
tags:
- attack.stealth
- attack.t1036
logsource:
category: process_creation
product: windows
detection:
selection:
Image|contains:
- ':\Perflogs\'
- ':\Users\All Users\'
- ':\Users\Default\'
- ':\Users\NetworkService\'
- ':\Windows\addins\'
- ':\Windows\debug\'
- ':\Windows\Fonts\'
- ':\Windows\Help\'
- ':\Windows\IME\'
- ':\Windows\Media\'
- ':\Windows\repair\'
- ':\Windows\security\'
- ':\Windows\System32\Tasks\'
- ':\Windows\Tasks\'
- '$Recycle.bin'
- '\config\systemprofile\'
- '\Intel\Logs\'
- '\RSA\MachineKeys\'
filter_optional_ibm:
Image|startswith: 'C:\Users\Public\IBM\ClientSolutions\Start_Programs\'
filter_optional_citrix:
Image|startswith: 'C:\Windows\SysWOW64\config\systemprofile\Citrix\UpdaterBinaries\'
Image|endswith: '\CitrixReceiverUpdater.exe'
condition: selection and not 1 of filter_optional_*
falsepositives:
- Unknown
level: high
related
high
Taskmgr as LOCAL_SYSTEM
Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM
status test
author Florian Roth (Nextron Systems)
id 9fff585c-c33e-4a86-b3cd-39312079a65f
license Sigma · DRL-1.1
view Sigma YAML
title: Taskmgr as LOCAL_SYSTEM
id: 9fff585c-c33e-4a86-b3cd-39312079a65f
status: test
description: Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM
references:
- Internal Research
author: Florian Roth (Nextron Systems)
date: 2018-03-18
modified: 2022-05-27
tags:
- attack.stealth
- attack.t1036
logsource:
category: process_creation
product: windows
detection:
selection:
User|contains: # covers many language settings
- 'AUTHORI'
- 'AUTORI'
Image|endswith: '\taskmgr.exe'
condition: selection
falsepositives:
- Unknown
level: high
related
high
HackTool - XORDump Execution
Detects suspicious use of XORDump process memory dumping utility
status test
author Florian Roth (Nextron Systems)
id 66e563f9-1cbd-4a22-a957-d8b7c0f44372
license Sigma · DRL-1.1
view Sigma YAML
title: HackTool - XORDump Execution
id: 66e563f9-1cbd-4a22-a957-d8b7c0f44372
status: test
description: Detects suspicious use of XORDump process memory dumping utility
references:
- https://github.com/audibleblink/xordump
author: Florian Roth (Nextron Systems)
date: 2022-01-28
modified: 2023-02-08
tags:
- attack.stealth
- attack.t1036
- attack.t1003.001
- attack.credential-access
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\xordump.exe'
- CommandLine|contains:
- ' -process lsass.exe '
- ' -m comsvcs '
- ' -m dbghelp '
- ' -m dbgcore '
condition: selection
falsepositives:
- Another tool that uses the command line switches of XORdump
level: high
related
high
Suspicious DumpMinitool Execution
Detects suspicious ways to use the "DumpMinitool.exe" binary
status test
author Florian Roth (Nextron Systems)
id eb1c4225-1c23-4241-8dd4-051389fde4ce
license Sigma · DRL-1.1
view Sigma YAML
title: Suspicious DumpMinitool Execution
id: eb1c4225-1c23-4241-8dd4-051389fde4ce
status: test
description: Detects suspicious ways to use the "DumpMinitool.exe" binary
references:
- https://twitter.com/mrd0x/status/1511415432888131586
- https://twitter.com/mrd0x/status/1511489821247684615
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/
author: Florian Roth (Nextron Systems)
date: 2022-04-06
modified: 2023-04-12
tags:
- attack.credential-access
- attack.stealth
- attack.t1036
- attack.t1003.001
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith:
- '\DumpMinitool.exe'
- '\DumpMinitool.x86.exe'
- '\DumpMinitool.arm64.exe'
- OriginalFileName:
- 'DumpMinitool.exe'
- 'DumpMinitool.x86.exe'
- 'DumpMinitool.arm64.exe'
filter_folder:
Image|contains:
- '\Microsoft Visual Studio\'
- '\Extensions\' # https://github.com/microsoft/vstest/blob/b2e2126f1aa7e5753cafe9515563c99ade6a59ce/src/package/nuspec/Microsoft.TestPlatform.Portable.nuspec#L159
susp_flags:
CommandLine|contains: '.txt'
cmd_has_flags:
CommandLine|contains:
- ' Full'
- ' Mini'
- ' WithHeap'
filter_cmd_misses_flags:
CommandLine|contains: '--dumpType'
condition: selection and ( ( not filter_folder ) or susp_flags or ( cmd_has_flags and not filter_cmd_misses_flags ) )
falsepositives:
- Unknown
level: high
related
high
Potential SysInternals ProcDump Evasion
Detects uses of the SysInternals ProcDump utility in which ProcDump or its output get renamed, or a dump file is moved or copied to a different name
status test
author Florian Roth (Nextron Systems)
id 79b06761-465f-4f88-9ef2-150e24d3d737
license Sigma · DRL-1.1
view Sigma YAML
title: Potential SysInternals ProcDump Evasion
id: 79b06761-465f-4f88-9ef2-150e24d3d737
status: test
description: Detects uses of the SysInternals ProcDump utility in which ProcDump or its output get renamed, or a dump file is moved or copied to a different name
references:
- https://twitter.com/mrd0x/status/1480785527901204481
author: Florian Roth (Nextron Systems)
date: 2022-01-11
modified: 2023-05-09
tags:
- attack.stealth
- attack.t1036
- attack.t1003.001
- attack.credential-access
logsource:
category: process_creation
product: windows
detection:
selection_1:
CommandLine|contains:
- 'copy procdump'
- 'move procdump'
selection_2:
CommandLine|contains|all:
- 'copy '
- '.dmp '
CommandLine|contains:
- '2.dmp'
- 'lsass'
- 'out.dmp'
selection_3:
CommandLine|contains:
- 'copy lsass.exe_' # procdump default pattern e.g. lsass.exe_220111_085234.dmp
- 'move lsass.exe_' # procdump default pattern e.g. lsass.exe_220111_085234.dmp
condition: 1 of selection_*
falsepositives:
- False positives are expected in cases in which ProcDump just gets copied to a different directory without any renaming
level: high
related
high
System File Execution Location Anomaly
Detects the execution of a Windows system binary that is usually located in the system folder from an uncommon location.
status test
author Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)
id e4a6b256-3e47-40fc-89d2-7a477edd6915
license Sigma · DRL-1.1
view Sigma YAML
title: System File Execution Location Anomaly
id: e4a6b256-3e47-40fc-89d2-7a477edd6915
related:
- id: be58d2e2-06c8-4f58-b666-b99f6dc3b6cd # Dedicated SvcHost rule
type: derived
status: test
description: |
Detects the execution of a Windows system binary that is usually located in the system folder from an uncommon location.
references:
- https://twitter.com/GelosSnake/status/934900723426439170
- https://asec.ahnlab.com/en/39828/
- https://www.splunk.com/en_us/blog/security/inno-setup-malware-redline-stealer-campaign.html
author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2017-11-27
modified: 2026-02-12
tags:
- attack.stealth
- attack.t1036
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\atbroker.exe'
- '\audiodg.exe'
- '\bcdedit.exe'
- '\bitsadmin.exe'
- '\certreq.exe'
- '\certutil.exe'
- '\cmstp.exe'
- '\conhost.exe'
- '\consent.exe'
- '\cscript.exe'
- '\csrss.exe'
- '\dashost.exe'
- '\defrag.exe'
- '\dfrgui.exe' # Was seen used by Lazarus Group - https://asec.ahnlab.com/en/39828/
- '\dism.exe'
- '\dllhost.exe'
- '\dllhst3g.exe'
- '\dwm.exe'
- '\eventvwr.exe'
- '\fsquirt.exe' # was seen used by sidewinder APT - https://securelist.com/sidewinder-apt/114089/
- '\finger.exe'
- '\logonui.exe'
- '\LsaIso.exe'
- '\lsass.exe'
- '\lsm.exe'
- '\msiexec.exe'
- '\ntoskrnl.exe'
- '\powershell_ise.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\runonce.exe'
- '\RuntimeBroker.exe'
- '\schtasks.exe'
- '\services.exe'
- '\sihost.exe'
- '\smartscreen.exe'
- '\smss.exe'
- '\spoolsv.exe'
- '\svchost.exe'
- '\taskhost.exe'
- '\taskhostw.exe'
- '\Taskmgr.exe'
- '\userinit.exe'
- '\werfault.exe'
- '\werfaultsecure.exe'
- '\wininit.exe'
- '\winlogon.exe'
- '\winver.exe'
- '\wlanext.exe'
- '\wscript.exe'
- '\wsl.exe'
- '\wsmprovhost.exe' # Was seen used by Lazarus Group - https://asec.ahnlab.com/en/39828/
filter_main_generic:
Image|startswith:
- 'C:\$WINDOWS.~BT\'
- 'C:\$WinREAgent\'
- 'C:\Windows\SoftwareDistribution\'
- 'C:\Windows\System32\'
- 'C:\Windows\SystemTemp\'
- 'C:\Windows\SysWOW64\'
- 'C:\Windows\uus\'
- 'C:\Windows\WinSxS\'
filter_optional_system32:
Image|contains: '\SystemRoot\System32\'
filter_main_powershell:
Image|contains:
- 'C:\Program Files\PowerShell\7\'
- 'C:\Program Files\PowerShell\7-preview\'
- 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview'
- '\AppData\Local\Microsoft\WindowsApps\Microsoft.PowerShellPreview' # pwsh installed from Microsoft Store
Image|endswith: '\pwsh.exe'
filter_main_wsl_programfiles:
Image|startswith:
- 'C:\Program Files\WindowsApps\MicrosoftCorporationII.WindowsSubsystemForLinux'
- 'C:\Program Files\WSL\'
Image|endswith: '\wsl.exe'
filter_main_wsl_appdata:
Image|startswith: C:\Users\'
Image|contains: '\AppData\Local\Microsoft\WindowsApps\'
Image|endswith: '\wsl.exe'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly/info.yml
related
high
Suspicious MSDT Parent Process
Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation
status test
author Nextron Systems
id 7a74da6b-ea76-47db-92cc-874ad90df734
license Sigma · DRL-1.1
view Sigma YAML
title: Suspicious MSDT Parent Process
id: 7a74da6b-ea76-47db-92cc-874ad90df734
status: test
description: Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation
references:
- https://twitter.com/nao_sec/status/1530196847679401984
- https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/
author: Nextron Systems
date: 2022-06-01
modified: 2023-02-06
tags:
- attack.stealth
- attack.t1036
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith:
- '\cmd.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\schtasks.exe'
- '\wmic.exe'
- '\wscript.exe'
- '\wsl.exe'
# Note: office applications are covered by: 438025f9-5856-4663-83f7-52f878a70a50
selection_msdt:
- Image|endswith: '\msdt.exe'
- OriginalFileName: 'msdt.exe'
condition: all of selection_*
falsepositives:
- Unknown
level: high
related
high
Suspicious Windows Update Agent Empty Cmdline
Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags
status test
author Florian Roth (Nextron Systems)
id 52d097e2-063e-4c9c-8fbb-855c8948d135
license Sigma · DRL-1.1
view Sigma YAML
title: Suspicious Windows Update Agent Empty Cmdline
id: 52d097e2-063e-4c9c-8fbb-855c8948d135
status: test
description: |
Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags
references:
- https://redcanary.com/blog/blackbyte-ransomware/
author: Florian Roth (Nextron Systems)
date: 2022-02-26
modified: 2023-11-11
tags:
- attack.stealth
- attack.t1036
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\Wuauclt.exe'
- OriginalFileName: 'Wuauclt.exe'
selection_cli:
CommandLine|endswith:
- 'Wuauclt'
- 'Wuauclt.exe'
condition: all of selection*
falsepositives:
- Unknown
level: high
related
high
Suspicious Calculator Usage
Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion.
status test
author Florian Roth (Nextron Systems)
id 737e618a-a410-49b5-bec3-9e55ff7fbc15
license Sigma · DRL-1.1
view Sigma YAML
title: Suspicious Calculator Usage
id: 737e618a-a410-49b5-bec3-9e55ff7fbc15
status: test
description: |
Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion.
references:
- https://twitter.com/ItsReallyNick/status/1094080242686312448
author: Florian Roth (Nextron Systems)
date: 2019-02-09
modified: 2023-11-09
tags:
- attack.stealth
- attack.t1036
logsource:
category: process_creation
product: windows
detection:
selection_1:
CommandLine|contains: '\calc.exe '
selection_2:
Image|endswith: '\calc.exe'
filter_main_known_locations:
Image|contains:
- ':\Windows\System32\'
- ':\Windows\SysWOW64\'
- ':\Windows\WinSxS\'
condition: selection_1 or ( selection_2 and not filter_main_known_locations )
falsepositives:
- Unknown
level: high
related
high
Potential LSASS Process Dump Via Procdump
Detects potential credential harvesting attempts through LSASS memory dumps using ProcDump.
This rule identifies suspicious command-line patterns that combine memory dump flags (-ma, -mm, -mp) with LSASS-related process markers.
LSASS (Local Security Authority Subsystem Service) contains sensitive authentication data including plaintext passwords, NTLM hashes, and Kerberos tickets in memory.
Attackers commonly dump LSASS memory to extract credentials for lateral movement and privilege escalation.
status stable
author Florian Roth (Nextron Systems)
id 5afee48e-67dd-4e03-a783-f74259dcf998
license Sigma · DRL-1.1
view Sigma YAML
title: Potential LSASS Process Dump Via Procdump
id: 5afee48e-67dd-4e03-a783-f74259dcf998
status: stable
description: |
Detects potential credential harvesting attempts through LSASS memory dumps using ProcDump.
This rule identifies suspicious command-line patterns that combine memory dump flags (-ma, -mm, -mp) with LSASS-related process markers.
LSASS (Local Security Authority Subsystem Service) contains sensitive authentication data including plaintext passwords, NTLM hashes, and Kerberos tickets in memory.
Attackers commonly dump LSASS memory to extract credentials for lateral movement and privilege escalation.
references:
- https://learn.microsoft.com/en-us/sysinternals/downloads/procdump
- https://research.splunk.com/endpoint/3742ebfe-64c2-11eb-ae93-0242ac130002
- https://x.com/wietze/status/1958302556033065292?s=12
author: Florian Roth (Nextron Systems)
date: 2018-10-30
modified: 2025-10-19
tags:
- attack.stealth
- attack.t1036
- attack.credential-access
- attack.t1003.001
- car.2013-05-009
logsource:
category: process_creation
product: windows
detection:
selection_flags:
CommandLine|contains|windash:
- ' -ma '
- ' -mm ' # Mini dump
- ' -mp ' # Miniplus dump
selection_process:
CommandLine|contains:
- ' ls' # Short for lsass
- ' keyiso'
- ' samss'
condition: all of selection_*
falsepositives:
- Unlikely, because no one should dump an lsass process memory
- Another tool that uses command line flags similar to ProcDump
level: high
related
high
Suspicious Child Process Of Wermgr.EXE
Detects suspicious Windows Error Reporting manager (wermgr.exe) child process
status test
author Florian Roth (Nextron Systems)
id 396f6630-f3ac-44e3-bfc8-1b161bc00c4e
license Sigma · DRL-1.1
view Sigma YAML
title: Suspicious Child Process Of Wermgr.EXE
id: 396f6630-f3ac-44e3-bfc8-1b161bc00c4e
related:
- id: 5394fcc7-aeb2-43b5-9a09-cac9fc5edcd5
type: similar
status: test
description: Detects suspicious Windows Error Reporting manager (wermgr.exe) child process
references:
- https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html
- https://www.echotrail.io/insights/search/wermgr.exe
- https://github.com/binderlabs/DirCreate2System
author: Florian Roth (Nextron Systems)
date: 2022-10-14
modified: 2024-08-29
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1055
- attack.t1036
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\wermgr.exe'
Image|endswith:
- '\cmd.exe'
- '\cscript.exe'
- '\ipconfig.exe'
- '\mshta.exe'
- '\net.exe'
- '\net1.exe'
- '\netstat.exe'
- '\nslookup.exe'
- '\powershell_ise.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\systeminfo.exe'
- '\whoami.exe'
- '\wscript.exe'
filter_main_rundll32:
Image|endswith: '\rundll32.exe'
CommandLine|contains|all:
- 'C:\Windows\system32\WerConCpl.dll'
- 'LaunchErcApp '
CommandLine|contains:
- '-queuereporting'
- '-responsepester'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
related
high
Renamed ZOHO Dctask64 Execution
Detects a renamed "dctask64.exe" execution, a signed binary by ZOHO Corporation part of ManageEngine Endpoint Central.
This binary can be abused for DLL injection, arbitrary command and process execution.
status test
author Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
id 340a090b-c4e9-412e-bb36-b4b16fe96f9b
license Sigma · DRL-1.1
view Sigma YAML
title: Renamed ZOHO Dctask64 Execution
id: 340a090b-c4e9-412e-bb36-b4b16fe96f9b
status: test
description: |
Detects a renamed "dctask64.exe" execution, a signed binary by ZOHO Corporation part of ManageEngine Endpoint Central.
This binary can be abused for DLL injection, arbitrary command and process execution.
references:
- https://twitter.com/gN3mes1s/status/1222088214581825540
- https://twitter.com/gN3mes1s/status/1222095963789111296
- https://twitter.com/gN3mes1s/status/1222095371175911424
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2020-01-28
modified: 2025-01-22
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1036
- attack.t1055.001
- attack.t1202
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
Hashes|contains:
- 'IMPHASH=6834B1B94E49701D77CCB3C0895E1AFD'
- 'IMPHASH=1BB6F93B129F398C7C4A76BB97450BBA'
- 'IMPHASH=FAA2AC19875FADE461C8D89DCF2710A3'
- 'IMPHASH=F1039CED4B91572AB7847D26032E6BBF'
filter_main_legit_name:
Image|endswith: '\dctask64.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
related
high
Sdiagnhost Calling Suspicious Child Process
Detects sdiagnhost.exe calling a suspicious child process (e.g. used in exploits for Follina / CVE-2022-30190)
status test
author Nextron Systems, @Kostastsale
id f3d39c45-de1a-4486-a687-ab126124f744
license Sigma · DRL-1.1
view Sigma YAML
title: Sdiagnhost Calling Suspicious Child Process
id: f3d39c45-de1a-4486-a687-ab126124f744
status: test
description: Detects sdiagnhost.exe calling a suspicious child process (e.g. used in exploits for Follina / CVE-2022-30190)
references:
- https://twitter.com/nao_sec/status/1530196847679401984
- https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
- https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/
- https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/
- https://app.any.run/tasks/c4117d9a-f463-461a-b90f-4cd258746798/
author: Nextron Systems, @Kostastsale
date: 2022-06-01
modified: 2024-08-23
tags:
- attack.stealth
- attack.t1036
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\sdiagnhost.exe'
Image|endswith:
# Add more suspicious LOLBins
- '\powershell.exe'
- '\pwsh.exe'
- '\cmd.exe'
- '\mshta.exe'
- '\cscript.exe'
- '\wscript.exe'
- '\taskkill.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
# - '\csc.exe' # https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/
- '\calc.exe' # https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/
filter_main_cmd_bits:
Image|endswith: '\cmd.exe'
CommandLine|contains: 'bits'
filter_main_powershell_noprofile:
Image|endswith: '\powershell.exe'
CommandLine|endswith:
- '-noprofile -'
- '-noprofile'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
related
high
Suspicious Process Parents
Detects suspicious parent processes that should not have any children or should only have a single possible child program
status test
author Florian Roth (Nextron Systems)
id cbec226f-63d9-4eca-9f52-dfb6652f24df
license Sigma · DRL-1.1
view Sigma YAML
title: Suspicious Process Parents
id: cbec226f-63d9-4eca-9f52-dfb6652f24df
status: test
description: Detects suspicious parent processes that should not have any children or should only have a single possible child program
references:
- https://twitter.com/x86matthew/status/1505476263464607744?s=12
- https://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b
author: Florian Roth (Nextron Systems)
date: 2022-03-21
modified: 2022-09-08
tags:
- attack.stealth
- attack.t1036
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith:
- '\minesweeper.exe'
- '\winver.exe'
- '\bitsadmin.exe'
selection_special:
ParentImage|endswith:
- '\csrss.exe'
- '\certutil.exe'
# - '\schtasks.exe'
- '\eventvwr.exe'
- '\calc.exe'
- '\notepad.exe'
filter_special:
Image|endswith:
- '\WerFault.exe'
- '\wermgr.exe'
- '\conhost.exe' # csrss.exe, certutil.exe
- '\mmc.exe' # eventvwr.exe
- '\win32calc.exe' # calc.exe
- '\notepad.exe'
filter_null:
Image: null
condition: selection or ( selection_special and not 1 of filter_* )
falsepositives:
- Unknown
level: high
related
high
Renamed Plink Execution
Detects the execution of a renamed version of the Plink binary
status test
author Nasreddine Bencherchali (Nextron Systems)
id 1c12727d-02bf-45ff-a9f3-d49806a3cf43
license Sigma · DRL-1.1
view Sigma YAML
title: Renamed Plink Execution
id: 1c12727d-02bf-45ff-a9f3-d49806a3cf43
status: test
description: Detects the execution of a renamed version of the Plink binary
references:
- https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/
- https://the.earth.li/~sgtatham/putty/0.58/htmldoc/Chapter7.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-06
modified: 2023-02-03
tags:
- attack.stealth
- attack.t1036
logsource:
category: process_creation
product: windows
detection:
selection:
- OriginalFileName: 'Plink'
- CommandLine|contains|all:
- ' -l forward'
- ' -P '
- ' -R '
filter:
Image|endswith: '\plink.exe'
condition: selection and not filter
falsepositives:
- Unknown
level: high
related
high
Suspicious Process Masquerading As SvcHost.EXE
Detects a suspicious process that is masquerading as the legitimate "svchost.exe" by naming its binary "svchost.exe" and executing from an uncommon location.
Adversaries often disguise their malicious binaries by naming them after legitimate system processes like "svchost.exe" to evade detection.
status test
author Swachchhanda Shrawan Poudel
id be58d2e2-06c8-4f58-b666-b99f6dc3b6cd
license Sigma · DRL-1.1
view Sigma YAML
title: Suspicious Process Masquerading As SvcHost.EXE
id: be58d2e2-06c8-4f58-b666-b99f6dc3b6cd
related:
- id: 01d2e2a1-5f09-44f7-9fc1-24faa7479b6d
type: similar
- id: e4a6b256-3e47-40fc-89d2-7a477edd6915
type: similar
status: test
description: |
Detects a suspicious process that is masquerading as the legitimate "svchost.exe" by naming its binary "svchost.exe" and executing from an uncommon location.
Adversaries often disguise their malicious binaries by naming them after legitimate system processes like "svchost.exe" to evade detection.
references:
- https://tria.ge/240731-jh4crsycnb/behavioral2
- https://redcanary.com/blog/threat-detection/process-masquerading/
author: Swachchhanda Shrawan Poudel
date: 2024-08-07
tags:
- attack.stealth
- attack.t1036.005
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\svchost.exe'
filter_main_img_location:
Image:
- 'C:\Windows\System32\svchost.exe'
- 'C:\Windows\SysWOW64\svchost.exe'
filter_main_ofn:
OriginalFileName: 'svchost.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unlikely
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_svchost_masqueraded_execution/info.yml
related
high
Uncommon Svchost Command Line Parameter
Detects instances of svchost.exe running with an unusual or uncommon command line parameter by excluding known legitimate or common patterns.
This could point at a file masquerading as svchost, a process injection, or hollowing of a legitimate svchost instance.
status experimental
author Liran Ravich
id f17211f1-1f24-4d0c-829f-31e28dc93cdd
license Sigma · DRL-1.1
view Sigma YAML
title: Uncommon Svchost Command Line Parameter
id: f17211f1-1f24-4d0c-829f-31e28dc93cdd
status: experimental
description: |
Detects instances of svchost.exe running with an unusual or uncommon command line parameter by excluding known legitimate or common patterns.
This could point at a file masquerading as svchost, a process injection, or hollowing of a legitimate svchost instance.
references:
- https://cardinalops.com/blog/the-art-of-anomaly-hunting-patterns-detection/
- https://www.security.com/threat-intelligence/blackbyte-exbyte-ransomware
- https://cloud.google.com/blog/topics/threat-intelligence/apt41-initiates-global-intrusion-campaign-using-multiple-exploits/
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf
author: Liran Ravich
date: 2025-11-14
modified: 2026-03-23
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1036.005
- attack.t1055
- attack.t1055.012
logsource:
category: process_creation
product: windows
detection:
selection:
# Example of command to simulate: "C:\Windows\System32\svchost.exe" calc.exe
Image|endswith: '\svchost.exe'
filter_main_flags:
CommandLine|re: '-k\s\w{1,64}(?:\s?(?:-p|-s))?'
filter_main_empty:
CommandLine: ''
filter_main_null:
CommandLine: null
filter_optional_defender:
ParentImage|endswith: '\MsMpEng.exe'
CommandLine|contains: 'svchost.exe'
filter_optional_mrt:
ParentImage|endswith: '\MRT.exe'
CommandLine: 'svchost.exe'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unlikely
level: high
related
high
Potential MsiExec Masquerading
Detects the execution of msiexec.exe from an uncommon directory
status test
author Florian Roth (Nextron Systems)
id e22a6eb2-f8a5-44b5-8b44-a2dbd47b1144
license Sigma · DRL-1.1
view Sigma YAML
title: Potential MsiExec Masquerading
id: e22a6eb2-f8a5-44b5-8b44-a2dbd47b1144
status: test
description: Detects the execution of msiexec.exe from an uncommon directory
references:
- https://twitter.com/200_okay_/status/1194765831911215104
author: Florian Roth (Nextron Systems)
date: 2019-11-14
modified: 2023-02-21
tags:
- attack.stealth
- attack.t1036.005
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\msiexec.exe'
- OriginalFileName: '\msiexec.exe'
filter:
Image|startswith:
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
- 'C:\Windows\WinSxS\'
condition: selection and not filter
falsepositives:
- Unknown
level: high
related
high
Scheduled Task Creation Masquerading as System Processes
Detects the creation of scheduled tasks that involve system processes, which may indicate malicious actors masquerading as or abusing these processes to execute payloads or maintain persistence.
status experimental
author Swachchhanda Shrawan Poudel (Nextron Systems)
id 9f8573c9-22b4-40e3-89c1-72bc2b8d49ab
license Sigma · DRL-1.1
view Sigma YAML
title: Scheduled Task Creation Masquerading as System Processes
id: 9f8573c9-22b4-40e3-89c1-72bc2b8d49ab
status: experimental
description: Detects the creation of scheduled tasks that involve system processes, which may indicate malicious actors masquerading as or abusing these processes to execute payloads or maintain persistence.
references:
- https://tria.ge/241015-l98snsyeje/behavioral2
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-02-05
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.stealth
- attack.t1053.005
- attack.t1036.004
- attack.t1036.005
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\schtasks.exe'
- OriginalFileName: 'schtasks.exe'
selection_cli:
CommandLine|contains|windash: ' /create '
CommandLine|contains:
- ' audiodg'
- ' conhost'
- ' dwm.exe'
- ' explorer'
- ' lsass'
- ' lsm'
- ' mmc'
- ' msiexec'
- ' regsvr32'
- ' rundll32'
- ' services'
- ' spoolsv'
- ' svchost'
- ' taskeng'
- ' taskhost'
- ' wininit'
- ' winlogon'
condition: all of selection_*
falsepositives:
- Legitimate system administration tasks scheduling trusted system processes.
level: high
related
high
Flash Player Update from Suspicious Location
Detects a flashplayer update from an unofficial location
status test
author Florian Roth (Nextron Systems)
id 4922a5dd-6743-4fc2-8e81-144374280997
license Sigma · DRL-1.1
view Sigma YAML
title: Flash Player Update from Suspicious Location
id: 4922a5dd-6743-4fc2-8e81-144374280997
status: test
description: Detects a flashplayer update from an unofficial location
references:
- https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb
author: Florian Roth (Nextron Systems)
date: 2017-10-25
modified: 2022-08-08
tags:
- attack.initial-access
- attack.stealth
- attack.t1189
- attack.execution
- attack.t1204.002
- attack.t1036.005
logsource:
category: proxy
detection:
selection:
- c-uri|contains: '/flash_install.php'
- c-uri|endswith: '/install_flash_player.exe'
filter:
cs-host|endswith: '.adobe.com'
condition: selection and not filter
falsepositives:
- Unknown flash download locations
level: high
related
high
OpenCanary - TFTP Request
Detects instances where a TFTP service on an OpenCanary node has had a request.
status test
author Security Onion Solutions
id b4e6b016-a2ac-4759-ad85-8000b300d61e
license Sigma · DRL-1.1
view Sigma YAML
title: OpenCanary - TFTP Request
id: b4e6b016-a2ac-4759-ad85-8000b300d61e
status: test
description: Detects instances where a TFTP service on an OpenCanary node has had a request.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
- attack.exfiltration
- attack.t1041
logsource:
category: application
product: opencanary
detection:
selection:
logtype: 10001
condition: selection
falsepositives:
- Unlikely
level: high
related
high
Remote Schedule Task Lateral Movement via ATSvc
Detects remote RPC calls to create or execute a scheduled task via ATSvc
status test
author Sagie Dulce, Dekel Paz
id 0fcd1c79-4eeb-4746-aba9-1b458f7a79cb
license Sigma · DRL-1.1
view Sigma YAML
title: Remote Schedule Task Lateral Movement via ATSvc
id: 0fcd1c79-4eeb-4746-aba9-1b458f7a79cb
status: test
description: Detects remote RPC calls to create or execute a scheduled task via ATSvc
references:
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
- https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md
- https://github.com/zeronetworks/rpcfirewall
- https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
- attack.privilege-escalation
- attack.lateral-movement
- attack.execution
- attack.persistence
- attack.t1053
- attack.t1053.002
logsource:
product: rpc_firewall
category: application
definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:1ff70682-0a51-30e8-076d-740be8cee98b"'
detection:
selection:
EventLog: RPCFW
EventID: 3
InterfaceUuid: 1ff70682-0a51-30e8-076d-740be8cee98b
OpNum:
- 0
- 1
condition: selection
falsepositives:
- Unknown
level: high
related
high
Remote Schedule Task Lateral Movement via SASec
Detects remote RPC calls to create or execute a scheduled task via SASec
status test
author Sagie Dulce, Dekel Paz
id aff229ab-f8cd-447b-b215-084d11e79eb0
license Sigma · DRL-1.1
view Sigma YAML
title: Remote Schedule Task Lateral Movement via SASec
id: aff229ab-f8cd-447b-b215-084d11e79eb0
status: test
description: Detects remote RPC calls to create or execute a scheduled task via SASec
references:
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
- https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md
- https://github.com/zeronetworks/rpcfirewall
- https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
- attack.privilege-escalation
- attack.lateral-movement
- attack.execution
- attack.persistence
- attack.t1053
- attack.t1053.002
logsource:
product: rpc_firewall
category: application
definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:378e52b0-c0a9-11cf-822d-00aa0051e40f"'
detection:
selection:
EventLog: RPCFW
EventID: 3
InterfaceUuid: 378e52b0-c0a9-11cf-822d-00aa0051e40f
OpNum:
- 0
- 1
condition: selection
falsepositives:
- Unknown
level: high
related
high
Remote Schedule Task Lateral Movement via ITaskSchedulerService
Detects remote RPC calls to create or execute a scheduled task
status test
author Sagie Dulce, Dekel Paz
id ace3ff54-e7fd-46bd-8ea0-74b49a0aca1d
license Sigma · DRL-1.1
view Sigma YAML
title: Remote Schedule Task Lateral Movement via ITaskSchedulerService
id: ace3ff54-e7fd-46bd-8ea0-74b49a0aca1d
status: test
description: Detects remote RPC calls to create or execute a scheduled task
references:
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
- https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md
- https://github.com/zeronetworks/rpcfirewall
- https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.lateral-movement
- attack.t1053
- attack.t1053.002
logsource:
product: rpc_firewall
category: application
definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:86d35949-83c9-4044-b424-db363231fd0c"'
detection:
selection:
EventLog: RPCFW
EventID: 3
InterfaceUuid: 86d35949-83c9-4044-b424-db363231fd0c
OpNum:
- 1
- 3
- 4
- 10
- 11
- 12
- 13
- 14
- 15
condition: selection
falsepositives:
- Unknown
level: high
related
high
Suspicious Scheduled Task Write to System32 Tasks
Detects the creation of tasks from processes executed from suspicious locations
status test
author Florian Roth (Nextron Systems)
id 80e1f67a-4596-4351-98f5-a9c3efabac95
license Sigma · DRL-1.1
view Sigma YAML
title: Suspicious Scheduled Task Write to System32 Tasks
id: 80e1f67a-4596-4351-98f5-a9c3efabac95
status: test
description: Detects the creation of tasks from processes executed from suspicious locations
references:
- Internal Research
author: Florian Roth (Nextron Systems)
date: 2021-11-16
modified: 2022-01-12
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.t1053
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|contains: '\Windows\System32\Tasks'
Image|contains:
- '\AppData\'
- 'C:\PerfLogs'
- '\Windows\System32\config\systemprofile'
condition: selection
falsepositives:
- Unknown
level: high
related
high
HackTool - CrackMapExec Execution
This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.
status test
author Florian Roth (Nextron Systems)
id 42a993dd-bb3e-48c8-b372-4d6684c4106c
license Sigma · DRL-1.1
view Sigma YAML
title: HackTool - CrackMapExec Execution
id: 42a993dd-bb3e-48c8-b372-4d6684c4106c
status: test
description: This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.
references:
- https://mpgn.gitbook.io/crackmapexec/smb-protocol/authentication/checking-credentials-local
- https://www.mandiant.com/resources/telegram-malware-iranian-espionage
- https://www.infosecmatter.com/crackmapexec-module-library/?cmem=mssql-mimikatz
- https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-pe_inject
author: Florian Roth (Nextron Systems)
date: 2022-02-25
modified: 2023-03-08
tags:
- attack.execution
- attack.persistence
- attack.privilege-escalation
- attack.credential-access
- attack.discovery
- attack.t1047
- attack.t1053
- attack.t1059.003
- attack.t1059.001
- attack.t1110
- attack.t1201
logsource:
category: process_creation
product: windows
detection:
selection_binary:
Image|endswith: '\crackmapexec.exe'
selection_special:
CommandLine|contains: ' -M pe_inject '
selection_execute:
CommandLine|contains|all:
- ' --local-auth'
- ' -u '
- ' -x '
selection_hash:
CommandLine|contains|all:
- ' --local-auth'
- ' -u '
- ' -p '
- " -H 'NTHASH'"
selection_module_mssql:
CommandLine|contains|all:
- ' mssql '
- ' -u '
- ' -p '
- ' -M '
- ' -d '
selection_module_smb1:
CommandLine|contains|all:
- ' smb '
- ' -u '
- ' -H '
- ' -M '
- ' -o '
selection_module_smb2:
CommandLine|contains|all:
- ' smb '
- ' -u '
- ' -p '
- ' --local-auth'
part_localauth_1:
CommandLine|contains|all:
- ' --local-auth'
- ' -u '
- ' -p '
part_localauth_2:
CommandLine|contains|all:
- ' 10.'
- ' 192.168.'
- '/24 '
condition: 1 of selection_* or all of part_localauth*
falsepositives:
- Unknown
level: high
related
high
HackTool - SharPersist Execution
Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms
status test
author Florian Roth (Nextron Systems)
id 26488ad0-f9fd-4536-876f-52fea846a2e4
license Sigma · DRL-1.1
view Sigma YAML
title: HackTool - SharPersist Execution
id: 26488ad0-f9fd-4536-876f-52fea846a2e4
status: test
description: Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms
references:
- https://www.mandiant.com/resources/blog/sharpersist-windows-persistence-toolkit
- https://github.com/mandiant/SharPersist
author: Florian Roth (Nextron Systems)
date: 2022-09-15
modified: 2023-02-04
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.t1053
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\SharPersist.exe'
- Product: 'SharPersist'
selection_cli_1:
CommandLine|contains:
- ' -t schtask -c '
- ' -t startupfolder -c '
selection_cli_2:
CommandLine|contains|all:
- ' -t reg -c '
- ' -m add'
selection_cli_3:
CommandLine|contains|all:
- ' -t service -c '
- ' -m add'
selection_cli_4:
CommandLine|contains|all:
- ' -t schtask -c '
- ' -m add'
condition: 1 of selection_*
falsepositives:
- Unknown
level: high
related
high
HackTool - CrackMapExec Execution Patterns
Detects various execution patterns of the CrackMapExec pentesting framework
status stable
author Thomas Patzke
id 058f4380-962d-40a5-afce-50207d36d7e2
license Sigma · DRL-1.1
view Sigma YAML
title: HackTool - CrackMapExec Execution Patterns
id: 058f4380-962d-40a5-afce-50207d36d7e2
status: stable
description: Detects various execution patterns of the CrackMapExec pentesting framework
references:
- https://github.com/byt3bl33d3r/CrackMapExec
author: Thomas Patzke
date: 2020-05-22
modified: 2023-11-06
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.t1047
- attack.t1053
- attack.t1059.003
- attack.t1059.001
- attack.s0106
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
# cme/protocols/smb/wmiexec.py (generalized execute_remote and execute_fileless)
- 'cmd.exe /Q /c * 1> \\\\*\\*\\* 2>&1'
# cme/protocols/smb/atexec.py:109 (fileless output via share)
- 'cmd.exe /C * > \\\\*\\*\\* 2>&1'
# cme/protocols/smb/atexec.py:111 (fileless output via share)
- 'cmd.exe /C * > *\\Temp\\* 2>&1'
# https://github.com/byt3bl33d3r/CrackMapExec/blob/d8c50c8cbaf36c29329078662473f75e440978d2/cme/helpers/powershell.py#L136 (PowerShell execution with obfuscation)
- 'powershell.exe -exec bypass -noni -nop -w 1 -C "'
# https://github.com/byt3bl33d3r/CrackMapExec/blob/d8c50c8cbaf36c29329078662473f75e440978d2/cme/helpers/powershell.py#L160 (PowerShell execution without obfuscation)
- 'powershell.exe -noni -nop -w 1 -enc '
condition: selection
falsepositives:
- Unknown
level: high
related
high
Scheduled TaskCache Change by Uncommon Program
Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious
status test
author Syed Hasan (@syedhasan009)
id 4720b7df-40c3-48fd-bbdf-fd4b3c464f0d
license Sigma · DRL-1.1
view Sigma YAML
title: Scheduled TaskCache Change by Uncommon Program
id: 4720b7df-40c3-48fd-bbdf-fd4b3c464f0d
status: test
description: Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious
references:
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
- https://labs.f-secure.com/blog/scheduled-task-tampering/
author: Syed Hasan (@syedhasan009)
date: 2021-06-18
modified: 2025-10-22
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.t1053
- attack.t1053.005
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\'
filter_main_empty:
Details: '(Empty)'
filter_main_null:
Details: null
filter_main_other:
TargetObject|contains:
- 'Microsoft\Windows\UpdateOrchestrator'
- 'Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask\Index'
- 'Microsoft\Windows\Flighting\OneSettings\RefreshCache\Index'
filter_main_mousocoreworker:
Image|endswith: 'C:\Windows\System32\MoUsoCoreWorker.exe'
filter_main_services:
Image|endswith: 'C:\Windows\System32\services.exe'
filter_main_tiworker:
Image|startswith: 'C:\Windows\'
Image|endswith: '\TiWorker.exe'
filter_main_svchost:
Image: 'C:\WINDOWS\system32\svchost.exe'
filter_main_ngen:
Image|startswith: 'C:\Windows\Microsoft.NET\Framework' # \Framework\ and \Framework64\
Image|endswith: '\ngen.exe'
TargetObject|contains:
- '\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B66B135D-DA06-4FC4-95F8-7458E1D10129}'
- '\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\.NET Framework\.NET Framework NGEN'
filter_main_office:
Image:
- 'C:\Program Files\Microsoft Office\root\Integration\Integrator.exe'
- 'C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe'
- 'C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe'
- 'C:\Program Files (x86)\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe'
filter_main_msiexec:
Image: 'C:\Windows\System32\msiexec.exe'
filter_main_explorer:
Image: 'C:\Windows\explorer.exe'
TargetObject|contains: '\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\PLA\Server Manager Performance Monitor\'
filter_main_system:
Image: 'System'
filter_main_runtimebroker:
Image: 'C:\Windows\System32\RuntimeBroker.exe'
filter_optional_dropbox_updater:
Image:
- 'C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe'
- 'C:\Program Files\Dropbox\Update\DropboxUpdate.exe'
filter_optional_edge:
Image|endswith:
- 'C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe'
- 'C:\Program Files\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe'
filter_optional_onedrive:
Image|endswith:
- 'C:\Program Files (x86)\Microsoft OneDrive\OneDrive.exe'
- 'C:\Program Files\Microsoft OneDrive\OneDrive.exe'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: high
related
high
Renamed Schtasks Execution
Detects the execution of renamed schtasks.exe binary, which is a legitimate Windows utility used for scheduling tasks.
One of the very common persistence techniques is schedule malicious tasks using schtasks.exe.
Since, it is heavily abused, it is also heavily monitored by security products. To evade detection, threat actors may rename the schtasks.exe binary to schedule their malicious tasks.
status experimental
author Swachchhanda Shrawan Poudel (Nextron Systems)
id f91e51c9-f344-4b32-969b-0b6f6b8537d4
license Sigma · DRL-1.1
view Sigma YAML
title: Renamed Schtasks Execution
id: f91e51c9-f344-4b32-969b-0b6f6b8537d4
status: experimental
description: |
Detects the execution of renamed schtasks.exe binary, which is a legitimate Windows utility used for scheduling tasks.
One of the very common persistence techniques is schedule malicious tasks using schtasks.exe.
Since, it is heavily abused, it is also heavily monitored by security products. To evade detection, threat actors may rename the schtasks.exe binary to schedule their malicious tasks.
references:
- https://x.com/JangPr0/status/1932034543026065833
- https://ss64.com/nt/schtasks.html
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-27
tags:
- attack.execution
- attack.persistence
- attack.privilege-escalation
- attack.stealth
- attack.t1036.003
- attack.t1053.005
logsource:
category: process_creation
product: windows
detection:
selection_cmd_operation:
CommandLine|contains|windash:
- ' /create '
- ' /delete '
- ' /query '
- ' /change '
- ' /run '
- ' /end '
selection_cmd_flags:
CommandLine|contains|windash:
- ' /tn '
- ' /tr '
- ' /sc '
- ' /st '
- ' /ru '
- ' /fo '
selection_pe:
OriginalFileName: 'schtasks.exe'
filter_main_cmd:
CommandLine|contains: 'schtasks'
filter_main_img:
Image|endswith: '\schtasks.exe'
condition: (all of selection_cmd_* and not filter_main_cmd) or (selection_pe and not filter_main_img)
falsepositives:
- Unlikely
level: high
related
high
Schtasks Creation Or Modification With SYSTEM Privileges
Detects the creation or update of a scheduled task to run with "NT AUTHORITY\SYSTEM" privileges
status test
author Nasreddine Bencherchali (Nextron Systems)
id 89ca78fd-b37c-4310-b3d3-81a023f83936
license Sigma · DRL-1.1
view Sigma YAML
title: Schtasks Creation Or Modification With SYSTEM Privileges
id: 89ca78fd-b37c-4310-b3d3-81a023f83936
status: test
description: Detects the creation or update of a scheduled task to run with "NT AUTHORITY\SYSTEM" privileges
references:
- https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-28
modified: 2025-02-15
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.t1053.005
logsource:
product: windows
category: process_creation
detection:
selection_root:
Image|endswith: '\schtasks.exe'
CommandLine|contains:
- ' /change '
- ' /create '
selection_run:
CommandLine|contains: '/ru '
selection_user:
CommandLine|contains:
- 'NT AUT' # This covers the usual NT AUTHORITY\SYSTEM
- ' SYSTEM ' # SYSTEM is a valid value for schtasks hence it gets it's own value with space
filter_optional_teamviewer:
# FP from test set in SIGMA
# Cannot use ParentImage on all OSes for 4688 events
# ParentImage|contains|all:
# - '\AppData\Local\Temp\'
# - 'TeamViewer_.exe'
Image|endswith: '\schtasks.exe'
CommandLine|contains|all:
- '/TN TVInstallRestore'
- '\TeamViewer_.exe'
filter_optional_office:
CommandLine|contains|all:
# https://answers.microsoft.com/en-us/msoffice/forum/all/office-15-subscription-heartbeat-task-created-on/43ab5e53-a9fb-47c6-8c14-44889974b9ff
- 'Subscription Heartbeat'
- '\HeartbeatConfig.xml'
- '\Microsoft Shared\OFFICE'
filter_optional_avira:
CommandLine|contains:
- '/Create /F /RU System /SC WEEKLY /TN AviraSystemSpeedupVerify /TR '
- ':\Program Files (x86)\Avira\System Speedup\setup\avira_speedup_setup.exe'
- '/VERIFY /VERYSILENT /NOSTART /NODOTNET /NORESTART" /RL HIGHEST'
condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: high
related
high
Suspicious Scheduled Task Creation Involving Temp Folder
Detects the creation of scheduled tasks that involves a temporary folder and runs only once
status test
author Florian Roth (Nextron Systems)
id 39019a4e-317f-4ce3-ae63-309a8c6b53c5
license Sigma · DRL-1.1
view Sigma YAML
title: Suspicious Scheduled Task Creation Involving Temp Folder
id: 39019a4e-317f-4ce3-ae63-309a8c6b53c5
status: test
description: Detects the creation of scheduled tasks that involves a temporary folder and runs only once
references:
- https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3
author: Florian Roth (Nextron Systems)
date: 2021-03-11
modified: 2022-10-09
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.t1053.005
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\schtasks.exe'
CommandLine|contains|all:
- ' /create '
- ' /sc once '
- '\Temp\'
condition: selection
falsepositives:
- Administrative activity
- Software installation
level: high
related
high
Scheduled Task Executing Encoded Payload from Registry
Detects the creation of a schtask that potentially executes a base64 encoded payload stored in the Windows Registry using PowerShell.
status test
author pH-T (Nextron Systems), @Kostastsale, TheDFIRReport, X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
id c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78
license Sigma · DRL-1.1
view Sigma YAML
title: Scheduled Task Executing Encoded Payload from Registry
id: c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78
status: test
description: Detects the creation of a schtask that potentially executes a base64 encoded payload stored in the Windows Registry using PowerShell.
references:
- https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
author: pH-T (Nextron Systems), @Kostastsale, TheDFIRReport, X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-02-12
modified: 2023-02-04
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.t1053.005
- attack.t1059.001
logsource:
product: windows
category: process_creation
detection:
selection_img:
# schtasks.exe /Create /F /TN "{97F2F70B-10D1-4447-A2F3-9B070C86E261}" /TR "cmd /c start /min \"\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\SOFTWARE\Pvoeooxf).yzbbvhhdypa))) " /SC MINUTE /MO 30
- Image|endswith: '\schtasks.exe'
- OriginalFileName: 'schtasks.exe'
selection_cli_create:
CommandLine|contains: '/Create'
selection_cli_encoding:
CommandLine|contains:
- 'FromBase64String'
- 'encodedcommand'
selection_cli_get:
CommandLine|contains:
- 'Get-ItemProperty'
- ' gp ' # Alias
selection_cli_hive:
CommandLine|contains:
- 'HKCU:'
- 'HKLM:'
- 'registry::'
- 'HKEY_'
condition: all of selection_*
falsepositives:
- Unlikely
level: high
related
high
Potential Persistence Via Powershell Search Order Hijacking - Task
Detects suspicious powershell execution via a schedule task where the command ends with an suspicious flags to hide the powershell instance instead of executeing scripts or commands. This could be a sign of persistence via PowerShell "Get-Variable" technique as seen being used in Colibri Loader
status test
author pH-T (Nextron Systems), Florian Roth (Nextron Systems)
id b66474aa-bd92-4333-a16c-298155b120df
license Sigma · DRL-1.1
view Sigma YAML
title: Potential Persistence Via Powershell Search Order Hijacking - Task
id: b66474aa-bd92-4333-a16c-298155b120df
related:
- id: 6e8811ee-90ba-441e-8486-5653e68b2299
type: similar
status: test
description: Detects suspicious powershell execution via a schedule task where the command ends with an suspicious flags to hide the powershell instance instead of executeing scripts or commands. This could be a sign of persistence via PowerShell "Get-Variable" technique as seen being used in Colibri Loader
references:
- https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/
author: pH-T (Nextron Systems), Florian Roth (Nextron Systems)
date: 2022-04-08
modified: 2023-02-03
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.t1053.005
- attack.t1059.001
logsource:
product: windows
category: process_creation
detection:
selection:
ParentImage: 'C:\WINDOWS\System32\svchost.exe'
ParentCommandLine|contains|all:
- '-k netsvcs'
- '-s Schedule'
CommandLine|endswith:
- ' -windowstyle hidden'
- ' -w hidden'
- ' -ep bypass'
- ' -noni'
condition: selection
falsepositives:
- Unknown
level: high
related
high
Uncommon One Time Only Scheduled Task At 00:00
Detects scheduled task creation events that include suspicious actions, and is run once at 00:00
status test
author pH-T (Nextron Systems)
id 970823b7-273b-460a-8afc-3a6811998529
license Sigma · DRL-1.1
view Sigma YAML
title: Uncommon One Time Only Scheduled Task At 00:00
id: 970823b7-273b-460a-8afc-3a6811998529
status: test
description: Detects scheduled task creation events that include suspicious actions, and is run once at 00:00
references:
- https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte
author: pH-T (Nextron Systems)
date: 2022-07-15
modified: 2023-02-03
tags:
- attack.execution
- attack.persistence
- attack.privilege-escalation
- attack.t1053.005
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|contains: '\schtasks.exe'
- OriginalFileName: 'schtasks.exe'
selection_cli:
CommandLine|contains:
- 'wscript'
- 'vbscript'
- 'cscript'
- 'wmic '
- 'wmic.exe'
- 'regsvr32.exe'
- 'powershell'
- '\AppData\'
selection_time:
CommandLine|contains|all:
- 'once'
- '00:00'
condition: all of selection_*
falsepositives:
- Software installation
level: high
related
high
Schtasks From Suspicious Folders
Detects scheduled task creations that have suspicious action command and folder combinations
status test
author Florian Roth (Nextron Systems)
id 8a8379b8-780b-4dbf-b1e9-31c8d112fefb
license Sigma · DRL-1.1
view Sigma YAML
title: Schtasks From Suspicious Folders
id: 8a8379b8-780b-4dbf-b1e9-31c8d112fefb
status: test
description: Detects scheduled task creations that have suspicious action command and folder combinations
references:
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-dream-job-chemical
author: Florian Roth (Nextron Systems)
date: 2022-04-15
modified: 2022-11-18
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.t1053.005
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith: '\schtasks.exe'
- OriginalFileName: 'schtasks.exe'
selection_create:
CommandLine|contains: ' /create '
selection_command:
CommandLine|contains:
- 'powershell'
- 'pwsh'
- 'cmd /c '
- 'cmd /k '
- 'cmd /r '
- 'cmd.exe /c '
- 'cmd.exe /k '
- 'cmd.exe /r '
selection_all_folders:
CommandLine|contains:
- 'C:\ProgramData\'
- '%ProgramData%'
condition: all of selection_*
falsepositives:
- Unknown
level: high
related
high
Suspicious Schtasks Execution AppData Folder
Detects the creation of a schtask that executes a file from C:\Users\<USER>\AppData\Local
status test
author pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
id c5c00f49-b3f9-45a6-997e-cfdecc6e1967
license Sigma · DRL-1.1
view Sigma YAML
title: Suspicious Schtasks Execution AppData Folder
id: c5c00f49-b3f9-45a6-997e-cfdecc6e1967
status: test
description: 'Detects the creation of a schtask that executes a file from C:\Users\<USER>\AppData\Local'
references:
- https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-03-15
modified: 2022-07-28
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.t1053.005
- attack.t1059.001
logsource:
product: windows
category: process_creation
detection:
selection:
Image|endswith: '\schtasks.exe'
CommandLine|contains|all:
- '/Create'
- '/RU'
- '/TR'
- 'C:\Users\'
- '\AppData\Local\'
CommandLine|contains:
- 'NT AUT' # This covers the usual NT AUTHORITY\SYSTEM
- ' SYSTEM ' # SYSTEM is a valid value for schtasks hence it gets it's own value with space
filter:
# FP from test set in SIGMA
ParentImage|contains|all:
- '\AppData\Local\Temp\'
- 'TeamViewer_.exe'
Image|endswith: '\schtasks.exe'
CommandLine|contains: '/TN TVInstallRestore'
condition: selection and not filter
falsepositives:
- Unknown
level: high
related
high
Suspicious Schtasks Schedule Types
Detects scheduled task creations or modification on a suspicious schedule type
status test
author Nasreddine Bencherchali (Nextron Systems)
id 24c8392b-aa3c-46b7-a545-43f71657fe98
license Sigma · DRL-1.1
view Sigma YAML
title: Suspicious Schtasks Schedule Types
id: 24c8392b-aa3c-46b7-a545-43f71657fe98
related:
- id: 7a02e22e-b885-4404-b38b-1ddc7e65258a
type: similar
status: test
description: Detects scheduled task creations or modification on a suspicious schedule type
references:
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create
- http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-09
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.t1053.005
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith: '\schtasks.exe'
- OriginalFileName: 'schtasks.exe'
selection_time:
CommandLine|contains:
- ' ONLOGON '
- ' ONSTART '
- ' ONCE '
- ' ONIDLE '
filter_privs:
CommandLine|contains:
- 'NT AUT' # This covers the usual NT AUTHORITY\SYSTEM
- ' SYSTEM' # SYSTEM is a valid value for schtasks hence it gets it's own value with space
- 'HIGHEST'
condition: all of selection_* and not 1 of filter_*
falsepositives:
- Legitimate processes that run at logon. Filter according to your environment
level: high
related
high
Potential SSH Tunnel Persistence Install Using A Scheduled Task
Detects the creation of new scheduled tasks via commandline, using Schtasks.exe. This rule detects tasks creating that call OpenSSH, which may indicate the creation of reverse SSH tunnel to the attacker's server.
status experimental
author Rory Duncan
id 2daa93a0-a5fb-41c5-8cd8-3c11294bfd1f
license Sigma · DRL-1.1
view Sigma YAML
title: Potential SSH Tunnel Persistence Install Using A Scheduled Task
id: 2daa93a0-a5fb-41c5-8cd8-3c11294bfd1f
status: experimental
description: Detects the creation of new scheduled tasks via commandline, using Schtasks.exe. This rule detects tasks creating that call OpenSSH, which may indicate the creation of reverse SSH tunnel to the attacker's server.
references:
- https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
- https://www.kroll.com/en/insights/publications/cyber/cactus-ransomware-prickly-new-variant-evades-detection
author: Rory Duncan
date: 2025-07-14
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.t1053.005
- attack.command-and-control
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith: '\schtasks.exe'
- OriginalFileName: 'schtasks.exe'
selection_cli_sshd:
CommandLine|contains|all:
- ' /create '
- 'sshd.exe'
- '-f'
selection_cli_ssh:
CommandLine|contains|all:
- ' /create '
- 'ssh.exe'
- '-i'
condition: selection_img and 1 of selection_cli_*
falsepositives:
- Unknown
level: high
related
high
HackTool - Default PowerSploit/Empire Scheduled Task Creation
Detects the creation of a schtask via PowerSploit or Empire Default Configuration.
status test
author Markus Neis, @Karneades
id 56c217c3-2de2-479b-990f-5c109ba8458f
license Sigma · DRL-1.1
view Sigma YAML
title: HackTool - Default PowerSploit/Empire Scheduled Task Creation
id: 56c217c3-2de2-479b-990f-5c109ba8458f
status: test
description: Detects the creation of a schtask via PowerSploit or Empire Default Configuration.
references:
- https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1
- https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/powershell/persistence/userland/schtasks.py
author: Markus Neis, @Karneades
date: 2018-03-06
modified: 2023-03-03
tags:
- attack.execution
- attack.persistence
- attack.privilege-escalation
- attack.s0111
- attack.g0022
- attack.g0060
- car.2013-08-001
- attack.t1053.005
- attack.t1059.001
logsource:
product: windows
category: process_creation
detection:
selection:
ParentImage|endswith:
- '\powershell.exe'
- '\pwsh.exe'
Image|endswith: '\schtasks.exe'
CommandLine|contains|all:
- '/Create'
- 'powershell.exe -NonI'
- '/TN Updater /TR'
CommandLine|contains:
- '/SC ONLOGON'
- '/SC DAILY /ST'
- '/SC ONIDLE'
- '/SC HOURLY'
condition: selection
falsepositives:
- Unlikely
level: high
related
high
Suspicious Command Patterns In Scheduled Task Creation
Detects scheduled task creation using "schtasks" that contain potentially suspicious or uncommon commands
status test
author Florian Roth (Nextron Systems)
id f2c64357-b1d2-41b7-849f-34d2682c0fad
license Sigma · DRL-1.1
view Sigma YAML
title: Suspicious Command Patterns In Scheduled Task Creation
id: f2c64357-b1d2-41b7-849f-34d2682c0fad
status: test
description: Detects scheduled task creation using "schtasks" that contain potentially suspicious or uncommon commands
references:
- https://app.any.run/tasks/512c1352-6380-4436-b27d-bb62f0c020d6/
- https://twitter.com/RedDrip7/status/1506480588827467785
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf
author: Florian Roth (Nextron Systems)
date: 2022-02-23
modified: 2024-03-19
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.t1053.005
logsource:
product: windows
category: process_creation
detection:
selection_schtasks:
Image|endswith: '\schtasks.exe'
CommandLine|contains: '/Create '
selection_pattern_1:
CommandLine|contains:
- '/sc minute '
- '/ru system '
selection_pattern_2:
CommandLine|contains:
- 'cmd /c'
- 'cmd /k'
- 'cmd /r'
- 'cmd.exe /c '
- 'cmd.exe /k '
- 'cmd.exe /r '
selection_uncommon:
CommandLine|contains:
- ' -decode '
- ' -enc '
- ' -w hidden '
- ' bypass '
- ' IEX'
- '.DownloadData'
- '.DownloadFile'
- '.DownloadString'
- '/c start /min ' # https://twitter.com/RedDrip7/status/1506480588827467785
- 'FromBase64String'
- 'mshta http'
- 'mshta.exe http'
selection_anomaly_1:
CommandLine|contains:
- ':\ProgramData\'
- ':\Temp\'
- ':\Tmp\'
- ':\Users\Public\'
- ':\Windows\Temp\'
- '\AppData\'
- '%AppData%'
- '%Temp%'
- '%tmp%'
selection_anomaly_2:
CommandLine|contains:
- 'cscript'
- 'curl'
- 'wscript'
condition: selection_schtasks and ( all of selection_pattern_* or selection_uncommon or all of selection_anomaly_* )
falsepositives:
- Software installers that run from temporary folders and also install scheduled tasks are expected to generate some false positives
level: high
related
high
Suspicious Modification Of Scheduled Tasks
Detects when an attacker tries to modify an already existing scheduled tasks to run from a suspicious location
Attackers can create a simple looking task in order to avoid detection on creation as it's often the most focused on
Instead they modify the task after creation to include their malicious payload
status test
author Nasreddine Bencherchali (Nextron Systems)
id 1c0e41cd-21bb-4433-9acc-4a2cd6367b9b
license Sigma · DRL-1.1
view Sigma YAML
title: Suspicious Modification Of Scheduled Tasks
id: 1c0e41cd-21bb-4433-9acc-4a2cd6367b9b
related:
- id: 614cf376-6651-47c4-9dcc-6b9527f749f4 # Security-Audting Eventlog
type: similar
status: test
description: |
Detects when an attacker tries to modify an already existing scheduled tasks to run from a suspicious location
Attackers can create a simple looking task in order to avoid detection on creation as it's often the most focused on
Instead they modify the task after creation to include their malicious payload
references:
- Internal Research
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-28
modified: 2022-11-18
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.t1053.005
logsource:
product: windows
category: process_creation
detection:
selection_schtasks:
Image|endswith: '\schtasks.exe'
CommandLine|contains|all:
- ' /Change '
- ' /TN '
selection_susp_locations:
CommandLine|contains:
- '\AppData\Local\Temp'
- '\AppData\Roaming\'
- '\Users\Public\'
- '\WINDOWS\Temp\'
- '\Desktop\'
- '\Downloads\'
- '\Temporary Internet'
- 'C:\ProgramData\'
- 'C:\Perflogs\'
- '%ProgramData%'
- '%appdata%'
- '%comspec%'
- '%localappdata%'
selection_susp_images:
CommandLine|contains:
- 'regsvr32'
- 'rundll32'
- 'cmd /c '
- 'cmd /k '
- 'cmd /r '
- 'cmd.exe /c '
- 'cmd.exe /k '
- 'cmd.exe /r '
- 'powershell'
- 'mshta'
- 'wscript'
- 'cscript'
- 'certutil'
- 'bitsadmin'
- 'bash.exe'
- 'bash '
- 'scrcons'
- 'wmic '
- 'wmic.exe'
- 'forfiles'
- 'scriptrunner'
- 'hh.exe'
- 'hh '
condition: all of selection_*
falsepositives:
- Unknown
level: high
related
high
Suspicious Scheduled Task Creation
Detects suspicious scheduled task creation events. Based on attributes such as paths, commands line flags, etc.
status test
author Nasreddine Bencherchali (Nextron Systems)
id 3a734d25-df5c-4b99-8034-af1ddb5883a4
license Sigma · DRL-1.1
view Sigma YAML
title: Suspicious Scheduled Task Creation
id: 3a734d25-df5c-4b99-8034-af1ddb5883a4
status: test
description: Detects suspicious scheduled task creation events. Based on attributes such as paths, commands line flags, etc.
references:
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4698
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-05
modified: 2022-12-07
tags:
- attack.execution
- attack.privilege-escalation
- attack.persistence
- attack.t1053.005
logsource:
product: windows
service: security
definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection. We also recommend extracting the Command field from the embedded XML in the event data.'
detection:
selection_eid:
EventID: 4698
selection_paths:
TaskContent|contains:
- '\AppData\Local\Temp\'
- '\AppData\Roaming\'
- '\Users\Public\'
- '\WINDOWS\Temp\'
- 'C:\Temp\'
- '\Desktop\'
- '\Downloads\'
- '\Temporary Internet'
- 'C:\ProgramData\'
- 'C:\Perflogs\'
selection_commands:
TaskContent|contains:
- 'regsvr32'
- 'rundll32'
- 'cmd.exe</Command>'
- 'cmd</Command>'
- '<Arguments>/c '
- '<Arguments>/k '
- '<Arguments>/r '
- 'powershell'
- 'pwsh'
- 'mshta'
- 'wscript'
- 'cscript'
- 'certutil'
- 'bitsadmin'
- 'bash.exe'
- 'bash '
- 'scrcons'
- 'wmic '
- 'wmic.exe'
- 'forfiles'
- 'scriptrunner'
- 'hh.exe'
condition: all of selection_*
falsepositives:
- Unknown
level: high
related
high
Persistence and Execution at Scale via GPO Scheduled Task
Detect lateral movement using GPO scheduled task, usually used to deploy ransomware at scale
status test
author Samir Bousseaden
id a8f29a7b-b137-4446-80a0-b804272f3da2
license Sigma · DRL-1.1
view Sigma YAML
title: Persistence and Execution at Scale via GPO Scheduled Task
id: a8f29a7b-b137-4446-80a0-b804272f3da2
status: test
description: Detect lateral movement using GPO scheduled task, usually used to deploy ransomware at scale
references:
- https://twitter.com/menasec1/status/1106899890377052160
- https://www.secureworks.com/blog/ransomware-as-a-distraction
- https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-0-16-1-scheduled-task-execution-at-scale-via-gpo.html
author: Samir Bousseaden
date: 2019-04-03
modified: 2024-09-04
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.lateral-movement
- attack.t1053.005
logsource:
product: windows
service: security
definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
selection_5136:
EventID: 5136
AttributeLDAPDisplayName:
- 'gPCMachineExtensionNames'
- 'gPCUserExtensionNames'
AttributeValue|contains:
- 'CAB54552-DEEA-4691-817E-ED4A4D1AFC72'
- 'AADCED64-746C-4633-A97C-D61349046527'
selection_5145:
EventID: 5145
ShareName|endswith: '\SYSVOL' # looking for the string \\*\SYSVOL
RelativeTargetName|endswith: 'ScheduledTasks.xml'
AccessList|contains:
- 'WriteData'
- '%%4417'
condition: 1 of selection_*
falsepositives:
- If the source IP is not localhost then it's super suspicious, better to monitor both local and remote changes to GPO scheduled tasks.
level: high
related
high
Suspicious Scheduled Task Update
Detects update to a scheduled task event that contain suspicious keywords.
status test
author Nasreddine Bencherchali (Nextron Systems)
id 614cf376-6651-47c4-9dcc-6b9527f749f4
license Sigma · DRL-1.1
view Sigma YAML
title: Suspicious Scheduled Task Update
id: 614cf376-6651-47c4-9dcc-6b9527f749f4
related:
- id: 1c0e41cd-21bb-4433-9acc-4a2cd6367b9b # ProcCreation schtasks change
type: similar
status: test
description: Detects update to a scheduled task event that contain suspicious keywords.
references:
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4698
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-05
tags:
- attack.execution
- attack.privilege-escalation
- attack.persistence
- attack.t1053.005
logsource:
product: windows
service: security
definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection. We also recommend extracting the Command field from the embedded XML in the event data.'
detection:
selection_eid:
EventID: 4702
selection_paths:
TaskContentNew|contains:
- '\AppData\Local\Temp\'
- '\AppData\Roaming\'
- '\Users\Public\'
- '\WINDOWS\Temp\'
- 'C:\Temp\'
- '\Desktop\'
- '\Downloads\'
- '\Temporary Internet'
- 'C:\ProgramData\'
- 'C:\Perflogs\'
selection_commands:
TaskContentNew|contains:
- 'regsvr32'
- 'rundll32'
- 'cmd.exe</Command>'
- 'cmd</Command>'
- '<Arguments>/c '
- '<Arguments>/k '
- '<Arguments>/r '
- 'powershell'
- 'pwsh'
- 'mshta'
- 'wscript'
- 'cscript'
- 'certutil'
- 'bitsadmin'
- 'bash.exe'
- 'bash '
- 'scrcons'
- 'wmic '
- 'wmic.exe'
- 'forfiles'
- 'scriptrunner'
- 'hh.exe'
condition: all of selection_*
falsepositives:
- Unknown
level: high