Scheduled Task Creation Potentially Masquerading as System Processes

Last updated on:

About the rule

Rule Type

Standard

Rule Description

Detects the creation of scheduled tasks that involve system processes, which may indicate malicious actors masquerading as or abusing these processes to execute payloads or maintain persistence.

Severity

Trouble

Rule Requirement

Criteria

Action1: actionname = "Process started" AND ( PROCESSNAME endswith "\schtasks.exe" OR ORIGINALFILENAME = "schtasks.exe" ) AND ( COMMANDLINE contains "audiodg,conhost,dwm.exe,explorer,lsass,lsm,mmc,msiexec,regsvr32,rundll32,services,spoolsv,svchost,taskeng,taskhost,wininit,winlogon" ) select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME,Action1.DOMAIN,Action1.ORIGINALFILENAME,Action1.PARENTPROCESSID,Action1.PROCESSID,Action1.PRODUCT_NAME,Action1.SECURITYID

Detection

Execution Mode

realtime

Log Sources

Windows

Author

@Swachchhanda Shrawan Poudel (Nextron Systems)