Scheduled Task Creation Potentially Masquerading as System Processes
Last updated on:
In this page
About the rule
Rule Type
Standard
Rule Description
Detects the creation of scheduled tasks that involve system processes, which may indicate malicious actors masquerading as or abusing these processes to execute payloads or maintain persistence.
Severity
Trouble
Rule Requirement
Criteria
Action1:
actionname = "Process started" AND ( PROCESSNAME endswith "\schtasks.exe" OR ORIGINALFILENAME = "schtasks.exe" ) AND ( COMMANDLINE contains "audiodg,conhost,dwm.exe,explorer,lsass,lsm,mmc,msiexec,regsvr32,rundll32,services,spoolsv,svchost,taskeng,taskhost,wininit,winlogon" )
select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME,Action1.DOMAIN,Action1.ORIGINALFILENAME,Action1.PARENTPROCESSID,Action1.PROCESSID,Action1.PRODUCT_NAME,Action1.SECURITYID
Detection
Execution Mode
realtime
Log Sources
Windows
Author
@Swachchhanda Shrawan Poudel (Nextron Systems)


