Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE

About the rule

Rule Type

Standard

Rule Description

Detects scheduled task creations via schtasks.exe that point to a suspicious folder or to an environment variable often used by malware

Severity

Trouble

Rule Requirement

Criteria

Action1: actionname = "Process started"
  AND (
    ((PROCESSNAME endswith "\schtasks.exe" AND COMMANDLINE contains " /create ")
      AND COMMANDLINE contains ":\Perflogs,:\Users\All Users\,:\Users\Default\,:\Users\Public,:\Windows\Temp,\AppData\Local\,\AppData\Roaming\,%AppData%,%Public%")
    OR (PARENTPROCESSCOMMANDLINE endswith "\svchost.exe -k netsvcs -p -s Schedule"
      AND COMMANDLINE contains ":\Perflogs,:\Windows\Temp,\Users\Public,%Public%")
  )
  AND (
    (PARENTPROCESSCOMMANDLINE notcontains "unattended.ini" AND COMMANDLINE notcontains "update_task.xml")
    AND COMMANDLINE notcontains "/Create /TN TVInstallRestore /TR"
    AND (COMMANDLINE notcontains "/Create /Xml "C:\Users" OR COMMANDLINE notcontains "\AppData\Local\Temp\.CR." OR COMMANDLINE notcontains "Avira_Security_Installation.xml")
    AND ((COMMANDLINE notcontains "/Create /F /TN" OR COMMANDLINE notcontains "/Xml " OR COMMANDLINE notcontains "\AppData\Local\Temp\is-" OR COMMANDLINE notcontains "Avira_")
      OR COMMANDLINE notcontains ".tmp\UpdateFallbackTask.xml,.tmp\WatchdogServiceControlManagerTimeout.xml,.tmp\SystrayAutostart.xml,.tmp\MaintenanceTask.xml")
    AND (COMMANDLINE notcontains "\AppData\Local\Temp" OR COMMANDLINE notcontains "/Create /TN "klcp_update" /XML " OR COMMANDLINE notcontains "\klcp_update_task.xml")
  )
select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME
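The criteria above translated into a small Python matcher and run over constructed process-creation events, as an added example that is not the vendor's rule engine or the rule author's code. The event field names (Hostname, ProcessName, CommandLine, ParentCommandLine) and the sample events are assumptions; the selection and exclusion clauses are translated one-for-one from the query.

```python
# Added example (not the vendor's engine): the criteria above re-implemented in Python and
# run over constructed events. Matching is case-insensitive, as SIEM "contains" usually is.
SUSP_PATHS = [":\\Perflogs", ":\\Users\\All Users\\", ":\\Users\\Default\\", ":\\Users\\Public",
              ":\\Windows\\Temp", "\\AppData\\Local\\", "\\AppData\\Roaming\\", "%AppData%", "%Public%"]
SVC_PATHS = [":\\Perflogs", ":\\Windows\\Temp", "\\Users\\Public", "%Public%"]
SCHEDULE_SVC = "\\svchost.exe -k netsvcs -p -s Schedule"  # parent of processes run by the Task Scheduler

def has(text, *needles):
    """The query's `contains "a,b,c"`: true if ANY needle occurs in text."""
    text = text.lower()
    return any(n.lower() in text for n in needles)

def has_all(text, *needles):
    return all(n.lower() in text.lower() for n in needles)

def selected(ev):
    """Positive selections: schtasks /create naming a suspicious path, or a process the
    Schedule service spawned from one."""
    cl, proc, pcl = ev["CommandLine"], ev["ProcessName"], ev.get("ParentCommandLine", "")
    direct = proc.lower().endswith("\\schtasks.exe") and " /create " in cl.lower() and has(cl, *SUSP_PATHS)
    via_service = pcl.lower().endswith(SCHEDULE_SVC.lower()) and has(cl, *SVC_PATHS)
    return direct or via_service

def excluded(ev):
    """Installer/updater patterns the rule's notcontains clauses suppress, translated
    clause by clause from the criteria."""
    cl, pcl = ev["CommandLine"], ev.get("ParentCommandLine", "")
    return (has(pcl, "unattended.ini") or has(cl, "update_task.xml")
            or has(cl, "/Create /TN TVInstallRestore /TR")
            or has_all(cl, '/Create /Xml "C:\\Users', "\\AppData\\Local\\Temp\\.CR.", "Avira_Security_Installation.xml")
            or (has_all(cl, "/Create /F /TN", "/Xml ", "\\AppData\\Local\\Temp\\is-", "Avira_")
                and has(cl, ".tmp\\UpdateFallbackTask.xml", ".tmp\\WatchdogServiceControlManagerTimeout.xml",
                        ".tmp\\SystrayAutostart.xml", ".tmp\\MaintenanceTask.xml"))
            or has_all(cl, "\\AppData\\Local\\Temp", '/Create /TN "klcp_update" /XML ', "\\klcp_update_task.xml"))

def alerts(events):
    """(hostname, command line) for every event the rule would fire on."""
    return [(ev["Hostname"], ev["CommandLine"]) for ev in events if selected(ev) and not excluded(ev)]

# Constructed sample events, not real telemetry.
EVENTS = [
    {"Hostname": "WS01", "ProcessName": "C:\\Windows\\System32\\schtasks.exe", "ParentCommandLine": "cmd.exe",
     "CommandLine": 'schtasks.exe /create /tn Updater /tr "C:\\Users\\Public\\update.exe" /sc minute /mo 5'},
    {"Hostname": "WS02", "ProcessName": "C:\\Windows\\System32\\schtasks.exe", "ParentCommandLine": "TeamViewer_Setup.exe",
     "CommandLine": 'schtasks.exe /Create /TN TVInstallRestore /TR "C:\\Users\\bob\\AppData\\Local\\Temp\\TV\\restore.exe"'},
    {"Hostname": "WS03", "ProcessName": "C:\\Windows\\System32\\schtasks.exe", "ParentCommandLine": "explorer.exe",
     "CommandLine": 'schtasks.exe /create /tn Backup /tr "C:\\Program Files\\Backup\\run.exe" /sc daily'},
    {"Hostname": "WS04", "ProcessName": "C:\\Windows\\Temp\\stage2.exe", "CommandLine": "C:\\Windows\\Temp\\stage2.exe",
     "ParentCommandLine": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule"},
]
```

Running `alerts(EVENTS)` fires on WS01 (task pointing into C:\Users\Public) and WS04 (a process the Schedule service launched from C:\Windows\Temp), while the TeamViewer installer on WS02 is selected but suppressed by its exclusion clause and WS03 never matches a suspicious path.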

Detection

Execution Mode

realtime

Log Sources

Windows

Author

Florian Roth (Nextron Systems)