SigmaHQ/rules/windows/sysmon/sysmon_powersploit_schtasks.yml

title: Default PowerSploit Schtasks Persistence 
status: experimental
description: Detects the creation of a schtask via PowerSploit Default Configuration 
references:
    - https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1
author: Markus Neis
date: 2018/03/06
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        ParentImage:
            - '*\Powershell.exe'
        CommandLine:
            - '*\schtasks.exe*/Create*/RU*system*/SC*ONLOGON*'
            - '*\schtasks.exe*/Create*/RU*system*/SC*DAILY*'
            - '*\schtasks.exe*/Create*/RU*system*/SC*ONIDLE*'
            - '*\schtasks.exe*/Create*/RU*system*/SC*HOURLY*'
    condition: selection
tags:
    - attack.execution
    - attack.persistence
    - attack.privilege_escalation
    - attack.t1053
    - attack.t1086
    - attack.s0111
    - attack.g0022
    - attack.g0060
falsepositives:
    - False positives are possible, depends on organisation and processes
level: high
Detects the creation of a schtask via PowerSploit Default Configuration https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1 2018-06-23 13:45:58 +00:00			`title: Default PowerSploit Schtasks Persistence`
			`status: experimental`
			`description: Detects the creation of a schtask via PowerSploit Default Configuration`
			`references:`
			`- https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1`
			`author: Markus Neis`
			`date: 2018/03/06`
			`logsource:`
			`product: windows`
			`service: sysmon`
			`detection:`
			`selection:`
			`ParentImage:`
			`- '*\Powershell.exe'`
			`CommandLine:`
			`- '\schtasks.exe/Create/RUsystem/SCONLOGON*'`
Added additional options 2018-06-23 13:54:31 +00:00			`- '\schtasks.exe/Create/RUsystem/SCDAILY*'`
			`- '\schtasks.exe/Create/RUsystem/SCONIDLE*'`
			`- '\schtasks.exe/Create/RUsystem/SCHOURLY*'`
Detects the creation of a schtask via PowerSploit Default Configuration https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1 2018-06-23 13:45:58 +00:00			`condition: selection`
ATT&CK tagging of Default PowerSploit Schtasks Persistence 2018-07-22 12:53:56 +00:00			`tags:`
			`- attack.execution`
			`- attack.persistence`
Correct MITRE tag 2019-01-22 18:26:07 +00:00			`- attack.privilege_escalation`
ATT&CK tagging of Default PowerSploit Schtasks Persistence 2018-07-22 12:53:56 +00:00			`- attack.t1053`
Update sysmon_powersploit_schtasks.yml 2018-10-10 00:10:37 +00:00			`- attack.t1086`
ATT&CK tagging of Default PowerSploit Schtasks Persistence 2018-07-22 12:53:56 +00:00			`- attack.s0111`
			`- attack.g0022`
			`- attack.g0060`
Detects the creation of a schtask via PowerSploit Default Configuration https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1 2018-06-23 13:45:58 +00:00			`falsepositives:`
			`- False positives are possible, depends on organisation and processes`
			`level: high`