SigmaHQ/rules/windows/builtin/win_rare_schtasks_creations.yml

title: Rare Schtasks Creations
id: b0d77106-7bb0-41fe-bd94-d1752164d066
description: Detects rare scheduled tasks creations that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious code
status: experimental
author: Florian Roth
date: 2017/03/23
tags:
    - attack.execution
    - attack.privilege_escalation
    - attack.persistence
    - attack.t1053
    - car.2013-08-001
logsource:
    product: windows
    service: security
    definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection (not in the baseline recommendations by Microsoft). We also recommend extracting the Command field from the embedded XML in the event data.'
detection:
    selection:
        EventID: 4698
    timeframe: 7d
    condition: selection | count() by TaskName < 5
falsepositives:
    - Software installation
    - Software updates
level: low
Massive Title Cleanup 2018-01-27 09:57:30 +00:00			`title: Rare Schtasks Creations`
Added UUIDs to rules 2019-11-12 22:12:27 +00:00			`id: b0d77106-7bb0-41fe-bd94-d1752164d066`
newline in description - typo 2020-03-14 18:58:58 +00:00			`description: Detects rare scheduled tasks creations that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious code`
Rule: Rare scheduled tasks creations 2017-03-23 10:45:10 +00:00			`status: experimental`
			`author: Florian Roth`
fix: fixed missing date fields in remaining files 2020-01-30 15:07:37 +00:00			`date: 2017/03/23`
Add tags to windows builtin rules 2018-07-24 05:50:32 +00:00			`tags:`
			`- attack.execution`
			`- attack.privilege_escalation`
			`- attack.persistence`
			`- attack.t1053`
First Pass 2019-06-14 04:15:38 +00:00			`- car.2013-08-001`
Rule: Rare scheduled tasks creations 2017-03-23 10:45:10 +00:00			`logsource:`
			`product: windows`
			`service: security`
Replace "logsource: description" with "definition" to match the specs 2018-11-15 06:00:06 +00:00			`definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection (not in the baseline recommendations by Microsoft). We also recommend extracting the Command field from the embedded XML in the event data.'`
Rule: Rare scheduled tasks creations 2017-03-23 10:45:10 +00:00			`detection:`
			`selection:`
Bugfix: Wrong Event ID and extended description 2017-03-23 10:50:30 +00:00			`EventID: 4698`
Rule: Rare scheduled tasks creations 2017-03-23 10:45:10 +00:00			`timeframe: 7d`
fix: fixed missing date fields in remaining files 2020-01-30 15:07:37 +00:00			`condition: selection \| count() by TaskName < 5`
			`falsepositives:`
Rule: Rare scheduled tasks creations 2017-03-23 10:45:10 +00:00			`- Software installation`
			`- Software updates`
			`level: low`