SigmaHQ/rules/windows/other/win_rare_schtask_creation.yml

title: Rare Scheduled Task Creations
id: b20f6158-9438-41be-83da-a5a16ac90c2b
status: experimental
description: This rule detects rare scheduled task creations. Typically software gets installed on multiple systems and not only on a few. The aggregation and count function selects tasks with rare names.
tags:
    - attack.persistence
    - attack.t1053           # an old one
    - attack.s0111
    - attack.t1053.005
author: Florian Roth
date: 2017/03/17
logsource:
    product: windows
    service: taskscheduler
detection:
    selection:
        EventID: 106
    timeframe: 7d
    condition: selection | count() by TaskName < 5
falsepositives:
    - Software installation
level: low
Rule: Rare scheduled task installs 2017-03-17 07:41:27 +00:00			`title: Rare Scheduled Task Creations`
Added UUIDs to rules 2019-11-12 22:12:27 +00:00			`id: b20f6158-9438-41be-83da-a5a16ac90c2b`
Rule: Rare scheduled task installs 2017-03-17 07:41:27 +00:00			`status: experimental`
Initial round of subtechnique updates 2020-06-16 20:46:08 +00:00			`description: This rule detects rare scheduled task creations. Typically software gets installed on multiple systems and not only on a few. The aggregation and count function selects tasks with rare names.`
Tagged windows powershell, other and malware rules. 2018-07-24 08:56:41 +00:00			`tags:`
Added missing tags and some minor improvements 2019-03-05 22:25:49 +00:00			`- attack.persistence`
att&ck tags review: windows/builtin, windows/driver_load, windows/file_event, windows/image_load, windows/other 2020-08-24 23:09:17 +00:00			`- attack.t1053 # an old one`
Tagged windows powershell, other and malware rules. 2018-07-24 08:56:41 +00:00			`- attack.s0111`
Initial round of subtechnique updates 2020-06-16 20:46:08 +00:00			`- attack.t1053.005`
Rule: Rare scheduled task installs 2017-03-17 07:41:27 +00:00			`author: Florian Roth`
fix: fixed missing date fields in remaining files 2020-01-30 15:07:37 +00:00			`date: 2017/03/17`
Rule: Rare scheduled task installs 2017-03-17 07:41:27 +00:00			`logsource:`
			`product: windows`
Bugfix: Taskscheduler log source definition 2017-03-17 15:09:31 +00:00			`service: taskscheduler`
Rule: Rare scheduled task installs 2017-03-17 07:41:27 +00:00			`detection:`
			`selection:`
			`EventID: 106`
			`timeframe: 7d`
fix: fixed missing date fields in remaining files 2020-01-30 15:07:37 +00:00			`condition: selection \| count() by TaskName < 5`
Rule: Rare scheduled task installs 2017-03-17 07:41:27 +00:00			`falsepositives:`
			`- Software installation`
			`level: low`