title: Default PowerSploit and Empire Schtasks Persistence
id: 56c217c3-2de2-479b-990f-5c109ba8458f
status: experimental
description: Detects the creation of a schtask via PowerSploit or Empire Default Configuration.
references:
    - https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1
    - https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/persistence/userland/schtasks.py
    - https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/persistence/elevated/schtasks.py
author: Markus Neis, @Karneades
date: 2018/03/06
logsource:
    product: windows
    category: process_creation
detection:
    selection1:
        ParentImage|endswith: '\powershell.exe'
        Image|endswith: '\schtasks.exe'
        CommandLine|contains|all:
            - '/Create'
            - '/SC'
    selection2:
        CommandLine|contains:
            - 'ONLOGON'
            - 'DAILY'
            - 'ONIDLE'
            - 'Updater'
        CommandLine|contains|all:
            - '/TN'
            - 'Updater'
            - '/TR'
            - 'powershell'
    condition: selection1 and selection2
tags:
    - attack.execution
    - attack.persistence
    - attack.privilege_escalation
    - attack.t1053 # an old one
    - attack.t1086 # an old one
    - attack.s0111
    - attack.g0022
    - attack.g0060
    - car.2013-08-001
    - attack.t1053.005
    - attack.t1059.001
falsepositives:
    - False positives are possible, depends on organisation and processes
level: high