SigmaHQ/rules/windows/builtin/win_rare_schtasks_creations.yml

23 lines
895 B
YAML

title: Rare Schtasks Creations
description: Detects rare scheduled tasks creations that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious code
status: experimental
author: Florian Roth
tags:
- attack.execution
- attack.privilege_escalation
- attack.persistence
- attack.t1053
logsource:
product: windows
service: security
definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection (not in the baseline recommendations by Microsoft). We also recommend extracting the Command field from the embedded XML in the event data.'
detection:
selection:
EventID: 4698
timeframe: 7d
condition: selection | count(TaskName) < 5
falsepositives:
- Software installation
- Software updates
level: low