title: Rare Schtasks Creations
author: Florian Roth
date: 2017/03/23
description: Detects rare scheduled tasks creations that only appear a few times per
  time frame and could reveal password dumpers, backdoor installs or other types of
  malicious code
detection:
  SELECTION_1:
    EventID: 4698
  condition: SELECTION_1 | count() by TaskName < 5
falsepositives:
- Software installation
- Software updates
id: b0d77106-7bb0-41fe-bd94-d1752164d066
level: low
logsource:
  definition: The Advanced Audit Policy setting Object Access > Audit Other Object
    Access Events has to be configured to allow this detection (not in the baseline
    recommendations by Microsoft). We also recommend extracting the Command field
    from the embedded XML in the event data.
  product: windows
  service: security
status: experimental
tags:
- attack.execution
- attack.privilege_escalation
- attack.persistence
- attack.t1053
- car.2013-08-001
- attack.t1053.005
ruletype: SIGMA