title: Suspicious Scheduled Task Creation Involving Temp Folder
author: Florian Roth
date: 2021/03/11
description: Detects the creation of scheduled tasks that involves a temporary folder
    and runs only once
detection:
    SELECTION_1:
        EventID: 1
    SELECTION_2:
        Image: '*\schtasks.exe'
    SELECTION_3:
        CommandLine: '* /create *'
    SELECTION_4:
        CommandLine: '* /sc once *'
    SELECTION_5:
        CommandLine: '*\Temp\\*'
    condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
falsepositives:
- Administrative activity
- Software installation
fields:
- CommandLine
- ParentCommandLine
id: 39019a4e-317f-4ce3-ae63-309a8c6b53c5
level: high
logsource:
    category: process_creation
    product: windows
references:
- https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3
status: experimental
tags:
- attack.execution
- attack.persistence
- attack.t1053.005
yml_filename: win_susp_schtask_creation_temp_folder.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation