Behind The Detection — Schtasks

Bit Of Background

C:\Windows\system32\schtasks.exe /Create /RU NT AUTHORITY\SYSTEM /tn ayttpnzc /tr regsvr32.exe -s "c:\Users\[REDACTED]\Desktop\7611346142\c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a.dll" /SC ONCE /Z /ST 15:21 /ET, 15:33
"C:\Windows\System32\schtasks.exe" /CREATE /SC ONCE /ST 17:21:58 /TN 9T6ukfi6 /TR "'C:\Users\pagefilerpqy.exe'" /f /RL HIGHEST
C:\Windows\system32\schtasks.exe /change /tn MaliciousTask /tr C:\Users\Public\malware.exe

Schtasks CLI Options

Are “Scheduled Tasks” Malicious?

  • Uncommon processes running from “C:\Users\Public” or %TEMP%
  • Uncommon Child/Parent relationships
  • DLLs being loaded from uncommon locations
  • …Etc

CommandLine Detection

C:\Windows\system32\schtasks.exe /Create /RU NT AUTHORITY\SYSTEM /tn ayttpnzc /tr regsvr32.exe -s "c:\Users\[REDACTED]\Desktop\7611346142\c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a.dll" /SC ONCE /Z /ST 15:21 /ET, 15:33
  • A task is being created; we know this because of the “/Create” flag
  • The “/RU” flag indicates the level of permissions that this task will run with (in this case it’s “NT AUTHORITY\SYSTEM”)
  • The task is called “ayttpnzc” (see the “/tn” flag)
  • The “/TR” flag indicates the task being run, which in this case is regsvr32.exe -s "c:\Users\[REDACTED]\Desktop\7611346142\c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a.dll"
  • The last couple of flags are related to the type of schedule (see MSDN for the full list) and the time of execution (we’ll skip this for now)

Creating Tasks With “/Create”

Image == "schtasks.exe" and CommandLine contains "/Create"
https://github.com/SigmaHQ/sigma/blob/1e16ed00905a496cbc3b0a1a03d4c2f6f4b63de2/rules/windows/process_creation/proc_creation_win_susp_schtask_creation.yml

Specifying The User With “/RU”

Image == "schtasks.exe" and CommandLine contains "/RU" and CommandLine contains "NT AUTHORITY\SYSTEM"
https://github.com/SigmaHQ/sigma/blob/dabc74af0c8b15cf22f50df9f225ec3b8c599d80/rules/windows/process_creation/proc_creation_win_schtasks_system.yml

Task Being Run With “/TR”

regsvr32.exe -s "c:\Users\[REDACTED]\Desktop\7611346142\c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a.dll"
  • “Regsvr32.exe” being executed as part of the scheduled task
  • The DLL is located on the “Desktop”
  • The DLL name is very random
Image == "schtasks.exe" and CommandLine contains [Suspicious Folder] and CommandLine contains [Suspicious Binary Or Command]
https://github.com/SigmaHQ/sigma/blob/dabc74af0c8b15cf22f50df9f225ec3b8c599d80/rules/windows/process_creation/proc_creation_win_susp_schtasks_change.yml
"C:\Windows\System32\schtasks.exe" /CREATE /SC ONCE /ST 17:21:58 /TN 9T6ukfi6 /TR "'C:\Users\pagefilerpqy.exe'" /f /RL HIGHEST
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create
C:\Windows\system32\schtasks.exe /change /tn MaliciousTask /tr C:\Users\Public\malware.exe
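The three pseudo-rules above, plus the “uncommon process from C:\Users\Public or %TEMP%” heuristic from the earlier list, run over the post’s sample command lines as an added worked example (this is not code from the original post or from any Sigma rule). The indicator lists, the shortened DLL path and the benign control sample are constructed for the example; it assumes Sysmon-style events with separate Image and CommandLine fields.

```python
import re

# Indicator lists are constructed for this example, not copied from any Sigma rule.
SUSPICIOUS_FOLDERS = ("\\users\\public\\", "\\desktop\\", "\\temp\\")
SUSPICIOUS_BINARIES = ("regsvr32", "rundll32", "mshta", "wscript", "cscript", "powershell")
PUBLIC_OR_TEMP = ("c:\\users\\public\\", "\\appdata\\local\\temp\\", "c:\\windows\\temp\\")
_TOKEN = re.compile(r'"[^"]*"|\S+')   # one double-quoted run, or one bare word

def parse_schtasks(cmdline: str) -> dict:
    """Map each /flag (lower-cased) to its value. A value may span several tokens, as in
    '/RU NT AUTHORITY\\SYSTEM' or '/tr regsvr32.exe -s "x.dll"'; bare flags such as /Z get ''."""
    flags, current = {}, None
    for tok in _TOKEN.findall(cmdline)[1:]:        # [0] is the schtasks.exe path itself
        if tok.startswith("/"):
            current = tok.lower().rstrip(",")       # tolerate the stray "/ET," in the first sample
            flags[current] = ""
        elif current is not None:
            flags[current] = (flags[current] + " " + tok.strip("\"'")).strip()
    return flags

def evaluate(image: str, cmdline: str) -> list:
    """Return the names of the post's pseudo-rules that fire for one process-creation event."""
    if not image.lower().endswith("\\schtasks.exe"):
        return []
    flags = parse_schtasks(cmdline)
    action = flags.get("/tr", "").lower()           # what the task will actually run
    hits = []
    if "/create" in flags:                           # Creating Tasks With "/Create"
        hits.append("task_created")
    if "nt authority\\system" in flags.get("/ru", "").lower():   # Specifying The User With "/RU"
        hits.append("task_runs_as_system")
    if any(f in action for f in SUSPICIOUS_FOLDERS) and any(b in action for b in SUSPICIOUS_BINARIES):
        hits.append("suspicious_folder_and_binary")  # Task Being Run With "/TR"
    if ("/create" in flags or "/change" in flags) and any(p in action for p in PUBLIC_OR_TEMP):
        hits.append("action_in_public_or_temp")      # uncommon process from C:\Users\Public or %TEMP%
    return hits

IMAGE = r"C:\Windows\System32\schtasks.exe"
# Constructed samples: the post's three command lines (DLL path shortened) plus a benign control.
SAMPLES = [
    r'C:\Windows\system32\schtasks.exe /Create /RU NT AUTHORITY\SYSTEM /tn ayttpnzc /tr regsvr32.exe -s "c:\Users\victim\Desktop\7611346142\payload.dll" /SC ONCE /Z /ST 15:21 /ET, 15:33',
    r'''"C:\Windows\System32\schtasks.exe" /CREATE /SC ONCE /ST 17:21:58 /TN 9T6ukfi6 /TR "'C:\Users\pagefilerpqy.exe'" /f /RL HIGHEST''',
    r"C:\Windows\system32\schtasks.exe /change /tn MaliciousTask /tr C:\Users\Public\malware.exe",
    r"C:\Windows\system32\schtasks.exe /Query /tn NightlyBackup",
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        print(evaluate(IMAGE, cmd) or "no hits", "<-", cmd)
```

Note that the second sample only trips the broad “/Create” rule: its random task name and /RL HIGHEST are visible to an analyst but not to the three rules as written, which is the kind of gap to close when tuning.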

There Is More Than CLI

Conclusion

Resources
