Scheduled Task Creation with System Binary Masquerading

Rule Info

Name
Scheduled Task Creation with System Binary Masquerading
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects the creation of scheduled tasks that execute binaries whose names match those of Windows system binaries, indicating potential masquerading. Adversaries commonly create scheduled tasks with names resembling legitimate system binaries to maintain persistence and evade detection. This technique helps them preserve system access after reboots or system changes while avoiding suspicion.
Reference
Internal Research
Date
2025-04-07 00:00:00
Modified
None
Id
1c70633e-19c7-49c8-aa21-6d83f6b5c9b7
Tags
attack.persistence attack.t1053.005 attack.defense-evasion attack.t1036.005
Type
Nextron Sigma feed only (private)

Rule History