Suspicious Schedule Task Execution Type OnIdle Set Via Schtasks.EXE

Rule Info

Name
Suspicious Schedule Task Execution Type OnIdle Set Via Schtasks.EXE
Author
Nasreddine Bencherchali (Nextron Systems)
Description
Detects the setting of a scheduled tasks execution type to "OnIdle". This will specifies that the task runs whenever the system is idle for a specified period of time. Attackers were seen using this type of scheduled tasks in order to achieve stealth and persistence.
Reference
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change
Date
2024-06-06 00:00:00
Modified
None
Id
43460610-98d5-4f7f-aa4d-8b91c2e3215d
Tags
attack.execution attack.t1053.005
Type
Nextron Sigma feed only (private)

Rule History

THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022