Suspicious Scheduled Task Creation of Legitimate MSC File - Process

Swachchhanda Shrawan Poudel (Nextron Systems)

Detects the creation of suspicious Windows Scheduled Tasks via `schtasks.exe`, related to .msc files such as 'CompMgmt' or 'eventvwr'. These are legitimate Windows services, but during their execution, they check the registry key `HKCU\Software\Classes\mscfile\shell\open\command` to determine the location of `mmc.exe`, which is used to open the `eventvwr.msc` or `CompMgmt.msc`. If the registry value is modified to point to a malicious binary, that binary will be executed instead of `mmc.exe` as a privileged process, bypassing the UAC prompt. Adversaries could exploit this by modifying the `HKCU\Software\Classes\mscfile\shell\open\command` registry key to point to a malicious binary, allowing it to run with elevated privileges without user consent bypassing UAC. For persistence, they could create a scheduled task of these services to ensure the malicious binary is executed. Therefore, it is also recommended to verify whether the registry value has been tampered with or not to verify malicious activity.

2025-03-07 00:00:00

None

a20b230f-4163-4cb8-bc53-1fca0ae34bdd

attack.persistence attack.t1053.005 attack.privilege-escalation attack.defense-evasion attack.t1548.002

Nextron Sigma feed only (private)