Schtasks Used For Forcing A Reboot

Description

This search looks for flags passed to schtasks.exe on the command-line that indicate that a forced reboot of system is scheduled.

Content Mapping

This content is not mapped to any local saved search. Add mapping


Use Case

Security Monitoring

Category

Ransomware

Alert Volume

This search looks for flags passed to schtasks.exe on the command-line that indicate that a forced reboot of system is scheduled.

SPL Difficulty

None

Journey

Stage 3

MITRE ATT&CK Tactics

Execution
Persistence
Privilege Escalation

MITRE ATT&CK Techniques

Scheduled Task/Job

Scheduled Task

MITRE Threat Groups

APT-C-36
APT29
APT3
APT32
APT33
APT39
APT41
BRONZE BUTLER
Blue Mockingbird
Chimera
Cobalt Group
Dragonfly 2.0
FIN10
FIN6
FIN7
FIN8
Frankenstein
Gamaredon Group
Machete
MuddyWater
OilRig
Patchwork
Rancor
Silence
Soft Cell
Stealth Falcon
TEMP.Veles
Wizard Spider
menuPass

Kill Chain Phases

Actions On Objectives

Data Sources

Endpoint Detection and Response

   Help

Schtasks Used For Forcing A Reboot Help

To successfully implement this search you need to be ingesting logs with both the process name and command-line from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.

   Search

Open in Search