Detects malicious Windows scheduled tasks using Sysmon Event IDs 1/11 and Windows Security Event IDs 4698/4702. Links them to suspicious parent processes, public paths, and encoded commands for persistence and lateral-movement hunting (T1053.005).
npx claudepluginhub killvxk/cybersecurity-skills-zh
This skill uses the workspace's default tool permissions.
Hunts suspicious Windows scheduled tasks for attacker persistence (T1053.005) by analyzing creation events, task properties, and execution patterns. For threat hunting in Windows environments with Sysmon, Splunk, or Sentinel.
Attackers abuse the Windows Task Scheduler (schtasks.exe, at.exe) for persistence (T1053.005) and lateral movement. Sysmon Event ID 1 captures the schtasks.exe process creation together with its full command-line arguments, and Event ID 11 captures the task XML file written to C:\Windows\System32\Tasks\. Windows Security Event 4698 records the task registration details. This skill covers building detection rules that correlate these events to identify malicious scheduled tasks created from suspicious paths, carrying encoded payloads, or targeting remote systems.
[CRITICAL] Suspicious scheduled task detected
Task: \Microsoft\Windows\UpdateCheck
Command: powershell.exe -enc SQBuAHYAbwBrAGUALQBXAGUAYgBSAGU...
Created By: DOMAIN\compromised_user
Parent Process: cmd.exe (PID 4532)
Source: \\192.168.1.50 (created remotely)
MITRE: T1053.005 - Scheduled Task/Job
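As an added example (not part of the skill's own rules), the correlation described above in Python: Sysmon EID 1 schtasks.exe /create events are scored for a suspicious parent, an encoded command, a public path and a remote /S target, then corroborated against EID 11 task XML writes and Security 4698 registrations. The event records, their simplified field names and the task and user values are constructed sample data.

```python
import re

# Constructed sample events (not from the page), reduced to the fields the hunt needs.
EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "user": r"DOMAIN\compromised_user",
     "cmd": r'schtasks.exe /create /S 192.168.1.50 /tn "\Microsoft\Windows\UpdateCheck" '
            r'/tr "powershell.exe -enc SQBuAHYAbwBrAGUALQBXAGUAYgBSAGU" /sc onlogon'},
    {"id": 11, "target": r"C:\Windows\System32\Tasks\Microsoft\Windows\UpdateCheck"},
    {"id": 4698, "task": r"\Microsoft\Windows\UpdateCheck", "user": r"DOMAIN\compromised_user"},
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe", "parent": r"C:\Windows\System32\svchost.exe",
     "user": r"NT AUTHORITY\SYSTEM",
     "cmd": r'schtasks.exe /create /tn "\Backup\Nightly" /tr "C:\Program Files\Backup\backup.exe" /sc daily'},
]

SUSPICIOUS_PARENTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}
PUBLIC_PATHS = (r"\users\public", r"\temp", r"\appdata", r"\programdata")  # user-writable locations
TASKS_DIR = r"c:\windows\system32\tasks"  # EID 11 writes under here are task XML registrations

def task_name(cmd):  # the /tn value, quoted or bare
    m = re.search(r'/tn\s+"?([^"\s]+)"?', cmd, re.I)
    return m.group(1) if m else "<no /tn>"

def task_action(cmd):  # the /tr payload, quoted or bare
    m = re.search(r'/tr\s+"([^"]*)"', cmd, re.I) or re.search(r'/tr\s+(\S+)', cmd, re.I)
    return m.group(1) if m else ""

def hunt(events):
    # Secondary evidence keyed by task name: XML written under Tasks (EID 11) and registration (4698)
    xml_written = {e["target"][len(TASKS_DIR):].lower() for e in events
                   if e["id"] == 11 and e["target"].lower().startswith(TASKS_DIR)}
    registered = {e["task"].lower() for e in events if e["id"] == 4698}
    findings = {}
    for e in events:
        if e["id"] != 1 or not e["image"].lower().endswith("schtasks.exe") or "/create" not in e["cmd"].lower():
            continue
        name, act = task_name(e["cmd"]), task_action(e["cmd"])
        parent = e["parent"].rsplit("\\", 1)[-1].lower()
        checks = [
            (parent in SUSPICIOUS_PARENTS, "suspicious parent: " + parent),
            (bool(re.search(r"\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", act, re.I)), "encoded command"),
            (any(p in act.lower() for p in PUBLIC_PATHS), "public/writable path"),
            (bool(re.search(r"\s/s\s+\S+", e["cmd"], re.I)), "remote target (/S)"),  # /sc does not match
        ]
        reasons = [label for hit, label in checks if hit]
        if reasons:
            corroborated = name.lower() in xml_written or name.lower() in registered
            findings[name] = {"user": e["user"], "reasons": reasons, "corroborated": corroborated,
                              "severity": "CRITICAL" if corroborated and len(reasons) >= 2 else "HIGH"}
    return findings
```

The benign svchost.exe-spawned backup task produces no finding, while the remotely created, cmd.exe-spawned encoded task is corroborated by both its XML write and its 4698 registration and is raised to CRITICAL.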