From afb9bac150bb6cccc6f21975abf3da14627d4193 Mon Sep 17 00:00:00 2001 From: "@" <@> Date: Fri, 18 Sep 2020 15:52:24 -0500 Subject: [PATCH] Added T1053.005 Scheduled Tasks --- Persistence.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/Persistence.md b/Persistence.md index a87bba1..0cebf61 100644 --- a/Persistence.md +++ b/Persistence.md @@ -184,6 +184,11 @@ FileFullName ContainsCIS "Programs\Startup" AND FileType In Contains Anycase ("v ### T1053.005 Scheduled Task Atomics: [T1053.005](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md) +Our goal with this query is to detect any schtasks /create command as well as any use of the New-ScheduledTask* cmdlets from powershell, and to prevent noise from services and updates we'll exclude a list of system "trusted" SrcProcParentName executables. + +``` +(( TgtProcName = "schtasks.exe" AND TgtProcCmdLine ContainsCIS "/create" ) OR ( SrcProcCmdLine ContainsCIS "New-ScheduledTask" OR SrcProcCmdScript ContainsCIS "New-ScheduledTask" )) AND SrcProcParentName Not In ("services.exe","OfficeClickToRun.exe") +``` ### T1546.002 Screensaver Atomics: [T1546.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md)
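Review bot: the exclusion clause in the added query is applied inconsistently between the two branches: the first branch matches on the target process (`TgtProcName = "schtasks.exe" AND TgtProcCmdLine ContainsCIS "/create"`), but the filter `SrcProcParentName Not In ("services.exe","OfficeClickToRun.exe")` tests the source process's parent, so for the schtasks branch it is checking the grandparent of the process that actually creates the task rather than its parent; consider filtering on the field that matches the branch (e.g. `SrcProcName Not In (...)` for the schtasks branch) so the noise exclusion does what the prose says. Two further gaps worth documenting in the description: `schtasks /create` is the only schtasks verb matched, so modifications of an existing task via other verbs are not covered, and `New-ScheduledTask` only builds a task object in memory, while the cmdlet that actually persists it is `Register-ScheduledTask`; adding `Register-ScheduledTask` to the `SrcProcCmdLine` / `SrcProcCmdScript` substring checks would close that. Finally, the wholesale `services.exe` exclusion suppresses every task created by any service's child process, which the text should call out as an accepted blind spot, and the fence should carry a language tag like the other query blocks if the file uses them.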