Detects malicious Windows scheduled tasks using Sysmon events ID 1/11 and security events 4698/4702. Links to suspicious parent processes, public paths, and encoded commands for persistence/lateral movement hunting (T1053.005).
Slash command: /cybersecurity-skills-zh:detecting-malicious-scheduled-tasks-with-sysmon
Attackers abuse the Windows Task Scheduler (schtasks.exe, at.exe) for persistence (T1053.005) and lateral movement. Sysmon Event ID 1 captures schtasks.exe process creation together with the full command-line arguments, and Event ID 11 captures the task XML file written to C:\Windows\System32\Tasks\. Windows Security Event 4698 records the task registration details. This skill covers building detection rules that correlate these events to identify malicious scheduled tasks created from suspicious paths, carrying encoded payloads, or targeting remote systems.
[CRITICAL] Suspicious scheduled task detected
Task: \Microsoft\Windows\UpdateCheck
Command: powershell.exe -enc SQBuAHYAbwBrAGUALQBXAGUAYgBSAGU...
Created By: DOMAIN\compromised_user
Parent Process: cmd.exe (PID 4532)
Source: \\192.168.1.50 (created remotely)
MITRE: T1053.005 - Scheduled Task/Job
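As an added example (not the skill's own code): a small Python correlation over constructed Sysmon 1/11 and Security 4698 events that flags a schtasks /Create on the indicators described above (suspicious parent, public path, encoded command, remote /S target) and links the task-file write and the registration for the same task on the same host. The parent list, path patterns and 5-second window are assumed tuning values.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry): a Sysmon EID 1 / EID 11 / Security 4698
# triple for one suspicious task, plus a benign schtasks /Query that must not fire.
EVENTS = [
    {"id": 1, "host": "WS01", "time": "2024-05-01T10:00:00", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'schtasks.exe /Create /S 192.168.1.50 /TN "\Microsoft\Windows\UpdateCheck" '
                r'/TR "powershell.exe -enc SQBuAHYAbwBrAGUA" /SC ONLOGON'},
    {"id": 11, "host": "WS01", "time": "2024-05-01T10:00:01",
     "target": r"C:\Windows\System32\Tasks\Microsoft\Windows\UpdateCheck"},
    {"id": 4698, "host": "WS01", "time": "2024-05-01T10:00:01",
     "task": r"\Microsoft\Windows\UpdateCheck", "user": r"DOMAIN\compromised_user"},
    {"id": 1, "host": "WS02", "time": "2024-05-01T10:05:00", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'schtasks.exe /Query /TN "\Microsoft\Windows\Defrag\ScheduledDefrag"'},
]
# Assumed tuning knobs: shells/script hosts as parent, user-writable paths, -EncodedCommand prefixes.
SUSPICIOUS_PARENTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
PUBLIC_PATH = re.compile(r"\\(Users\\Public|Temp|AppData|ProgramData)\\", re.I)
ENCODED = re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.I)

def arg(flag, cmd):
    """Value after a schtasks switch such as /TN, /TR or /S (quoted or bare)."""
    m = re.search(rf'/{flag}\s+(?:"([^"]*)"|(\S+))', cmd, re.I)
    return (m.group(1) or m.group(2)) if m else None

def hunt(events, window=timedelta(seconds=5)):
    """One alert per schtasks /Create carrying a T1053.005 indicator, enriched with the
    Sysmon 11 task-file write and the 4698 registration for the same task on the same host."""
    alerts = []
    for ev in events:
        if ev["id"] != 1 or not re.search(r"/create\b", ev["cmdline"], re.I):
            continue
        action, task = arg("TR", ev["cmdline"]) or "", arg("TN", ev["cmdline"]) or "?"
        checks = [("suspicious_parent", ev["parent"].rsplit("\\", 1)[-1].lower() in SUSPICIOUS_PARENTS),
                  ("encoded_command", ENCODED.search(action)), ("public_path", PUBLIC_PATH.search(action)),
                  ("remote_target", arg("S", ev["cmdline"]))]  # /S <system>: registered on a remote host
        indicators = [name for name, hit in checks if hit]
        if not indicators:
            continue
        linked = sorted({e["id"] for e in events if e["id"] in (11, 4698) and e["host"] == ev["host"]
                         and abs(datetime.fromisoformat(e["time"]) - datetime.fromisoformat(ev["time"])) <= window
                         and task.lower() in (e.get("target") or e.get("task") or "").lower()})
        alerts.append({"host": ev["host"], "task": task, "action": action,
                       "indicators": indicators, "linked_events": linked})
    return alerts

if __name__ == "__main__":
    for a in hunt(EVENTS):
        print(f"[CRITICAL] {a['host']} {a['task']} {a['indicators']} linked={a['linked_events']}")
```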