schedule task via schtasks

rule:
  meta:
    name: schedule task via schtasks
    namespace: persistence/scheduled-tasks
    authors:
      - 0x534a@mailbox.org
      - j.j.vannielen@utwente.nl
    scopes:
      static: function
      dynamic: call
    att&ck:
      - Persistence::Scheduled Task/Job::Scheduled Task [T1053.005]
    references:
      - https://learn.microsoft.com/en-us/windows/win32/taskschd/task-scheduler-start-page
      - https://stmxcsr.com/persistence/scheduled-tasks.html
    examples:
      - 79cde1aa711e321b4939805d27e160be:0x401440
  features:
    - or:
      - and:
        - match: set registry value
        - string: /Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\/i
        - string: /^Actions$/i
      - and:
        - match: host-interaction/process/create
        - or:
          - and:
            - string: /schtasks/i
            - or:
              - string: /\/change/i
              - string: /\/create/i
          - string: /Register-ScheduledTask /i