Detection / DETPublic file

PowerShell Runs an Autoupdate Scheduled Task for ACR Stealer Persistence

Detects the PowerShell-driven schtasks pattern Microsoft published for ACR Stealer persistence, where an existing hidden software-update themed task is run after the payload is staged.

Sigma source

Raw YAML
title: PowerShell Runs an Autoupdate Scheduled Task for ACR Stealer Persistence
id: 5f502b08-6f12-4a59-965b-7352f8a8191b
status: stable
author: FRAME ZERO
date: 2026-07-17
description: Detects the PowerShell-driven schtasks pattern Microsoft published for ACR Stealer persistence, where an existing hidden software-update themed task is run after the payload is staged.
references:
  - https://www.microsoft.com/en-us/security/blog/2026/07/16/acr-stealer-two-observed-intrusion-chains-amid-increased-threat-activity/
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|endswith: '\powershell.exe'
  selection_image:
    Image|endswith: '\schtasks.exe'
  selection_task:
    CommandLine|contains|all:
      - '/run /tn '
      - 'Autoupdate'
  selection_date:
    CommandLine|re: '[0-9]{8}'
  condition: all of selection_*
falsepositives:
  - Administrative or software-deployment scripts that intentionally create or trigger a task named Autoupdate with the same date-suffixed pattern
  - Endpoint-management tooling that stages legitimate update tasks through PowerShell before execution
level: high
tags:
  - attack.persistence
  - attack.t1053.005
related_publication: acr-stealer-clickfix-two-delivery-chains
telemetry_assumptions:
  - Process telemetry records parent and child images together with the full schtasks command line.
  - Analysts can review the created task definition, target payload path, and preceding directory creation below user-writable locations.

Relationships

Related files