PowerShell Runs an Autoupdate Scheduled Task for ACR Stealer Persistence
Detects the PowerShell-driven schtasks pattern Microsoft published for ACR Stealer persistence, where an existing hidden software-update themed task is run after the payload is staged.
Sigma source
Raw YAMLtitle: PowerShell Runs an Autoupdate Scheduled Task for ACR Stealer Persistence
id: 5f502b08-6f12-4a59-965b-7352f8a8191b
status: stable
author: FRAME ZERO
date: 2026-07-17
description: Detects the PowerShell-driven schtasks pattern Microsoft published for ACR Stealer persistence, where an existing hidden software-update themed task is run after the payload is staged.
references:
- https://www.microsoft.com/en-us/security/blog/2026/07/16/acr-stealer-two-observed-intrusion-chains-amid-increased-threat-activity/
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith: '\powershell.exe'
selection_image:
Image|endswith: '\schtasks.exe'
selection_task:
CommandLine|contains|all:
- '/run /tn '
- 'Autoupdate'
selection_date:
CommandLine|re: '[0-9]{8}'
condition: all of selection_*
falsepositives:
- Administrative or software-deployment scripts that intentionally create or trigger a task named Autoupdate with the same date-suffixed pattern
- Endpoint-management tooling that stages legitimate update tasks through PowerShell before execution
level: high
tags:
- attack.persistence
- attack.t1053.005
related_publication: acr-stealer-clickfix-two-delivery-chains
telemetry_assumptions:
- Process telemetry records parent and child images together with the full schtasks command line.
- Analysts can review the created task definition, target payload path, and preceding directory creation below user-writable locations.