Sample rules
WinEvent Scheduled Task Created to Spawn Shell
- source: splunk
- technicques:
- T1053.005
- T1053
Description
The following query utilizes Windows Security EventCode 4698, indicating ‘a scheduled task was created’, to identify potentially suspicious tasks. These tasks may be registered on Windows through either schtasks.exe or TaskService, and are set up to execute a command with a native Windows shell such as PowerShell, Cmd, Wscript, or Cscript. The search will return the initial and final times the task was registered, along with details like the ‘Command’ set to be executed, ‘Task Name’, ‘Author’, whether it’s ‘Enabled’, and if it is ‘Hidden’. Schtasks.exe is typically found in C:\Windows\system32 and C:\Windows\syswow64. The DLL ’taskschd.dll’ is loaded when either schtasks.exe or TaskService is launched. If this DLL is found loaded by another process, it’s possible that a scheduled task is being registered within the context of that process in memory. During triage, it’s essential to identify the source of the scheduled task. Was it registered via schtasks.exe or TaskService? Review the job that was created and the command set to be executed. It’s also recommended to capture and review any artifacts on disk, and identify any parallel processes within the same timeframe to locate the source.
Detection logic
`wineventlog_security` EventCode=4698 TaskContent IN ("*powershell.exe*", "*wscript.exe*", "*cscript.exe*", "*cmd.exe*", "*sh.exe*", "*ksh.exe*", "*zsh.exe*", "*bash.exe*", "*scrcons.exe*", "*pwsh.exe*")
| stats count min(_time) as firstTime max(_time) as lastTime by Computer, TaskName, TaskContent
| rename Computer as dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `winevent_scheduled_task_created_to_spawn_shell_filter`
WinEvent Scheduled Task Created Within Public Path
- source: splunk
- technicques:
- T1053.005
- T1053
Description
The following analytic utilizes Windows Security EventCode 4698, which indicates the creation of a scheduled task on a Windows system. The purpose of this query is to identify suspicious tasks that have been registered using either schtasks.exe or TaskService and involve executing a command from a user-writable file path. When this analytic is triggered, it provides information such as the first and last registration time of the task, the command to be executed, the task name, author, and whether it is set as hidden or not. It is worth noting that schtasks.exe is commonly located in C:\Windows\system32 and C:\Windows\syswow64, and it loads the taskschd.dll DLL when launched. If this DLL is loaded by another process, it suggests that a scheduled task may be registered within that process’s context in memory. During the triage process, it is essential to identify the source of the scheduled task creation, whether it was initiated through schtasks.exe or TaskService. The analyst should review the task that was created, including the command to be executed. Additionally, any artifacts on disk related to the task should be captured and analyzed. It is also recommended to identify any parallel processes that occurred within the same timeframe to determine the source of the task creation. By conducting this triage process, security analysts can gain insights into potentiallymalicious or suspicious scheduled tasks, helping them identify the source and assess the impact of the task. This analytic is valuable for a Security Operations Center (SOC) as it can detect unauthorized or suspicious activity that could indicate an attacker’s attempt to establish persistence or execute unauthorized commands on the system.
Detection logic
`wineventlog_security` EventCode=4698 TaskContent IN ("*\\users\\public\\*", "*\\programdata\\*", "*\\temp\\*", "*\\Windows\\Tasks\\*", "*\\appdata\\*", "*\\perflogs\\*")
| stats count min(_time) as firstTime max(_time) as lastTime by Computer, TaskName, TaskContent
| rename Computer as dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `winevent_scheduled_task_created_within_public_path_filter`