Techniques
Sample rules
Windows PowerShell WMI Win32 ScheduledJob
- source: splunk
- techniques:
- T1059.001
- T1059
Description
The following analytic detects references to the Win32_ScheduledJob WMI class in PowerShell script block logging (event code 4104, matched on the ScriptBlockText field). Win32_ScheduledJob creates and manages AT-style scheduled jobs. On Windows Vista and later the class is disabled by default because of its security history; it only works after an administrator (or an attacker) sets the EnableAt value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Configuration to 1. Any script block that touches the class is therefore worth triage, and a hit that follows a change to that registry value is a strong indicator of hands-on attacker activity. If confirmed malicious, the activity gives the attacker persistence through a scheduled job that runs an arbitrary command. The search depends on script block logging being enabled on the endpoints and shipped to Splunk; long scripts are logged as several 4104 fragments, so the class name may appear in only one of them. Legitimate inventory or administration scripts that query the class should be tuned out through the filter macro rather than by weakening the match.
Detection logic
`powershell` EventCode=4104 ScriptBlockText="*win32_scheduledjob*"
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID
| rename Computer as dest
| rename UserID as user
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_powershell_wmi_win32_scheduledjob_filter`
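The following is an added example, not Splunk's or the rule author's code: a Python emulation of the search above run over a handful of constructed 4104 events, so the behaviour of each pipeline stage can be checked offline. It shows three things the SPL alone does not make obvious: the wildcard match on ScriptBlockText is case-insensitive (an upper-cased WIN32_SCHEDULEDJOB still hits), repeated runs of the same block by the same user collapse into one row with count/firstTime/lastTime, and a 4103 module-logging event with the same text is excluded by the EventCode clause. The `inventory_script_filter` predicate stands in for the `windows_powershell_wmi_win32_scheduledjob_filter` macro and is hypothetical; the hostnames, usernames and script text are constructed sample data.

```python
"""Added example (not Splunk's or the rule author's code): emulate the
4104 search above over constructed PowerShell script block events."""
from datetime import datetime

# Constructed sample events, shaped like the Splunk `powershell` sourcetype
# fields the search uses. None of this is real telemetry.
SAMPLE_EVENTS = [
    {"_time": "2024-05-01T09:00:00+00:00", "EventCode": 4104,
     "ScriptBlockText": "Get-CimInstance -ClassName Win32_ScheduledJob",
     "Computer": "ws01.corp.example", "UserID": "CORP\\jdoe"},
    # Same block run again by the same user: aggregates into one row, count=2.
    {"_time": "2024-05-01T09:05:00+00:00", "EventCode": 4104,
     "ScriptBlockText": "Get-CimInstance -ClassName Win32_ScheduledJob",
     "Computer": "ws01.corp.example", "UserID": "CORP\\jdoe"},
    # Upper-case class name: Splunk wildcard matches on field values are
    # case-insensitive, so this must still hit.
    {"_time": "2024-05-01T10:00:00+00:00", "EventCode": 4104,
     "ScriptBlockText": "$j = [wmiclass]'WIN32_SCHEDULEDJOB'",
     "Computer": "srv02.corp.example", "UserID": "CORP\\svc_backup"},
    # Benign scheduled-task cmdlet that does not reference the WMI class.
    {"_time": "2024-05-01T10:01:00+00:00", "EventCode": 4104,
     "ScriptBlockText": "Get-ScheduledTask | Where-Object State -eq 'Ready'",
     "Computer": "ws01.corp.example", "UserID": "CORP\\jdoe"},
    # Right text, wrong event code (4103 module logging): excluded.
    {"_time": "2024-05-01T10:02:00+00:00", "EventCode": 4103,
     "ScriptBlockText": "Get-CimInstance -ClassName Win32_ScheduledJob",
     "Computer": "ws01.corp.example", "UserID": "CORP\\jdoe"},
]

NEEDLE = "win32_scheduledjob"
CTIME_FMT = "%Y-%m-%dT%H:%M:%S"  # the format `security_content_ctime` renders


def matches(event):
    """The base search: EventCode=4104 ScriptBlockText="*win32_scheduledjob*"."""
    return (event.get("EventCode") == 4104
            and NEEDLE in str(event.get("ScriptBlockText", "")).lower())


def run_detection(events, suppress=None):
    """Return rows equivalent to the SPL pipeline: one row per distinct
    (EventCode, ScriptBlockText, dest, user) with count/firstTime/lastTime.
    `suppress` stands in for the `..._filter` macro: rows for which it returns
    True are dropped, which is how site-specific allow-listing is applied."""
    agg = {}
    for ev in events:
        if not matches(ev):
            continue
        key = (ev["EventCode"], ev["ScriptBlockText"], ev["Computer"], ev["UserID"])
        t = datetime.fromisoformat(ev["_time"])
        row = agg.setdefault(key, {"count": 0, "first": t, "last": t})
        row["count"] += 1
        row["first"] = min(row["first"], t)
        row["last"] = max(row["last"], t)

    rows = [
        {"EventCode": code, "ScriptBlockText": text, "dest": dest, "user": user,
         "count": r["count"],
         "firstTime": r["first"].strftime(CTIME_FMT),
         "lastTime": r["last"].strftime(CTIME_FMT)}
        for (code, text, dest, user), r in agg.items()
    ]
    if suppress is not None:
        rows = [row for row in rows if not suppress(row)]
    return sorted(rows, key=lambda row: row["firstTime"])


def inventory_script_filter(row):
    """Hypothetical tuning rule: a known read-only inventory query is not worth
    an alert. Anything beyond enumerating the class (a [wmiclass] binding, a
    .Create call) still fires."""
    return row["ScriptBlockText"].startswith(
        "Get-CimInstance -ClassName Win32_ScheduledJob")


if __name__ == "__main__":
    for row in run_detection(SAMPLE_EVENTS):
        print(row)
    print("after tuning:")
    for row in run_detection(SAMPLE_EVENTS, suppress=inventory_script_filter):
        print(row)
```

Because the aggregation key includes the full ScriptBlockText, every distinct script text produces its own row; the filter predicate is the right place to suppress a known benign text, and it should match the whole block rather than the class name so that a [wmiclass] binding or a .Create call in the same fragment is never tuned out.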