Techniques
Sample rules
Randomly Generated Scheduled Task Name
- source: splunk
- techniques:
- T1053
- T1053.005
Description
The following hunting analytic leverages Event ID 4698, "A scheduled task was created", to identify the creation of a Scheduled Task with a suspicious, high-entropy task name. To score the name it relies on the ut_shannon lookup from the URL Toolbox Splunk application. Red teams and adversaries alike may abuse the Task Scheduler to create and start a remote Scheduled Task and obtain remote code execution; tools such as Impacket (atexec.py) and CrackMapExec typically register a task with a random name on the victim host. This hunting analytic may help defenders identify Scheduled Tasks created as part of lateral movement. The entropy threshold (ut_shannon > 3) should be tuned by users: long, descriptive task names such as the built-in Microsoft task paths also score above 3, while a short random name with a repeated character can score just below it. The Command field can be used to determine whether the task has malicious intent.
Detection logic
`wineventlog_security` EventCode=4698
| xmlkv Message
| lookup ut_shannon_lookup word as Task_Name
| where ut_shannon > 3
| table _time, dest, Task_Name, ut_shannon, Command, Author, Enabled, Hidden
| `randomly_generated_scheduled_task_name_filter`
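As an added worked example (not the page's or Splunk's own code), the analytic above re-implemented in Python over constructed Event ID 4698 messages: a ut_shannon equivalent, an xmlkv-style extraction of the task XML fields, and the threshold filter. The message layout, task names, authors and commands are all constructed for illustration; the Impacket-style names follow the 8-random-letter pattern atexec.py uses, and the Arguments column is an extra triage field the SPL does not table.

```python
import math
import re
from collections import Counter
from xml.sax.saxutils import unescape

# Constructed sample Event ID 4698 messages (not real logs), in the rendered
# form the Security log exposes: a "Task Name:" line followed by the task XML.
SAMPLE_4698 = [
    # 1) Impacket atexec style: 8 random ASCII letters, cmd.exe with redirected output
    r"""A scheduled task was created.
Task Information:
    Task Name:     \cHkJjpQa
    Task Content:  <?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>WORKSTATION\Administrator</Author></RegistrationInfo>
  <Settings><Enabled>true</Enabled><Hidden>false</Hidden></Settings>
  <Actions Context="Author"><Exec><Command>cmd.exe</Command>
  <Arguments>/C whoami &gt; C:\Windows\Temp\cHkJjpQa.tmp 2&gt;&amp;1</Arguments></Exec></Actions>
</Task>""",
    # 2) Built-in Windows task: long descriptive path with many distinct characters
    r"""A scheduled task was created.
Task Information:
    Task Name:     \Microsoft\Windows\Defrag\ScheduledDefrag
    Task Content:  <?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>Microsoft Corporation</Author></RegistrationInfo>
  <Settings><Enabled>true</Enabled><Hidden>false</Hidden></Settings>
  <Actions Context="Author"><Exec><Command>%windir%\system32\defrag.exe</Command>
  <Arguments>-c -h -o -$</Arguments></Exec></Actions>
</Task>""",
    # 3) Admin-created task with a short meaningful name
    r"""A scheduled task was created.
Task Information:
    Task Name:     \Backup
    Task Content:  <?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>CORP\jsmith</Author></RegistrationInfo>
  <Settings><Enabled>true</Enabled><Hidden>false</Hidden></Settings>
  <Actions Context="Author"><Exec><Command>C:\Scripts\backup.bat</Command>
  <Arguments>/full</Arguments></Exec></Actions>
</Task>""",
    # 4) Same random style as 1), but one letter repeats (G appears twice)
    r"""A scheduled task was created.
Task Information:
    Task Name:     \GtRqGwmx
    Task Content:  <?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>WORKSTATION\Administrator</Author></RegistrationInfo>
  <Settings><Enabled>true</Enabled><Hidden>false</Hidden></Settings>
  <Actions Context="Author"><Exec><Command>cmd.exe</Command>
  <Arguments>/C whoami &gt; C:\Windows\Temp\GtRqGwmx.tmp 2&gt;&amp;1</Arguments></Exec></Actions>
</Task>""",
]

# The columns the SPL `table` command emits, plus Arguments for triage.
COLUMNS = ("Task_Name", "ut_shannon", "Command", "Arguments", "Author", "Enabled", "Hidden")


def shannon_entropy(word: str) -> float:
    """Base-2 Shannon entropy of the character distribution of `word`, the
    measure URL Toolbox's ut_shannon lookup returns (0 for an empty string)."""
    if not word:
        return 0.0
    n = len(word)
    return -sum(c / n * math.log2(c / n) for c in Counter(word).values())


def parse_4698(message: str) -> dict:
    """Extract Task_Name from the 'Task Name:' line and, like `xmlkv Message`,
    every simple <tag>text</tag> pair from the embedded task XML."""
    fields = {}
    m = re.search(r"Task Name:[ \t]*(.+)", message)
    fields["Task_Name"] = m.group(1).strip() if m else ""
    for tag, text in re.findall(r"<(\w+)>([^<]*)</\1>", message):
        fields[tag] = unescape(text)  # &gt; &amp; back to > &
    return fields


def hunt(messages, threshold: float = 3.0) -> list:
    """Emulate the detection logic: score each Task_Name with ut_shannon,
    keep events above the threshold, and return the triage columns."""
    rows = []
    for msg in messages:
        f = parse_4698(msg)
        score = shannon_entropy(f["Task_Name"])
        if score > threshold:          # same comparison as `where ut_shannon > 3`
            f["ut_shannon"] = round(score, 3)
            rows.append({col: f.get(col) for col in COLUMNS})
    return rows


if __name__ == "__main__":
    for row in hunt(SAMPLE_4698):
        print(row)
    # Sample 4 is random but scores just under 3 because of the repeated letter.
    print(round(shannon_entropy(r"\GtRqGwmx"), 3))
```

At the default threshold the hunt returns samples 1 and 2: the Impacket-style name scores log2(9) ≈ 3.17, but the built-in Defrag task scores well above 3 simply because a long path contains many distinct characters, which is why the filter macro and the Command column matter for triage. Sample 4 is equally random yet scores ≈ 2.95 and is missed, so when tuning the threshold consider pairing the entropy score with the name length (short names with high entropy) rather than lowering it alone.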