Techniques
Sample rules
Outbound Scheduled Task Activity via PowerShell
- source: elastic
- technicques:
- T1053
- T1059
Description
Identifies the PowerShell process loading the Task Scheduler COM DLL followed by an outbound RPC network connection within a short time period. This may indicate lateral movement or remote discovery via scheduled tasks.
Detection logic
sequence by host.id, process.entity_id with maxspan = 5s
[any where host.os.type == "windows" and (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and
(?dll.name : "taskschd.dll" or file.name : "taskschd.dll") and process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe")]
[network where host.os.type == "windows" and process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and destination.port == 135 and not destination.address in ("127.0.0.1", "::1")]
Persistence via a Windows Installer
- source: elastic
- technicques:
- T1053
- T1218
Description
Identifies when the Windows installer process msiexec.exe creates a new persistence entry via scheduled tasks or startup.
Detection logic
any where host.os.type == "windows" and
(process.name : "msiexec.exe" or Effective_process.name : "msiexec.exe") and
(
(event.category == "file" and event.action == "creation" and
file.path : ("?:\\Windows\\System32\\Tasks\\*",
"?:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\*",
"?:\\Users\\*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*")) or
(event.category == "registry" and event.action == "modification" and
registry.path : ("H*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
"H*\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
"H*\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\*",
"H*\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\*"))
)
Temporarily Scheduled Task Creation
- source: elastic
- technicques:
- T1053
Description
Indicates the creation and deletion of a scheduled task within a short time interval. Adversaries can use these to proxy malicious execution via the schedule service and perform clean up.
Detection logic
sequence by winlog.computer_name, winlog.event_data.TaskName with maxspan=5m
[iam where event.action == "scheduled-task-created" and not user.name : "*$"]
[iam where event.action == "scheduled-task-deleted" and not user.name : "*$"]
Unusual Scheduled Task Update
- source: elastic
- technicques:
- T1053
Description
Identifies first-time modifications to scheduled tasks by user accounts, excluding system activity and machine accounts.
Detection logic
event.category: "iam" and event.code: "4702" and
not winlog.event_data.SubjectUserSid: ("S-1-5-18" or "S-1-5-19" or "S-1-5-20") and
not user.name : *$
A scheduled task was created
- source: elastic
- technicques:
- T1053
Description
Indicates the creation of a scheduled task using Windows event logs. Adversaries can use these to establish persistence, move laterally, and/or escalate privileges.
Detection logic
iam where event.action == "scheduled-task-created" and
/* excluding tasks created by the computer account */
not user.name : "*$" and
/* TaskContent is not parsed, exclude by full taskname noisy ones */
not winlog.event_data.TaskName : (
"\\CreateExplorerShellUnelevatedTask",
"\\Hewlett-Packard\\HPDeviceCheck",
"\\Hewlett-Packard\\HP Support Assistant\\WarrantyChecker",
"\\Hewlett-Packard\\HP Support Assistant\\WarrantyChecker_backup",
"\\Hewlett-Packard\\HP Web Products Detection",
"\\Microsoft\\VisualStudio\\Updates\\BackgroundDownload",
"\\OneDrive Standalone Update Task-S-1-5-21*",
"\\OneDrive Standalone Update Task-S-1-12-1-*"
)
Scheduled Task Created by a Windows Script
- source: elastic
- technicques:
- T1053
- T1059
Description
A scheduled task was created by a Windows script via cscript.exe, wscript.exe or powershell.exe. This can be abused by an adversary to establish persistence.
Detection logic
sequence by host.id with maxspan = 30s
[any where host.os.type == "windows" and
(event.category : ("library", "driver") or (event.category == "process" and event.action : "Image loaded*")) and
(?dll.name : "taskschd.dll" or file.name : "taskschd.dll") and
process.name : ("cscript.exe", "wscript.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe")]
[registry where host.os.type == "windows" and event.type == "change" and registry.value : "Actions" and
registry.path : (
"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\*\\Actions",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\*\\Actions"
)]
Local Scheduled Task Creation
- source: elastic
- technicques:
- T1053
Description
Indicates the creation of a scheduled task. Adversaries can use these to establish persistence, move laterally, and/or escalate privileges.
Detection logic
sequence with maxspan=1m
[process where host.os.type == "windows" and event.type == "start" and
((process.name : ("cmd.exe", "wscript.exe", "rundll32.exe", "regsvr32.exe", "wmic.exe", "mshta.exe",
"powershell.exe", "pwsh.exe", "powershell_ise.exe", "WmiPrvSe.exe", "wsmprovhost.exe", "winrshost.exe") or
process.pe.original_file_name : ("cmd.exe", "wscript.exe", "rundll32.exe", "regsvr32.exe", "wmic.exe", "mshta.exe",
"powershell.exe", "pwsh.dll", "powershell_ise.exe", "WmiPrvSe.exe", "wsmprovhost.exe",
"winrshost.exe")) or
?process.code_signature.trusted == false)] by process.entity_id
[process where host.os.type == "windows" and event.type == "start" and
(process.name : "schtasks.exe" or process.pe.original_file_name == "schtasks.exe") and
process.args : ("/create", "-create") and process.args : ("/RU", "/SC", "/TN", "/TR", "/F", "/XML") and
/* exclude SYSTEM Integrity Level - look for task creations by non-SYSTEM user */
not (?process.Ext.token.integrity_level_name : "System" or ?winlog.event_data.IntegrityLevel : "System")
] by process.parent.entity_id