Techniques
Sample rules
A scheduled task was updated
- source: elastic
- techniques:
- T1053
Description
Indicates the update of a scheduled task using Windows event logs. Adversaries can use these to establish persistence by changing the configuration of a legitimate scheduled task. Some changes, such as disabling or enabling a scheduled task, are common and may generate noise.
Detection logic
iam where event.action == "scheduled-task-updated" and
/* excluding tasks created by the computer account */
not user.name : "*$" and
not winlog.event_data.TaskName : "*Microsoft*" and
not winlog.event_data.TaskName :
("\\User_Feed_Synchronization-*",
"\\OneDrive Reporting Task-S-1-5-21*",
"\\OneDrive Reporting Task-S-1-12-1-*",
"\\Hewlett-Packard\\HP Web Products Detection",
"\\Hewlett-Packard\\HPDeviceCheck",
"\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant",
"\\IpamDnsProvisioning",
"\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantAllUsersRun",
"\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun",
"\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun",
"\\Microsoft\\Windows\\.NET Framework\\.NET Framework NGEN v*",
"\\Microsoft\\VisualStudio\\Updates\\BackgroundDownload") and
not winlog.event_data.SubjectUserSid : ("S-1-5-18", "S-1-5-19", "S-1-5-20")
Temporarily Scheduled Task Creation
- source: elastic
- techniques:
- T1053
Description
Indicates the creation and deletion of a scheduled task within a short time interval. Adversaries can use this pattern to proxy malicious execution through the Task Scheduler service and then clean up after themselves.
Detection logic
sequence by winlog.computer_name, winlog.event_data.TaskName with maxspan=5m
[iam where event.action == "scheduled-task-created" and not user.name : "*$"]
[iam where event.action == "scheduled-task-deleted" and not user.name : "*$"]
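The sequence above re-implemented as a small stand-alone correlator, as an added example that is not part of the Elastic rule set: events are paired by (winlog.computer_name, TaskName), computer accounts ("*$") are excluded, and only create-then-delete pairs inside the 5-minute maxspan fire. The event records are constructed for illustration and use flattened field names rather than real winlog telemetry.

```python
from datetime import datetime, timedelta

MAXSPAN = timedelta(minutes=5)  # mirrors `with maxspan=5m` in the EQL rule


def ev(ts, host, action, user, task):
    """Build a constructed, flattened event (not real telemetry)."""
    return {"@timestamp": ts, "winlog.computer_name": host,
            "event.action": action, "user.name": user, "TaskName": task}


# Constructed sample events: one true positive, one pair outside maxspan,
# and one pair performed by a computer account that the rule excludes.
EVENTS = [
    ev("2024-01-10T09:00:00", "WS01", "scheduled-task-created", "alice", "\\Updater"),
    ev("2024-01-10T09:02:30", "WS01", "scheduled-task-deleted", "alice", "\\Updater"),
    ev("2024-01-10T09:10:00", "WS02", "scheduled-task-created", "bob", "\\Backup"),
    ev("2024-01-10T09:20:00", "WS02", "scheduled-task-deleted", "bob", "\\Backup"),
    ev("2024-01-10T09:30:00", "WS03", "scheduled-task-created", "WS03$", "\\Sync"),
    ev("2024-01-10T09:31:00", "WS03", "scheduled-task-deleted", "WS03$", "\\Sync"),
]


def _ts(e):
    return datetime.fromisoformat(e["@timestamp"])


def in_scope(e):
    # `not user.name : "*$"` -- tasks touched by the computer account are noise here
    return not e["user.name"].endswith("$")


def detect(events, maxspan=MAXSPAN):
    """Return (computer, task, created_at, deleted_at) for every create->delete
    pair on the same host and task name that completes within maxspan."""
    pending = {}  # (computer, task) -> timestamp of the latest in-scope creation
    hits = []
    for e in sorted(events, key=_ts):
        if not in_scope(e):
            continue
        key = (e["winlog.computer_name"], e["TaskName"])
        if e["event.action"] == "scheduled-task-created":
            pending[key] = _ts(e)
        elif e["event.action"] == "scheduled-task-deleted" and key in pending:
            created = pending.pop(key)
            if _ts(e) - created <= maxspan:
                hits.append((*key, created.isoformat(), e["@timestamp"]))
    return hits


if __name__ == "__main__":
    for hit in detect(EVENTS):
        print("ALERT temporarily scheduled task:", hit)
```

Widening maxspan (for example `detect(EVENTS, MAXSPAN * 6)`) shows how the WS02 pair becomes a hit while the computer-account pair on WS03 stays excluded regardless of the window.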
Scheduled Task Created by a Windows Script
- source: elastic
- techniques:
- T1053
- T1059
Description
A scheduled task was created by a Windows script via cscript.exe, wscript.exe or powershell.exe. This can be abused by an adversary to establish persistence.
Detection logic
sequence by host.id with maxspan = 30s
[any where host.os.type == "windows" and
(event.category : ("library", "driver") or (event.category == "process" and event.action : "Image loaded*")) and
(?dll.name : "taskschd.dll" or file.name : "taskschd.dll") and
process.name : ("cscript.exe", "wscript.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe")]
[registry where host.os.type == "windows" and registry.path : (
"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\*\\Actions",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\*\\Actions")]
A scheduled task was created
- source: elastic
- techniques:
- T1053
Description
Indicates the creation of a scheduled task using Windows event logs. Adversaries can use these to establish persistence, move laterally, and/or escalate privileges.
Detection logic
iam where event.action == "scheduled-task-created" and
/* excluding tasks created by the computer account */
not user.name : "*$" and
/* TaskContent is not parsed, exclude by full taskname noisy ones */
not winlog.event_data.TaskName : (
"\\CreateExplorerShellUnelevatedTask",
"\\Hewlett-Packard\\HPDeviceCheck",
"\\Hewlett-Packard\\HP Support Assistant\\WarrantyChecker",
"\\Hewlett-Packard\\HP Support Assistant\\WarrantyChecker_backup",
"\\Hewlett-Packard\\HP Web Products Detection",
"\\Microsoft\\VisualStudio\\Updates\\BackgroundDownload",
"\\OneDrive Standalone Update Task-S-1-5-21*",
"\\OneDrive Standalone Update Task-S-1-12-1-*"
)
Local Scheduled Task Creation
- source: elastic
- techniques:
- T1053
Description
Indicates the creation of a scheduled task. Adversaries can use these to establish persistence, move laterally, and/or escalate privileges.
Detection logic
sequence with maxspan=1m
[process where host.os.type == "windows" and event.type != "end" and
((process.name : ("cmd.exe", "wscript.exe", "rundll32.exe", "regsvr32.exe", "wmic.exe", "mshta.exe",
"powershell.exe", "pwsh.exe", "powershell_ise.exe", "WmiPrvSe.exe", "wsmprovhost.exe", "winrshost.exe") or
process.pe.original_file_name : ("cmd.exe", "wscript.exe", "rundll32.exe", "regsvr32.exe", "wmic.exe", "mshta.exe",
"powershell.exe", "pwsh.dll", "powershell_ise.exe", "WmiPrvSe.exe", "wsmprovhost.exe",
"winrshost.exe")) or
?process.code_signature.trusted == false)] by process.entity_id
[process where host.os.type == "windows" and event.type == "start" and
(process.name : "schtasks.exe" or process.pe.original_file_name == "schtasks.exe") and
process.args : ("/create", "-create") and process.args : ("/RU", "/SC", "/TN", "/TR", "/F", "/XML") and
/* exclude SYSTEM Integrity Level - look for task creations by non-SYSTEM user */
not (?process.Ext.token.integrity_level_name : "System" or ?winlog.event_data.IntegrityLevel : "System")
] by process.parent.entity_id
Outbound Scheduled Task Activity via PowerShell
- source: elastic
- techniques:
- T1053
- T1059
Description
Identifies the PowerShell process loading the Task Scheduler COM DLL followed by an outbound RPC network connection within a short time period. This may indicate lateral movement or remote discovery via scheduled tasks.
Detection logic
sequence by host.id, process.entity_id with maxspan = 5s
[any where host.os.type == "windows" and (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and
(?dll.name : "taskschd.dll" or file.name : "taskschd.dll") and process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe")]
[network where host.os.type == "windows" and process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and destination.port == 135 and not destination.address in ("127.0.0.1", "::1")]