LoFP / the main source of false positives could be the legitimate use of scheduled tasks from these directories. careful tuning of this search may be necessary to suit the specifics of your environment, reducing the rate of false positives.

Techniques

• T1053
• T1053.005

Sample rules

Suspicious Scheduled Task from Public Directory

• source: splunk
• technicques:
  • T1053.005
  • T1053

Description

The following analytic identifies the creation of scheduled tasks that execute binaries or scripts from public directories, such as users\public, \programdata, or \windows\temp, using schtasks.exe with the /create command. It leverages Sysmon Event ID 1 data to detect this behavior. This activity is significant because it often indicates an attempt to maintain persistence or execute malicious scripts, which are common tactics in malware deployment. If confirmed as malicious, this could lead to data compromise, unauthorized access, and potential lateral movement within the network.

Detection logic

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe (Processes.process=*\\users\\public\\* OR Processes.process=*\\programdata\\* OR Processes.process=*windows\\temp*)  Processes.process=*/create* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `suspicious_scheduled_task_from_public_directory_filter`