LoFP / the main source of false positives could be the legitimate use of scheduled tasks from these directories. careful tuning of this search may be necessary to suit the specifics of your environment, reducing the rate of false positives.

Techniques

• T1053
• T1053.005

Sample rules

Suspicious Scheduled Task from Public Directory

• source: splunk
• technicques:
  • T1053.005
  • T1053

Description

The following analytic, “Suspicious Scheduled Task from Public Directory”, detects the registration of scheduled tasks aimed to execute a binary or script from public directories, a behavior often associated with malware deployment. It utilizes the Sysmon Event ID 1 data source, searching for instances where schtasks.exe is connected with the directories users\public, \programdata, or \windows\temp and involves the /create command. The registration of such scheduled tasks in public directories could suggest that an attacker is trying to maintain persistence or execute malicious scripts. If confirmed as a true positive, this could lead to data compromise, unauthorized access, and potential lateral movement within the network.

Detection logic

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe (Processes.process=*\\users\\public\\* OR Processes.process=*\\programdata\\* OR Processes.process=*windows\\temp*)  Processes.process=*/create* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `suspicious_scheduled_task_from_public_directory_filter`