Techniques
Sample rules
Schtasks scheduling job on remote system
- source: splunk
- technicques:
- T1053.005
- T1053
Description
The following analytic is designed to detect suspicious command-line arguments executed through ‘schtasks.exe’ to create a scheduled task on a remote endpoint. The analytic scans process data, checking for instances where ‘schtasks.exe’ has been used with specific command-line flags that suggest an attempt at lateral movement or remote code execution, common techniques employed by adversaries and red teams. Key data points include the process name, the specific command line used, the parent process name, the target destination, and the user involved. Also, timestamp data gives context to when these activities occurred.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = schtasks.exe OR Processes.original_file_name=schtasks.exe) (Processes.process="*/create*" AND Processes.process="*/s*") by Processes.process_name Processes.process Processes.parent_process_name Processes.dest Processes.user
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `schtasks_scheduling_job_on_remote_system_filter`