Outbound Scheduled Task Activity via PowerShell

calendar Oct 15, 2024 · Domain: Endpoint OS: Windows Use Case: Threat Detection Tactic: Execution Data Source: Elastic Defend Data Source: Sysmon  ·
Share on: linkedin copy

Identifies the PowerShell process loading the Task Scheduler COM DLL followed by an outbound RPC network connection within a short time period. This may indicate lateral movement or remote discovery via scheduled tasks.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/12/15"
 3integration = ["endpoint", "windows"]
 4maturity = "production"
 5updated_date = "2024/10/15"
 6min_stack_version = "8.14.0"
 7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies the PowerShell process loading the Task Scheduler COM DLL followed by an outbound RPC network connection
13within a short time period. This may indicate lateral movement or remote discovery via scheduled tasks.
14"""
15false_positives = ["Legitimate scheduled tasks may be created during installation of new software."]
16from = "now-9m"
17index = [
18    "winlogbeat-*",
19    "logs-endpoint.events.library-*",
20    "logs-endpoint.events.network-*",
21    "logs-windows.sysmon_operational-*",
22]
23language = "eql"
24license = "Elastic License v2"
25name = "Outbound Scheduled Task Activity via PowerShell"
26references = [
27    "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/",
28    "https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language",
29]
30risk_score = 47
31rule_id = "5cd55388-a19c-47c7-8ec4-f41656c2fded"
32severity = "medium"
33tags = [
34    "Domain: Endpoint",
35    "OS: Windows",
36    "Use Case: Threat Detection",
37    "Tactic: Execution",
38    "Data Source: Elastic Defend",
39    "Data Source: Sysmon",
40]
41type = "eql"
42
43query = '''
44sequence by host.id, process.entity_id with maxspan = 5s
45 [any where host.os.type == "windows" and (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and
46  (?dll.name : "taskschd.dll" or file.name : "taskschd.dll") and process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe")]
47 [network where host.os.type == "windows" and process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and destination.port == 135 and not destination.address in ("127.0.0.1", "::1")]
48'''
49
50
51[[rule.threat]]
52framework = "MITRE ATT&CK"
53[[rule.threat.technique]]
54id = "T1053"
55name = "Scheduled Task/Job"
56reference = "https://attack.mitre.org/techniques/T1053/"
57[[rule.threat.technique.subtechnique]]
58id = "T1053.005"
59name = "Scheduled Task"
60reference = "https://attack.mitre.org/techniques/T1053/005/"
61
62
63[[rule.threat.technique]]
64id = "T1059"
65name = "Command and Scripting Interpreter"
66reference = "https://attack.mitre.org/techniques/T1059/"
67[[rule.threat.technique.subtechnique]]
68id = "T1059.001"
69name = "PowerShell"
70reference = "https://attack.mitre.org/techniques/T1059/001/"
71
72
73
74[rule.threat.tactic]
75id = "TA0002"
76name = "Execution"
77reference = "https://attack.mitre.org/tactics/TA0002/"

References

  • Dark Halo Leverages SolarWinds Compromise to Breach Organizations

    Volexity is releasing additional research and indicators associated with compromises impacting customers of the SolarWinds Orion software platform. Volexity has also published a guide for responding to the SolarWinds breach, and how to detect, prevent, and remediate this supply chain attack. On Sunday, December 13, 2020, FireEye released a blog detailing an alleged compromise to the company SolarWinds. This compromise involved a backdoor being distributed through an update to SolarWind's Orion software product. FireEye attributed this activity to an unknown threat actor it tracks as UNC2452. Volexity has subsequently been able to tie these attacks to multiple incidents it worked in late 2019 and 2020 at a US-based think tank. Volexity tracks this threat actor under the name Dark Halo. At one particular think tank, Volexity worked three separate incidents involving Dark Halo. In the initial incident, Volexity found multiple tools, backdoors, and malware implants that had allowed the attacker to remain undetected for […]


    Read More

  • Hunting for Lateral Movement using Event Query Language — Elastic Security Labs

    Elastic Event Query Language (EQL) correlation capabilities enable practitioners to capture complex behavior for adversary Lateral Movement techniques. Learn how to detect a variety of such techniques in this blog post.


    Read More

Related rules

to-top