Outbound Scheduled Task Activity via PowerShell
Identifies the PowerShell process loading the Task Scheduler COM DLL followed by an outbound RPC network connection within a short time period. This may indicate lateral movement or remote discovery via scheduled tasks.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/12/15"
3integration = ["endpoint", "windows"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies the PowerShell process loading the Task Scheduler COM DLL followed by an outbound RPC network connection
11within a short time period. This may indicate lateral movement or remote discovery via scheduled tasks.
12"""
13false_positives = ["Legitimate scheduled tasks may be created during installation of new software."]
14from = "now-9m"
15index = [
16 "winlogbeat-*",
17 "logs-endpoint.events.library-*",
18 "logs-endpoint.events.network-*",
19 "logs-windows.sysmon_operational-*",
20]
21language = "eql"
22license = "Elastic License v2"
23name = "Outbound Scheduled Task Activity via PowerShell"
24references = [
25 "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/",
26]
27risk_score = 47
28rule_id = "5cd55388-a19c-47c7-8ec4-f41656c2fded"
29severity = "medium"
30tags = [
31 "Domain: Endpoint",
32 "OS: Windows",
33 "Use Case: Threat Detection",
34 "Tactic: Execution",
35 "Data Source: Elastic Defend",
36 "Data Source: Sysmon",
37]
38type = "eql"
39
40query = '''
41sequence by host.id, process.entity_id with maxspan = 5s
42 [any where host.os.type == "windows" and (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and
43 (?dll.name : "taskschd.dll" or file.name : "taskschd.dll") and process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe")]
44 [network where host.os.type == "windows" and process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and destination.port == 135 and not destination.address in ("127.0.0.1", "::1")]
45'''
46
47
48[[rule.threat]]
49framework = "MITRE ATT&CK"
50[[rule.threat.technique]]
51id = "T1053"
52name = "Scheduled Task/Job"
53reference = "https://attack.mitre.org/techniques/T1053/"
54[[rule.threat.technique.subtechnique]]
55id = "T1053.005"
56name = "Scheduled Task"
57reference = "https://attack.mitre.org/techniques/T1053/005/"
58
59
60[[rule.threat.technique]]
61id = "T1059"
62name = "Command and Scripting Interpreter"
63reference = "https://attack.mitre.org/techniques/T1059/"
64[[rule.threat.technique.subtechnique]]
65id = "T1059.001"
66name = "PowerShell"
67reference = "https://attack.mitre.org/techniques/T1059/001/"
68
69
70
71[rule.threat.tactic]
72id = "TA0002"
73name = "Execution"
74reference = "https://attack.mitre.org/tactics/TA0002/"
References
Related rules
- Command Prompt Network Connection
- Command Shell Activity Started via RunDLL32
- Conhost Spawned By Suspicious Parent Process
- Execution of File Written or Modified by PDF Reader
- Execution via local SxS Shared Module