Outbound Scheduled Task Activity via PowerShell

Identifies the PowerShell process loading the Task Scheduler COM DLL followed by an outbound RPC network connection within a short time period. This may indicate lateral movement or remote discovery via scheduled tasks.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2020/12/15"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Identifies the PowerShell process loading the Task Scheduler COM DLL followed by an outbound RPC network connection
within a short time period. This may indicate lateral movement or remote discovery via scheduled tasks.
"""
false_positives = ["Legitimate scheduled tasks may be created during installation of new software."]
from = "now-9m"
index = [
    "winlogbeat-*",
    "logs-endpoint.events.library-*",
    "logs-endpoint.events.network-*",
    "logs-windows.sysmon_operational-*",
]
language = "eql"
license = "Elastic License v2"
name = "Outbound Scheduled Task Activity via PowerShell"
references = [
    "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/",
    "https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language",
]
risk_score = 47
rule_id = "5cd55388-a19c-47c7-8ec4-f41656c2fded"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Execution",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
    "Resources: Investigation Guide",
]
type = "eql"

query = '''
sequence by host.id, process.entity_id with maxspan = 5s
 [any where host.os.type == "windows" and (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and
  (?dll.name : "taskschd.dll" or file.name : "taskschd.dll") and process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe")]
 [network where host.os.type == "windows" and process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and destination.port == 135 and not destination.address in ("127.0.0.1", "::1")]
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Outbound Scheduled Task Activity via PowerShell

PowerShell, a powerful scripting language in Windows, can automate tasks via the Task Scheduler. Adversaries exploit this by creating scheduled tasks to execute malicious scripts, facilitating lateral movement or remote discovery. The detection rule identifies suspicious PowerShell activity by monitoring for the Task Scheduler DLL load and subsequent outbound RPC connections, signaling potential misuse.

### Possible investigation steps

- Review the alert details to identify the specific host.id and process.entity_id associated with the suspicious activity.
- Examine the process execution history on the affected host to determine if the PowerShell process (powershell.exe, pwsh.exe, or powershell_ise.exe) has executed any unexpected or unauthorized scripts.
- Check the network logs for the host to identify any unusual or unauthorized outbound RPC connections, particularly those targeting port 135, and verify if the destination addresses are legitimate and expected.
- Investigate the context of the taskschd.dll library load by reviewing recent scheduled tasks on the host to identify any newly created or modified tasks that could be linked to the alert.
- Correlate the alert with other security events or logs from the same host or network segment to identify any patterns or additional indicators of compromise that may suggest lateral movement or remote discovery attempts.

### False positive analysis

- Legitimate administrative tasks using PowerShell may trigger the rule if they involve loading the Task Scheduler DLL and making RPC connections. To manage this, identify and whitelist specific scripts or processes that are known to perform these actions regularly.
- Automated system maintenance or monitoring tools might also load the Task Scheduler DLL and establish RPC connections. Review these tools and exclude their process IDs or hashes from the detection rule to prevent false alerts.
- Software updates or installations that use PowerShell scripts could mimic the behavior detected by the rule. Monitor update schedules and temporarily disable the rule during these periods if necessary, or create exceptions for known update processes.
- Developers or IT staff using PowerShell for legitimate remote management tasks may inadvertently trigger the rule. Implement user-based exceptions for trusted personnel or restrict the rule to non-administrative accounts to reduce false positives.

### Response and remediation

- Isolate the affected host immediately from the network to prevent further lateral movement or data exfiltration.
- Terminate the suspicious PowerShell process identified in the alert to stop any ongoing malicious activity.
- Conduct a forensic analysis of the affected system to identify any additional malicious scheduled tasks or scripts and remove them.
- Review and clean up any unauthorized scheduled tasks created on the system to ensure no persistence mechanisms remain.
- Reset credentials for any accounts that were used or potentially compromised during the incident to prevent unauthorized access.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the scope of the attack.
- Implement enhanced monitoring for similar PowerShell and scheduled task activities across the network to detect and respond to future threats promptly."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1053"
name = "Scheduled Task/Job"
reference = "https://attack.mitre.org/techniques/T1053/"
[[rule.threat.technique.subtechnique]]
id = "T1053.005"
name = "Scheduled Task"
reference = "https://attack.mitre.org/techniques/T1053/005/"


[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"



[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

Triage and analysis

Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

Investigating Outbound Scheduled Task Activity via PowerShell

PowerShell can drive the Windows Task Scheduler through the Schedule.Service COM object, whose client code lives in taskschd.dll. When that object is connected to another computer instead of the local one, the call goes out over DCOM/RPC, so the PowerShell process first contacts the target's RPC endpoint mapper on TCP port 135. Adversaries use exactly this path to register or enumerate tasks on other hosts, which gives them lateral movement or remote discovery; the Dark Halo intrusion cited in the rule references is one documented case. The rule keys on that combination: a PowerShell host process (powershell.exe, pwsh.exe or powershell_ise.exe) loads taskschd.dll and, within 5 seconds, the same process opens an outbound connection to port 135 on a non-loopback address. Local task management can still touch the endpoint mapper over loopback, which is why 127.0.0.1 and ::1 are excluded; a connection to port 135 on another machine is the signal.

Possible investigation steps

  • Review the alert for host.id, process.entity_id, user.name, the PowerShell command line and parent process, and destination.address, which is the remote host the Task Scheduler client contacted.
  • Examine the process execution history on the source host to determine whether the PowerShell process (powershell.exe, pwsh.exe or powershell_ise.exe) ran an unexpected or unauthorized script. If script block logging is enabled, Microsoft-Windows-PowerShell/Operational event 4104 records the code; the pattern to look for is creation of the Schedule.Service COM object (New-Object -ComObject Schedule.Service) followed by a Connect() call naming a remote computer.
  • Check the host's network events for further outbound connections to port 135 from the same process; several distinct targets in a short window suggest remote task discovery or a lateral movement sweep rather than one-off administration, and each destination should be verified as a legitimate, expected target.
  • Pivot to the target host named in destination.address rather than only the source: look for tasks registered or modified around the alert time (Security event 4698 where scheduled-task auditing under Audit Other Object Access Events is enabled, Microsoft-Windows-TaskScheduler/Operational event 106 where that log is enabled, and task XML files under %SystemRoot%\System32\Tasks) and for a network logon (Security event 4624, logon type 3) from the source host with the same account.
  • Correlate with other security events from the same host, account or network segment (process creation, credential use, further scheduled task activity) to determine whether this is part of a broader lateral movement or discovery campaign.

False positive analysis

  • Legitimate administration with PowerShell triggers the rule whenever a script uses the Task Scheduler COM object against another host. Identify the scripts, hosts and accounts that do this routinely and add rule exceptions for them rather than disabling the detection.
  • Automated maintenance or monitoring tools may load taskschd.dll and contact remote hosts in the same way. Exclude them by a stable identifier such as process.executable path, code-signing subject or file hash, not by process ID, which changes on every run.
  • Software updates or installations that run PowerShell scripts can mimic the behavior. Prefer an exception scoped to the known installer's path or parent process over disabling the rule during maintenance windows, which leaves a gap an attacker can use.
  • Developers or IT staff doing remote management from PowerShell will also trigger the rule. Scope exceptions to named automation accounts or jump hosts rather than excluding all administrative accounts: adversary lateral movement almost always runs under a privileged account, so an exception covering administrators removes the cases the rule exists for.
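The following Python script is an added illustration, not Elastic's code: it replays the EQL sequence described under "Investigating Outbound Scheduled Task Activity via PowerShell" over constructed ECS-style events, and also shows the exception handling recommended above (suppressing a match on a vetted tool's hash instead of by process ID). Timestamps, host and process identifiers, addresses, the placeholder hash and the Sysmon event.action string are all assumptions made up for the demonstration; the field names and the match conditions come from the rule query on this page.

```python
"""Replay of the EQL sequence behind "Outbound Scheduled Task Activity via PowerShell"
over constructed events. Added illustration, not Elastic's implementation of EQL."""
from datetime import datetime, timedelta, timezone

# Values taken from the rule query above.
POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
LOOPBACK = {"127.0.0.1", "::1"}
MAXSPAN = timedelta(seconds=5)
RPC_ENDPOINT_MAPPER_PORT = 135


def is_taskschd_load(ev):
    """Step 1: taskschd.dll loaded into a PowerShell host. Accepts the Elastic Defend library
    event (dll.name) and the Sysmon image-load event (event.action starting "Image loaded",
    file.name). EQL ':' compares strings case-insensitively, so both sides are lowered."""
    if ev.get("host.os.type") != "windows" or ev.get("process.name", "").lower() not in POWERSHELL_HOSTS:
        return False
    cat, action = ev.get("event.category"), ev.get("event.action", "")
    if not (cat == "library" or (cat == "process" and action.lower().startswith("image loaded"))):
        return False
    name = ev.get("dll.name") or ev.get("file.name") or ""
    return name.lower() == "taskschd.dll"


def is_outbound_rpc(ev):
    """Step 2: the same PowerShell process connects to TCP/135 (the RPC endpoint mapper the
    Task Scheduler COM client contacts on a remote host), loopback excluded."""
    return (ev.get("event.category") == "network"
            and ev.get("host.os.type") == "windows"
            and ev.get("process.name", "").lower() in POWERSHELL_HOSTS
            and ev.get("destination.port") == RPC_ENDPOINT_MAPPER_PORT
            and ev.get("destination.address") not in LOOPBACK)


def match_sequence(events, exceptions=()):
    """Emulates `sequence by host.id, process.entity_id with maxspan = 5s [step1] [step2]`:
    step 2 must follow step 1 for the same join key within MAXSPAN (simplified: only the
    latest unmatched step-1 event per key is kept). `exceptions` is a tuple of (field, value)
    pairs; a match whose events carry such a value is suppressed, the way a rule exception on
    a vetted tool's hash would be."""
    pending = {}   # join key -> latest unmatched step-1 event
    alerts = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        key = (ev.get("host.id"), ev.get("process.entity_id"))
        if is_taskschd_load(ev):
            pending[key] = ev        # a newer load restarts the 5 s window
        elif is_outbound_rpc(ev) and key in pending:
            first = pending.pop(key)
            if ev["@timestamp"] - first["@timestamp"] > MAXSPAN:
                continue             # window expired: EQL would not join these two events
            if any(e.get(f) == v for e in (first, ev) for f, v in exceptions):
                continue             # suppressed by exception
            alerts.append({"host.id": key[0], "process.entity_id": key[1],
                           "process.name": ev["process.name"],
                           "destination.address": ev["destination.address"],
                           "span": ev["@timestamp"] - first["@timestamp"]})
    return alerts


T0 = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)   # constructed base time


def load_event(secs, host, entity, sysmon=False, **extra):
    """Constructed taskschd.dll load. sysmon=True mimics Sysmon event 7 as the Elastic Windows
    integration ships it (assumed event.action text); otherwise an Elastic Defend library event."""
    ev = {"@timestamp": T0 + timedelta(seconds=secs), "host.os.type": "windows",
          "host.id": host, "process.entity_id": entity, "process.name": "powershell.exe"}
    if sysmon:
        ev.update({"event.category": "process", "event.action": "Image loaded (rule: ImageLoad)",
                   "file.name": "taskschd.dll"})
    else:
        ev.update({"event.category": "library", "dll.name": "taskschd.dll"})
    ev.update(extra)
    return ev


def net_event(secs, host, entity, dst, port=135, **extra):
    """Constructed network connection event from a PowerShell process."""
    ev = {"@timestamp": T0 + timedelta(seconds=secs), "host.os.type": "windows",
          "host.id": host, "process.entity_id": entity, "process.name": "powershell.exe",
          "event.category": "network", "destination.address": dst, "destination.port": port}
    ev.update(extra)
    return ev


VETTED_TOOL_SHA256 = "deadbeef" * 8   # placeholder hash standing in for a vetted admin script host

SAMPLE_EVENTS = [
    # A: load, then TCP/135 to a remote host 1.2 s later -> alert (remote task scheduling pattern)
    load_event(0.0, "host-A", "ps-1"), net_event(1.2, "host-A", "ps-1", "10.0.0.25"),
    # B: loopback destination is excluded by the rule -> no alert
    load_event(0.0, "host-A", "ps-2"), net_event(0.5, "host-A", "ps-2", "127.0.0.1"),
    # C: connection 8 s after the load, outside maxspan -> no alert
    load_event(0.0, "host-A", "ps-3"), net_event(8.0, "host-A", "ps-3", "10.0.0.26"),
    # D: connection before the load; sequences are ordered -> no alert
    net_event(0.0, "host-B", "ps-4", "10.0.0.27"), load_event(1.0, "host-B", "ps-4"),
    # E: Sysmon-sourced load from the vetted tool; alerts unless its hash is excepted
    load_event(0.0, "host-B", "ps-5", sysmon=True, **{"process.hash.sha256": VETTED_TOOL_SHA256}),
    net_event(2.0, "host-B", "ps-5", "10.0.0.28", **{"process.hash.sha256": VETTED_TOOL_SHA256}),
    # F: same pattern but port 445, not the endpoint mapper -> no alert
    load_event(0.0, "host-B", "ps-6"), net_event(0.3, "host-B", "ps-6", "10.0.0.29", port=445),
]


def run_demo(apply_exception=False):
    """Returns the alerts the rule logic raises over SAMPLE_EVENTS, optionally with the
    hash-based exception from the false positive guidance applied."""
    exceptions = (("process.hash.sha256", VETTED_TOOL_SHA256),) if apply_exception else ()
    return match_sequence(SAMPLE_EVENTS, exceptions)


if __name__ == "__main__":
    for a in run_demo():
        print(f"ALERT {a['host.id']} {a['process.entity_id']} -> {a['destination.address']}:135 "
              f"after {a['span'].total_seconds():.1f}s")
```

Without the exception, scenarios A and E alert and the other four are rejected for the reasons the rule encodes (loopback, window expiry, ordering, wrong port); with the hash exception only A remains. Keep the exception keyed on the hash or signer, as here, rather than on anything that changes per run.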

Response and remediation

  • Isolate the affected host immediately from the network to prevent further lateral movement or data exfiltration.
  • Terminate the suspicious PowerShell process identified in the alert to stop any ongoing malicious activity.
  • Conduct a forensic analysis of the source host to identify the script that ran, any additional malicious scheduled tasks or payloads, and remove them.
  • Enumerate and remove unauthorized scheduled tasks on every target host the process contacted (the destination.address values), since tasks created through this technique live on the remote machine rather than the one that raised the alert.
  • Reset credentials for any accounts that were used or potentially compromised during the incident to prevent unauthorized access.
  • Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the scope of the attack.
  • Implement enhanced monitoring for similar PowerShell and scheduled task activities across the network to detect and respond to future threats promptly.
