Remote Scheduled Task Creation via RPC
Identifies scheduled task creation from a remote source. This could be indicative of adversary lateral movement.
Elastic rule (View on GitHub)
```toml
[metadata]
creation_date = "2022/08/29"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2024/10/15"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = "Identifies scheduled task creation from a remote source. This could be indicative of adversary lateral movement.\n"
from = "now-9m"
index = ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"]
language = "eql"
license = "Elastic License v2"
name = "Remote Scheduled Task Creation via RPC"
note = """## Triage and analysis

### Investigating Remote Scheduled Task Creation

[Scheduled tasks](https://docs.microsoft.com/en-us/windows/win32/taskschd/about-the-task-scheduler) are a common mechanism for persistence and program execution. They can be created remotely for a variety of legitimate reasons, but are also used by malware and adversaries moving laterally. When investigating scheduled tasks that were set up remotely, one of the first steps should be to determine the original intent behind the configuration and to verify whether the activity is tied to benign behavior such as software installation or network administrator work. A key objective for these alerts is to understand the action the task is configured to run. For this rule, that action is recorded in the TaskContent field of Windows Security event 4698 (A scheduled task was created) as Task Scheduler XML; the Actions element holds the command, arguments and working directory (or COM handler) that will execute. The rule treats a RpcCallClientLocality of 0 together with a ClientProcessId of 0 as the signature of a task registered over RPC from another host rather than by a local process.

#### Possible investigation steps

- Review the TaskContent value to identify the configured action (Exec command and arguments, or ComHandler class), its triggers, and the principal it runs as.
- Identify the originating host and account: correlate the SubjectLogonId of the 4698 event with the preceding network logon (event 4624, logon type 3) to obtain the source address.
- Validate that the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.
- Further examination should include review of host-based artifacts and network logs from around the time the scheduled task was created, on both the source and target machines.

### False positive analysis

- There is a high likelihood of benign activity, as remote scheduled task creation is a general Windows feature used by patch management, software deployment and administrative tooling. Gather context on the source host, the account used and the task's contents before deciding on intent.

### Related rules

- Service Command Lateral Movement - d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc
- Remotely Started Services via RPC - aa9a274d-6b53-424d-ac5e-cb8ca4251650
- Remote Scheduled Task Creation - 954ee7c8-5437-49ae-b2d6-2960883898e9

### Response and remediation

- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved host to prevent further post-compromise behavior.
- Remove the scheduled task and any other related artifacts.
- Review privileged account management and user account management settings. Consider implementing group policy object (GPO) policies to further restrict activity, or configuring settings that only allow administrators to create remote scheduled tasks.
"""
risk_score = 47
rule_id = "9c865691-5599-447a-bac9-b3f2df5f9a9d"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: System"]
timestamp_override = "event.ingested"
type = "eql"

query = '''
iam where event.action == "scheduled-task-created" and
 winlog.event_data.RpcCallClientLocality : "0" and winlog.event_data.ClientProcessId : "0"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"


[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1053"
name = "Scheduled Task/Job"
reference = "https://attack.mitre.org/techniques/T1053/"
[[rule.threat.technique.subtechnique]]
id = "T1053.005"
name = "Scheduled Task"
reference = "https://attack.mitre.org/techniques/T1053/005/"



[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
```
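The following is an added example, not Elastic's code or part of the rule: it applies the rule's two conditions to constructed, ECS-shaped 4698 events and then parses the TaskContent XML to pull out the configured action, which is what the triage steps ask an analyst to review. Field names (event.action, winlog.event_data.RpcCallClientLocality, ClientProcessId, TaskContent, SubjectLogonId) follow the Elastic System integration; the hostnames, users, task names and the task payload are made up, and the "scheduled-task-updated" action string used for the 4702 sample is an assumption.

```python
"""Replay the "Remote Scheduled Task Creation via RPC" logic over sample events
and extract the configured action from the 4698 TaskContent XML.
Added example; sample data is constructed, not real telemetry."""
import re
import xml.etree.ElementTree as ET

# Namespace of the Task Scheduler XML schema (fixed by Microsoft).
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed TaskContent as it appears in 4698: declares UTF-16 but is carried
# as text in the event, with the task's Actions element.
TASK_XML = (
    '<?xml version="1.0" encoding="UTF-16"?>'
    '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
    '<Actions Context="Author"><Exec><Command>cmd.exe</Command>'
    '<Arguments>/c powershell -enc AAAA</Arguments></Exec></Actions></Task>'
)


def make_event(action, locality, client_pid, task_name, content=TASK_XML):
    """Build an ECS-shaped Security event (constructed sample data).
    locality=None models an older Windows build that omits the RPC fields."""
    data = {
        "SubjectUserName": "jdoe", "SubjectDomainName": "CORP",
        "SubjectLogonId": "0x3e7a91", "TaskName": task_name, "TaskContent": content,
    }
    if locality is not None:
        data["RpcCallClientLocality"] = locality
        data["ClientProcessId"] = client_pid
    return {"event": {"category": ["iam"], "action": action},
            "host": {"name": "FILESRV01"},
            "winlog": {"event_data": data}}


SAMPLE_EVENTS = [
    # Registered over RPC from another host: both fields "0" -> rule fires.
    make_event("scheduled-task-created", "0", "0", "\\Maintenance\\Update"),
    # Created locally with schtasks.exe: locality "1", real client PID -> no alert.
    make_event("scheduled-task-created", "1", "4212", "\\Backup\\Nightly"),
    # Task updated (4702; action string assumed), not created -> outside the rule.
    make_event("scheduled-task-updated", "0", "0", "\\Maintenance\\Update"),
    # Older host that does not emit the RPC fields -> the rule cannot fire.
    make_event("scheduled-task-created", None, None, "\\Maintenance\\Update"),
]


def is_remote_task_creation(event):
    """Python equivalent of the rule's EQL: iam where event.action ==
    "scheduled-task-created" and RpcCallClientLocality : "0" and ClientProcessId : "0"."""
    ev = event.get("event", {})
    data = event.get("winlog", {}).get("event_data", {})
    return ("iam" in ev.get("category", [])
            and ev.get("action") == "scheduled-task-created"
            and data.get("RpcCallClientLocality") == "0"
            and data.get("ClientProcessId") == "0")


def task_actions(task_content):
    """Return the Exec / ComHandler actions from TaskContent. The XML declaration
    claims UTF-16 while we hold a str, and ElementTree refuses a str that declares
    a multi-byte encoding, so the declaration is stripped before parsing."""
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", task_content or "")
    if not body.strip():
        return []
    root = ET.fromstring(body)
    actions = []
    for exec_ in root.findall("t:Actions/t:Exec", TASK_NS):
        actions.append({
            "type": "Exec",
            "command": exec_.findtext("t:Command", default="", namespaces=TASK_NS),
            "arguments": exec_.findtext("t:Arguments", default="", namespaces=TASK_NS),
        })
    for com in root.findall("t:Actions/t:ComHandler", TASK_NS):
        actions.append({"type": "ComHandler",
                        "class_id": com.findtext("t:ClassId", default="", namespaces=TASK_NS)})
    return actions


def triage(events):
    """Alert rows an analyst would review: who, on which host, which task, doing what.
    SubjectLogonId is kept so the 4624 type-3 logon of the source can be looked up."""
    hits = []
    for ev in events:
        if not is_remote_task_creation(ev):
            continue
        d = ev["winlog"]["event_data"]
        hits.append({
            "host": ev["host"]["name"],
            "subject": f"{d.get('SubjectDomainName', '')}\\{d.get('SubjectUserName', '')}",
            "logon_id": d.get("SubjectLogonId"),
            "task_name": d.get("TaskName"),
            "actions": task_actions(d.get("TaskContent")),
        })
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

The fourth sample is the practical caveat: the rule keys on two fields that only newer Windows builds add to event 4698, so on hosts that do not populate RpcCallClientLocality and ClientProcessId the rule is silent even for genuinely remote registrations, and the "Remote Scheduled Task Creation" registry-based rule listed above is the fallback for them.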
Related rules
- Remote Windows Service Installed
- Scheduled Task Execution at Scale via GPO
- Suspicious Remote Registry Access via SeBackupPrivilege
- A scheduled task was created
- A scheduled task was updated