Remote Scheduled Task Creation

  1[metadata]
  2creation_date = "2020/11/20"
  3integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
  4maturity = "production"
  5updated_date = "2026/05/04"
  6
  7[rule]
  8author = ["Elastic"]
  9description = "Identifies remote scheduled task creations on a target host. This could be indicative of adversary lateral movement."
 10from = "now-9m"
 11index = [
 12    "logs-endpoint.events.registry-*",
 13    "logs-endpoint.events.network-*",
 14    "winlogbeat-*",
 15    "logs-windows.sysmon_operational-*",
 16    "logs-sentinel_one_cloud_funnel.*",
 17]
 18language = "eql"
 19license = "Elastic License v2"
 20name = "Remote Scheduled Task Creation"
 21note = """## Triage and analysis
 22
 23### Investigating Remote Scheduled Task Creation
 24
 25[Scheduled tasks](https://docs.microsoft.com/en-us/windows/win32/taskschd/about-the-task-scheduler) are a great mechanism for persistence and program execution. These features can be used remotely for a variety of legitimate reasons, but at the same time used by malware and adversaries. When investigating scheduled tasks that were set up remotely, one of the first steps should be to determine the original intent behind the configuration and to verify if the activity is tied to benign behavior such as software installation or any kind of network administrator work. One objective for these alerts is to understand the configured action within the scheduled task. This is captured within the registry event data for this rule and can be base64 decoded to view the value.
 26
 27#### Possible investigation steps
 28
 29- Review the base64 encoded tasks actions registry value to investigate the task configured action.
 30- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.
 31- Further examination should include review of host-based artifacts and network logs from around when the scheduled task was created, on both the source and target machines.
 32
 33### False positive analysis
 34
 35- There is a high possibility of benign activity tied to the creation of remote scheduled tasks as it is a general feature within Windows and used for legitimate purposes for a wide range of activity. Any kind of context should be found to further understand the source of the activity and determine the intent based on the scheduled task's contents.
 36
 37### Related rules
 38
 39- Service Command Lateral Movement - d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc
 40- Remotely Started Services via RPC - aa9a274d-6b53-424d-ac5e-cb8ca4251650
 41
 42### Response and remediation
 43
 44- Initiate the incident response process based on the outcome of the triage.
 45- Isolate the involved host to prevent further post-compromise behavior.
 46- Remove scheduled task and any other related artifacts.
 47- Review privileged account management and user account management settings. Consider implementing group policy object (GPO) policies to further restrict activity, or configuring settings that only allow administrators to create remote scheduled tasks.
 48"""
 49
 50setup = """## Setup
 51
 52This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.
 53
 54Setup instructions: https://ela.st/install-elastic-defend
 55
 56### Additional data sources
 57
 58This rule also supports the following third-party data sources. For setup instructions, refer to the links below:
 59
 60- [SentinelOne Cloud Funnel](https://ela.st/sentinel-one-cloud-funnel)
 61- [Sysmon Event ID 3 - Network Connection](https://ela.st/sysmon-event-3-setup)
 62- [Sysmon Registry Events](https://ela.st/sysmon-event-reg-setup)
 63"""
 64
 65references = ["https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language"]
 66risk_score = 47
 67rule_id = "954ee7c8-5437-49ae-b2d6-2960883898e9"
 68severity = "medium"
 69tags = [
 70    "Domain: Endpoint",
 71    "OS: Windows",
 72    "Use Case: Threat Detection",
 73    "Tactic: Lateral Movement",
 74    "Resources: Investigation Guide",
 75    "Data Source: Elastic Defend",
 76    "Data Source: Sysmon",
 77    "Data Source: SentinelOne",
 78]
 79type = "eql"
 80
 81query = '''
 82/* Task Scheduler service incoming connection followed by TaskCache registry modification  */
 83
 84sequence by host.id, process.entity_id with maxspan = 1m
 85   [network where host.os.type == "windows" and process.name : "svchost.exe" and
 86   network.direction : ("incoming", "ingress") and source.port >= 49152 and destination.port >= 49152 and
 87   source.ip != "127.0.0.1" and source.ip != "::1" and source.ip != null
 88   ]
 89   [registry where host.os.type == "windows" and event.type == "change" and registry.value : "Actions" and
 90    registry.path : "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\*\\Actions"]
 91'''
 92
 93
 94[[rule.threat]]
 95framework = "MITRE ATT&CK"
 96[[rule.threat.technique]]
 97id = "T1021"
 98name = "Remote Services"
 99reference = "https://attack.mitre.org/techniques/T1021/"
100
101
102[rule.threat.tactic]
103id = "TA0008"
104name = "Lateral Movement"
105reference = "https://attack.mitre.org/tactics/TA0008/"
106[[rule.threat]]
107framework = "MITRE ATT&CK"
108[[rule.threat.technique]]
109id = "T1053"
110name = "Scheduled Task/Job"
111reference = "https://attack.mitre.org/techniques/T1053/"
112[[rule.threat.technique.subtechnique]]
113id = "T1053.005"
114name = "Scheduled Task"
115reference = "https://attack.mitre.org/techniques/T1053/005/"
116
117
118
119[rule.threat.tactic]
120id = "TA0002"
121name = "Execution"
122reference = "https://attack.mitre.org/tactics/TA0002/"