Persistence via Scheduled Job Creation
A job can be used to schedule programs or scripts to be executed at a specified date and time. Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2021/03/15"
integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
maturity = "production"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
min_stack_version = "8.14.0"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
A job can be used to schedule programs or scripts to be executed at a specified date and time. Adversaries may abuse
task scheduling functionality to facilitate initial or recurring execution of malicious code.
"""
false_positives = ["Legitimate scheduled jobs may be created during installation of new software."]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"]
language = "eql"
license = "Elastic License v2"
name = "Persistence via Scheduled Job Creation"
risk_score = 47
rule_id = "1327384f-00f3-44d5-9a8c-2373ba071e92"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "eql"

query = '''
file where host.os.type == "windows" and event.type != "deletion" and
  file.path : "?:\\Windows\\Tasks\\*" and file.extension : "job" and
  not (
    (
      process.executable : "?:\\Program Files\\CCleaner\\CCleaner64.exe" and
      file.path : "?:\\Windows\\Tasks\\CCleanerCrashReporting.job"
    ) or
    (
      process.executable : (
        "?:\\Program Files (x86)\\ManageEngine\\UEMS_Agent\\bin\\dcagentregister.exe",
        "?:\\Program Files (x86)\\DesktopCentral_Agent\\bin\\dcagentregister.exe"
      ) and
      file.path : "?:\\Windows\\Tasks\\DCAgentUpdater.job"
    )
  )
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Persistence via Scheduled Job Creation

Scheduled jobs in Windows environments allow tasks to be automated by executing scripts or programs at specified times. Adversaries exploit this feature to maintain persistence by scheduling malicious code execution. The detection rule identifies suspicious job creation by monitoring specific file paths and extensions, excluding known legitimate processes, to flag potential abuse while minimizing false positives.

### Possible investigation steps

- Review the file path and extension to confirm the presence of a scheduled job in the "?:\\Windows\\Tasks\\" directory with a ".job" extension, which is indicative of a scheduled task.
- Examine the process executable path to determine if the job creation is associated with any known legitimate processes, such as CCleaner or ManageEngine, which are excluded in the detection rule.
- Investigate the origin of the process that created the scheduled job by checking the process execution history and command line arguments to identify any potentially malicious behavior.
- Analyze the scheduled job's content and associated scripts or programs to identify any suspicious or unauthorized code that may indicate malicious intent.
- Correlate the event with other security logs and alerts from data sources like Elastic Endgame, Sysmon, or Microsoft Defender for Endpoint to gather additional context and identify any related malicious activity.
- Assess the risk and impact of the scheduled job by determining if it aligns with known adversary tactics, techniques, and procedures (TTPs) related to persistence, as outlined in the MITRE ATT&CK framework.

### False positive analysis

- Scheduled jobs created by CCleaner for crash reporting can trigger false positives. Exclude the path "?:\\Windows\\Tasks\\CCleanerCrashReporting.job" when the process executable is "?:\\Program Files\\CCleaner\\CCleaner64.exe".
- ManageEngine UEMS Agent and DesktopCentral Agent may create scheduled jobs for updates, leading to false positives. Exclude the path "?:\\Windows\\Tasks\\DCAgentUpdater.job" when the process executable is "?:\\Program Files (x86)\\ManageEngine\\UEMS_Agent\\bin\\dcagentregister.exe" or "?:\\Program Files (x86)\\DesktopCentral_Agent\\bin\\dcagentregister.exe".
- Regularly review and update exclusion lists to ensure they reflect the current environment and legitimate software behavior.
- Consider implementing a whitelist of known legitimate processes and paths to further reduce false positives while maintaining effective threat detection.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further execution of potentially malicious scheduled jobs and limit lateral movement.
- Terminate any suspicious processes associated with the identified scheduled job, using tools like Task Manager or PowerShell, to halt any ongoing malicious activity.
- Delete the suspicious scheduled job file from the system to prevent future execution. This can be done using the Task Scheduler or command-line tools.
- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) solutions to identify and remove any additional malicious files or remnants.
- Review and audit other scheduled tasks on the system to ensure no additional unauthorized or suspicious jobs are present.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if other systems are affected.
- Implement enhanced monitoring and alerting for scheduled job creation activities across the network to detect similar threats in the future, leveraging the specific query fields used in the detection rule."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1053"
name = "Scheduled Task/Job"
reference = "https://attack.mitre.org/techniques/T1053/"
[[rule.threat.technique.subtechnique]]
id = "T1053.005"
name = "Scheduled Task"
reference = "https://attack.mitre.org/techniques/T1053/005/"



[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
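To check how the query's path filter and paired exclusions behave before tuning it, the following added Python (not Elastic's code or query engine) re-implements the EQL predicate over constructed, flattened ECS events. The `:` operator is approximated with case-insensitive `fnmatch`, and `eql_like`, `matches_rule`, `ev` and `alerts` are names assumed here.

```python
import fnmatch

# Added re-implementation of the rule's EQL predicate (not Elastic's engine); ':' is approximated by fnmatch.
TASK_PATH = r"?:\Windows\Tasks\*"
EXCLUSIONS = [  # (executables allowed to write the job, the one job path they may write)
    ([r"?:\Program Files\CCleaner\CCleaner64.exe"],
     r"?:\Windows\Tasks\CCleanerCrashReporting.job"),
    ([r"?:\Program Files (x86)\ManageEngine\UEMS_Agent\bin\dcagentregister.exe",
      r"?:\Program Files (x86)\DesktopCentral_Agent\bin\dcagentregister.exe"],
     r"?:\Windows\Tasks\DCAgentUpdater.job"),
]

def eql_like(value, pattern):
    """Approximate the EQL ':' operator: case-insensitive, '?' = one char, '*' = any run."""
    return value is not None and fnmatch.fnmatchcase(value.lower(), pattern.lower())

def matches_rule(event):
    """True when a flattened ECS file event satisfies the query above."""
    if (event.get("event.category") != "file" or event.get("host.os.type") != "windows"
            or event.get("event.type") == "deletion"):
        return False
    path, exe = event.get("file.path"), event.get("process.executable")
    if not (eql_like(path, TASK_PATH) and eql_like(event.get("file.extension"), "job")):
        return False
    # An exclusion applies only when BOTH the job path and its writer are the known pair;
    # the expected job name written by an unexpected binary still alerts.
    for allowed_exes, job_path in EXCLUSIONS:
        if eql_like(path, job_path) and any(eql_like(exe, e) for e in allowed_exes):
            return False
    return True

def ev(label, path, exe, etype="creation", ext="job"):
    return {"label": label, "event.category": "file", "event.type": etype,
            "host.os.type": "windows", "file.path": path, "file.extension": ext,
            "process.executable": exe}

SAMPLE_EVENTS = [  # constructed samples (not real telemetry), one per branch of the query
    ev("unknown writer", r"C:\Windows\Tasks\Update.job", r"C:\Users\Public\svc.exe"),
    ev("ccleaner pair", r"C:\Windows\Tasks\CCleanerCrashReporting.job",
       r"C:\Program Files\CCleaner\CCleaner64.exe"),
    ev("dcagent job, wrong writer", r"D:\Windows\Tasks\DCAgentUpdater.job",
       r"C:\Temp\dcagentregister.exe"),
    ev("xml task, no .job", r"C:\Windows\System32\Tasks\Update",
       r"C:\Windows\System32\svchost.exe", ext=""),
]

def alerts(events=SAMPLE_EVENTS):
    """Labels of the events the rule would alert on."""
    return [e["label"] for e in events if matches_rule(e)]
```

The last sample shows the rule's scope: it covers legacy `.job` files under `Windows\Tasks`, while Task Scheduler 2.0 tasks are stored as extensionless XML under `System32\Tasks` and need separate coverage.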
Related rules
- Browser Extension Install
- Creation or Modification of a new GPO Scheduled Task or Service
- Image File Execution Options Injection
- Installation of Custom Shim Databases
- Installation of Security Support Provider