Scheduled Task Created by a Windows Script

  1[metadata]
  2creation_date = "2020/11/29"
  3integration = ["endpoint", "windows"]
  4maturity = "production"
  5updated_date = "2026/05/04"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10A scheduled task was created by a Windows script via cscript.exe, wscript.exe or powershell.exe. This can be abused by
 11an adversary to establish persistence.
 12"""
 13false_positives = ["Legitimate scheduled tasks may be created during installation of new software."]
 14from = "now-9m"
 15index = [
 16    "winlogbeat-*",
 17    "logs-endpoint.events.registry-*",
 18    "logs-endpoint.events.library-*",
 19    "logs-windows.sysmon_operational-*",
 20    "endgame-*",
 21]
 22language = "eql"
 23license = "Elastic License v2"
 24name = "Scheduled Task Created by a Windows Script"
 25note = """## Triage and analysis
 26
 27Decode the base64 encoded Tasks Actions registry value to investigate the task's configured action."""
 28risk_score = 47
 29rule_id = "689b9d57-e4d5-4357-ad17-9c334609d79a"
 30severity = "medium"
 31tags = [
 32    "Domain: Endpoint",
 33    "OS: Windows",
 34    "Use Case: Threat Detection",
 35    "Tactic: Persistence",
 36    "Tactic: Execution",
 37    "Data Source: Elastic Endgame",
 38    "Data Source: Elastic Defend",
 39    "Data Source: Sysmon",
 40    "Resources: Investigation Guide",
 41]
 42type = "eql"
 43
 44query = '''
 45sequence by host.id with maxspan = 30s
 46  [any where host.os.type == "windows" and 
 47    (event.category : ("library", "driver") or (event.category == "process" and event.action : "Image loaded*")) and
 48    (?dll.name : "taskschd.dll" or file.name : "taskschd.dll") and
 49    process.name : ("cscript.exe", "wscript.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe")]
 50  [registry where host.os.type == "windows" and event.type == "change" and registry.value : "Actions" and
 51    registry.path : (
 52      "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\*\\Actions",
 53      "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\*\\Actions"
 54  )]
 55'''
 56
 57setup = """## Setup
 58
 59This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.
 60
 61Setup instructions: https://ela.st/install-elastic-defend
 62
 63### Additional data sources
 64
 65This rule also supports the following third-party data sources. For setup instructions, refer to the links below:
 66
 67- [Sysmon Event ID 7 - Image Loaded](https://ela.st/sysmon-event-7-setup)
 68- [Sysmon Registry Events](https://ela.st/sysmon-event-reg-setup)
 69"""
 70
 71
 72[[rule.threat]]
 73framework = "MITRE ATT&CK"
 74[[rule.threat.technique]]
 75id = "T1053"
 76name = "Scheduled Task/Job"
 77reference = "https://attack.mitre.org/techniques/T1053/"
 78[[rule.threat.technique.subtechnique]]
 79id = "T1053.005"
 80name = "Scheduled Task"
 81reference = "https://attack.mitre.org/techniques/T1053/005/"
 82
 83
 84
 85[rule.threat.tactic]
 86id = "TA0003"
 87name = "Persistence"
 88reference = "https://attack.mitre.org/tactics/TA0003/"
 89[[rule.threat]]
 90framework = "MITRE ATT&CK"
 91[[rule.threat.technique]]
 92id = "T1059"
 93name = "Command and Scripting Interpreter"
 94reference = "https://attack.mitre.org/techniques/T1059/"
 95[[rule.threat.technique.subtechnique]]
 96id = "T1059.001"
 97name = "PowerShell"
 98reference = "https://attack.mitre.org/techniques/T1059/001/"
 99
100[[rule.threat.technique.subtechnique]]
101id = "T1059.005"
102name = "Visual Basic"
103reference = "https://attack.mitre.org/techniques/T1059/005/"
104
105
106
107[rule.threat.tactic]
108id = "TA0002"
109name = "Execution"
110reference = "https://attack.mitre.org/tactics/TA0002/"