Unusual Scheduled Task Update

 1[metadata]
 2creation_date = "2022/08/29"
 3integration = ["system", "windows"]
 4maturity = "production"
 5updated_date = "2025/07/07"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies first-time modifications to scheduled tasks by user accounts, excluding system activity and machine accounts.
11"""
12false_positives = ["Legitimate scheduled tasks may be created during installation of new software."]
13from = "now-9m"
14index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
15language = "kuery"
16license = "Elastic License v2"
17name = "Unusual Scheduled Task Update"
18note = """ ## Triage and analysis
19
20> **Disclaimer**:
21> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
22
23### Investigating Unusual Scheduled Task Update
24
25Scheduled tasks in Windows environments automate routine tasks, but adversaries can exploit them for persistence by modifying tasks to execute malicious code. The detection rule identifies first-time task modifications by non-system users, flagging potential unauthorized changes. By excluding known system accounts, it focuses on suspicious user activity, aiding in early threat detection.
26
27### Possible investigation steps
28
29- Review the event logs for event code 4702 to identify the specific scheduled task that was modified and the user account responsible for the change.
30- Investigate the user account involved in the modification to determine if it is a legitimate user or potentially compromised. Check for any recent unusual activity associated with this account.
31- Examine the details of the modified scheduled task, including the command or script it is set to execute, to assess if it is potentially malicious or unauthorized.
32- Cross-reference the scheduled task's modification time with other security events or logs to identify any correlated suspicious activities or anomalies.
33- Check the history of the scheduled task to determine if this is the first modification or if there have been previous changes that might indicate a pattern of unauthorized access.
34
35### False positive analysis
36
37- Scheduled task modifications by IT administrators performing routine maintenance can trigger alerts. To manage this, create exceptions for known administrator accounts that regularly update tasks.
38- Software updates or installations by trusted applications may modify scheduled tasks. Identify these applications and exclude their associated user accounts or processes from the rule.
39- Automated scripts or management tools that modify tasks as part of their normal operation can be mistaken for suspicious activity. Document these tools and exclude their activity from detection.
40- Temporary user accounts used for specific projects or tasks might modify scheduled tasks. If these accounts are verified and trusted, consider excluding them from the rule during their active period.
41
42### Response and remediation
43
44- Immediately isolate the affected system from the network to prevent further unauthorized scheduled task modifications or potential lateral movement by the adversary.
45- Terminate any suspicious processes associated with the modified scheduled task to halt any ongoing malicious activity.
46- Review the modified scheduled task details, including the command or script being executed, and remove or disable any malicious components identified.
47- Reset the credentials of the user account involved in the modification to prevent further unauthorized access, and investigate for any signs of credential compromise.
48- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malware or persistence mechanisms.
49- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if the threat has spread to other systems.
50- Implement additional monitoring and alerting for scheduled task modifications across the environment to enhance detection of similar threats in the future.
51"""
52references = ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698"]
53risk_score = 21
54rule_id = "a02cb68e-7c93-48d1-93b2-2c39023308eb"
55severity = "low"
56tags = [
57    "Domain: Endpoint",
58    "OS: Windows",
59    "Use Case: Threat Detection",
60    "Tactic: Persistence",
61    "Data Source: Windows Security Event Logs",
62    "Resources: Investigation Guide",
63]
64timestamp_override = "event.ingested"
65type = "new_terms"
66
67query = '''
68event.category: "iam" and event.code: "4702" and
69  not winlog.event_data.SubjectUserSid: ("S-1-5-18" or "S-1-5-19" or "S-1-5-20") and
70  not user.name : *$
71'''
72
73
74[[rule.threat]]
75framework = "MITRE ATT&CK"
76[[rule.threat.technique]]
77id = "T1053"
78name = "Scheduled Task/Job"
79reference = "https://attack.mitre.org/techniques/T1053/"
80[[rule.threat.technique.subtechnique]]
81id = "T1053.005"
82name = "Scheduled Task"
83reference = "https://attack.mitre.org/techniques/T1053/005/"
84
85
86
87[rule.threat.tactic]
88id = "TA0003"
89name = "Persistence"
90reference = "https://attack.mitre.org/tactics/TA0003/"
91
92[rule.new_terms]
93field = "new_terms_fields"
94value = ["host.id", "winlog.event_data.TaskName"]
95
96[[rule.new_terms.history_window_start]]
97field = "history_window_start"
98value = "now-14d"