A scheduled task was updated
Indicates the update of a scheduled task using Windows event logs. Adversaries can use these to establish persistence, by changing the configuration of a legit scheduled task. Some changes such as disabling or enabling a scheduled task are common and may may generate noise.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2022/08/29"
3integration = ["system", "windows"]
4maturity = "production"
5updated_date = "2024/10/15"
6min_stack_version = "8.14.0"
7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
8
9[rule]
10author = ["Elastic"]
11description = """
12Indicates the update of a scheduled task using Windows event logs. Adversaries can use these to establish persistence,
13by changing the configuration of a legit scheduled task. Some changes such as disabling or enabling a scheduled task are
14common and may may generate noise.
15"""
16false_positives = ["Legitimate scheduled tasks may be created during installation of new software."]
17from = "now-9m"
18index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
19language = "eql"
20license = "Elastic License v2"
21name = "A scheduled task was updated"
22references = ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698"]
23risk_score = 47
24rule_id = "a02cb68e-7c93-48d1-93b2-2c39023308eb"
25severity = "medium"
26tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: System"]
27timestamp_override = "event.ingested"
28type = "eql"
29
30query = '''
31iam where event.action == "scheduled-task-updated" and
32
33 /* excluding tasks created by the computer account */
34 not user.name : "*$" and
35 not winlog.event_data.TaskName : "*Microsoft*" and
36 not winlog.event_data.TaskName :
37 ("\\User_Feed_Synchronization-*",
38 "\\OneDrive Reporting Task-S-1-5-21*",
39 "\\OneDrive Reporting Task-S-1-12-1-*",
40 "\\Hewlett-Packard\\HP Web Products Detection",
41 "\\Hewlett-Packard\\HPDeviceCheck",
42 "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant",
43 "\\IpamDnsProvisioning",
44 "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantAllUsersRun",
45 "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun",
46 "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun",
47 "\\Microsoft\\Windows\\.NET Framework\\.NET Framework NGEN v*",
48 "\\Microsoft\\VisualStudio\\Updates\\BackgroundDownload") and
49 not winlog.event_data.SubjectUserSid : ("S-1-5-18", "S-1-5-19", "S-1-5-20")
50'''
51
52
53[[rule.threat]]
54framework = "MITRE ATT&CK"
55[[rule.threat.technique]]
56id = "T1053"
57name = "Scheduled Task/Job"
58reference = "https://attack.mitre.org/techniques/T1053/"
59[[rule.threat.technique.subtechnique]]
60id = "T1053.005"
61name = "Scheduled Task"
62reference = "https://attack.mitre.org/techniques/T1053/005/"
63
64
65
66[rule.threat.tactic]
67id = "TA0003"
68name = "Persistence"
69reference = "https://attack.mitre.org/tactics/TA0003/"
References
Related rules
- A scheduled task was created
- Account Password Reset Remotely
- Active Directory Group Modification by SYSTEM
- Adding Hidden File Attribute via Attrib
- AdminSDHolder SDProp Exclusion Added