A scheduled task was updated
Indicates the update of a scheduled task using Windows event logs. Adversaries can use these to establish persistence, by changing the configuration of a legit scheduled task. Some changes such as disabling or enabling a scheduled task are common and may may generate noise.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2022/08/29"
3integration = ["system", "windows"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2023/06/22"
8
9
10[rule]
11author = ["Elastic"]
12description = """
13Indicates the update of a scheduled task using Windows event logs. Adversaries can use these to establish persistence,
14by changing the configuration of a legit scheduled task. Some changes such as disabling or enabling a scheduled task are
15common and may may generate noise.
16"""
17false_positives = ["Legitimate scheduled tasks may be created during installation of new software."]
18from = "now-9m"
19index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
20language = "eql"
21license = "Elastic License v2"
22name = "A scheduled task was updated"
23references = ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698"]
24risk_score = 47
25rule_id = "a02cb68e-7c93-48d1-93b2-2c39023308eb"
26severity = "medium"
27tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence"]
28timestamp_override = "event.ingested"
29type = "eql"
30
31query = '''
32iam where event.action == "scheduled-task-updated" and
33
34 /* excluding tasks created by the computer account */
35 not user.name : "*$" and
36 not winlog.event_data.TaskName : "*Microsoft*" and
37 not winlog.event_data.TaskName :
38 ("\\User_Feed_Synchronization-*",
39 "\\OneDrive Reporting Task-S-1-5-21*",
40 "\\OneDrive Reporting Task-S-1-12-1-*",
41 "\\Hewlett-Packard\\HP Web Products Detection",
42 "\\Hewlett-Packard\\HPDeviceCheck",
43 "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant",
44 "\\IpamDnsProvisioning",
45 "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantAllUsersRun",
46 "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun",
47 "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun",
48 "\\Microsoft\\Windows\\.NET Framework\\.NET Framework NGEN v*",
49 "\\Microsoft\\VisualStudio\\Updates\\BackgroundDownload") and
50 not winlog.event_data.SubjectUserSid : ("S-1-5-18", "S-1-5-19", "S-1-5-20")
51'''
52
53
54[[rule.threat]]
55framework = "MITRE ATT&CK"
56[[rule.threat.technique]]
57id = "T1053"
58name = "Scheduled Task/Job"
59reference = "https://attack.mitre.org/techniques/T1053/"
60[[rule.threat.technique.subtechnique]]
61id = "T1053.005"
62name = "Scheduled Task"
63reference = "https://attack.mitre.org/techniques/T1053/005/"
64
65
66
67[rule.threat.tactic]
68id = "TA0003"
69name = "Persistence"
70reference = "https://attack.mitre.org/tactics/TA0003/"
References
Related rules
- Remote Windows Service Installed
- Windows User Account Creation
- Service Creation via Local Kerberos Authentication
- SSH Authorized Keys File Modified Inside a Container
- SSH Process Launched From Inside A Container