A scheduled task was updated
Indicates the update of a scheduled task using Windows event logs. Adversaries can use these to establish persistence, by changing the configuration of a legit scheduled task. Some changes such as disabling or enabling a scheduled task are common and may may generate noise.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2022/08/29"
3integration = ["system", "windows"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic"]
9description = """
10Indicates the update of a scheduled task using Windows event logs. Adversaries can use these to establish persistence,
11by changing the configuration of a legit scheduled task. Some changes such as disabling or enabling a scheduled task are
12common and may may generate noise.
13"""
14false_positives = ["Legitimate scheduled tasks may be created during installation of new software."]
15from = "now-9m"
16index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
17language = "eql"
18license = "Elastic License v2"
19name = "A scheduled task was updated"
20references = ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698"]
21risk_score = 47
22rule_id = "a02cb68e-7c93-48d1-93b2-2c39023308eb"
23severity = "medium"
24tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence"]
25timestamp_override = "event.ingested"
26type = "eql"
27
28query = '''
29iam where event.action == "scheduled-task-updated" and
30
31 /* excluding tasks created by the computer account */
32 not user.name : "*$" and
33 not winlog.event_data.TaskName : "*Microsoft*" and
34 not winlog.event_data.TaskName :
35 ("\\User_Feed_Synchronization-*",
36 "\\OneDrive Reporting Task-S-1-5-21*",
37 "\\OneDrive Reporting Task-S-1-12-1-*",
38 "\\Hewlett-Packard\\HP Web Products Detection",
39 "\\Hewlett-Packard\\HPDeviceCheck",
40 "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant",
41 "\\IpamDnsProvisioning",
42 "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantAllUsersRun",
43 "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun",
44 "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun",
45 "\\Microsoft\\Windows\\.NET Framework\\.NET Framework NGEN v*",
46 "\\Microsoft\\VisualStudio\\Updates\\BackgroundDownload") and
47 not winlog.event_data.SubjectUserSid : ("S-1-5-18", "S-1-5-19", "S-1-5-20")
48'''
49
50
51[[rule.threat]]
52framework = "MITRE ATT&CK"
53[[rule.threat.technique]]
54id = "T1053"
55name = "Scheduled Task/Job"
56reference = "https://attack.mitre.org/techniques/T1053/"
57[[rule.threat.technique.subtechnique]]
58id = "T1053.005"
59name = "Scheduled Task"
60reference = "https://attack.mitre.org/techniques/T1053/005/"
61
62
63
64[rule.threat.tactic]
65id = "TA0003"
66name = "Persistence"
67reference = "https://attack.mitre.org/tactics/TA0003/"
References
Related rules
- A scheduled task was created
- Account Configured with Never-Expiring Password
- Account Password Reset Remotely
- Adding Hidden File Attribute via Attrib
- Browser Extension Install