A scheduled task was updated

Indicates the update of a scheduled task using Windows event logs. Adversaries can use scheduled tasks to establish persistence by changing the configuration of a legitimate scheduled task. Some changes, such as disabling or enabling a scheduled task, are common and may generate noise.

Elastic rule

[metadata]
creation_date = "2022/08/29"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2025/03/20"

[rule]
author = ["Elastic"]
description = """
Indicates the update of a scheduled task using Windows event logs. Adversaries can use these to establish persistence,
by changing the configuration of a legit scheduled task. Some changes such as disabling or enabling a scheduled task are
common and may generate noise.
"""
false_positives = ["Legitimate scheduled tasks may be created during installation of new software."]
from = "now-9m"
index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
language = "eql"
license = "Elastic License v2"
name = "A scheduled task was updated"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating A scheduled task was updated

Scheduled tasks in Windows automate routine tasks, enhancing efficiency. However, adversaries exploit this by modifying tasks to maintain persistence, often altering legitimate tasks to evade detection. The detection rule identifies suspicious updates by filtering out benign changes, such as those by system accounts or known safe tasks, focusing on anomalies that suggest malicious intent.

### Possible investigation steps

- Review the event logs to identify the specific scheduled task that was updated, focusing on the winlog.event_data.TaskName field to determine if it matches any known malicious patterns.
- Investigate the user account associated with the update by examining the user.name field to ensure it is not a compromised account or an unauthorized user.
- Check the winlog.event_data.SubjectUserSid field to verify if the update was made by a system account or a potentially malicious user, as system accounts like S-1-5-18, S-1-5-19, and S-1-5-20 are typically benign.
- Analyze the history of changes to the scheduled task to identify any unusual or unauthorized modifications that could indicate persistence mechanisms.
- Correlate the scheduled task update with other security events or alerts to determine if it is part of a broader attack pattern or campaign.

### False positive analysis

- Scheduled tasks updated by system accounts can be false positives. Exclude updates made by system accounts by filtering out user names ending with a dollar sign.
- Legitimate Microsoft tasks often update automatically. Exclude tasks with names containing "Microsoft" to reduce noise from these updates.
- Commonly updated tasks like User Feed Synchronization and OneDrive Reporting are typically benign. Exclude these specific task names to avoid unnecessary alerts.
- Tasks updated by well-known service SIDs such as S-1-5-18, S-1-5-19, and S-1-5-20 are generally safe. Exclude these SIDs to prevent false positives from routine system operations.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further malicious activity and lateral movement.
- Review the specific scheduled task that was updated to determine if it was altered by an unauthorized user or process. Revert any unauthorized changes to their original state.
- Conduct a thorough scan of the affected system using updated antivirus and anti-malware tools to identify and remove any malicious software that may have been introduced.
- Analyze the user account that made the changes to the scheduled task. If the account is compromised, reset the password and review recent activities for further signs of compromise.
- Implement additional monitoring on the affected system and similar systems to detect any further unauthorized scheduled task updates or related suspicious activities.
- Escalate the incident to the security operations team for further investigation and to determine if the threat is part of a larger attack campaign.
- Review and update access controls and permissions related to scheduled tasks to ensure only authorized personnel can make changes, reducing the risk of future unauthorized modifications."""
references = ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698"]
risk_score = 47
rule_id = "a02cb68e-7c93-48d1-93b2-2c39023308eb"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Persistence",
    "Data Source: Windows Security Event Logs",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
iam where event.action == "scheduled-task-updated" and

 /* excluding tasks created by the computer account */
 not user.name : "*$" and
 not winlog.event_data.TaskName : "*Microsoft*" and
 not winlog.event_data.TaskName :
          ("\\User_Feed_Synchronization-*",
           "\\OneDrive Reporting Task-S-1-5-21*",
           "\\OneDrive Reporting Task-S-1-12-1-*",
           "\\Hewlett-Packard\\HP Web Products Detection",
           "\\Hewlett-Packard\\HPDeviceCheck",
           "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant",
           "\\IpamDnsProvisioning",
           "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantAllUsersRun",
           "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun",
           "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun",
           "\\Microsoft\\Windows\\.NET Framework\\.NET Framework NGEN v*",
           "\\Microsoft\\VisualStudio\\Updates\\BackgroundDownload") and
  not winlog.event_data.SubjectUserSid :  ("S-1-5-18", "S-1-5-19", "S-1-5-20")
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1053"
name = "Scheduled Task/Job"
reference = "https://attack.mitre.org/techniques/T1053/"
[[rule.threat.technique.subtechnique]]
id = "T1053.005"
name = "Scheduled Task"
reference = "https://attack.mitre.org/techniques/T1053/005/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
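The filter that the EQL query above expresses, re-implemented in Python so that its exclusions can be exercised offline against constructed scheduled-task-update records before the rule is tuned for a given environment. This is an added example, not Elastic's code: the EQL `:` operator is approximated as a case-insensitive match in which `*` is a wildcard, events are plain dicts shaped like the rule's fields (`event.action`, `user.name`, `winlog.event_data.TaskName`, `winlog.event_data.SubjectUserSid`), all sample events are invented, and treating a missing field as non-matching is an assumption rather than documented EQL semantics. The `task_history` helper goes beyond the query and supports the investigation step of reviewing a task's change history.

```python
"""Offline re-implementation of the 'A scheduled task was updated' filter (added example, not Elastic's code)."""
import re
from collections import defaultdict

# Exclusion list copied from the rule query. In the EQL source each backslash is
# written as '\\'; here raw strings carry the single literal backslash.
EXCLUDED_TASK_PATTERNS = [
    r"\User_Feed_Synchronization-*",
    r"\OneDrive Reporting Task-S-1-5-21*",
    r"\OneDrive Reporting Task-S-1-12-1-*",
    r"\Hewlett-Packard\HP Web Products Detection",
    r"\Hewlett-Packard\HPDeviceCheck",
    r"\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant",
    r"\IpamDnsProvisioning",
    r"\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantAllUsersRun",
    r"\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun",
    r"\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun",
    r"\Microsoft\Windows\.NET Framework\.NET Framework NGEN v*",
    r"\Microsoft\VisualStudio\Updates\BackgroundDownload",
]
# Well-known service SIDs excluded by the rule (SYSTEM, LOCAL SERVICE, NETWORK SERVICE).
SYSTEM_SIDS = ("S-1-5-18", "S-1-5-19", "S-1-5-20")


def eql_match(value, pattern):
    """Approximate EQL ':' : case-insensitive, '*' matches any run of characters.
    Assumption: a missing (None) field never matches, so 'not field : x' keeps the event."""
    if value is None:
        return False
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, flags=re.IGNORECASE) is not None


def is_suspicious_update(event):
    """Return True when the event passes every clause of the rule's 'where' condition."""
    if event.get("event", {}).get("action") != "scheduled-task-updated":
        return False
    data = event.get("winlog", {}).get("event_data", {})
    user = event.get("user", {}).get("name")
    task = data.get("TaskName")
    sid = data.get("SubjectUserSid")
    if eql_match(user, "*$"):                      # computer account (name ends with '$')
        return False
    if eql_match(task, "*Microsoft*"):             # any Microsoft-named task
        return False
    if any(eql_match(task, p) for p in EXCLUDED_TASK_PATTERNS):
        return False
    if any(eql_match(sid, s) for s in SYSTEM_SIDS):
        return False
    return True


def run_rule(events):
    """Events that would raise an alert, in input order."""
    return [e for e in events if is_suspicious_update(e)]


def task_history(events):
    """Group every task event by TaskName, oldest first: who touched the task and when.
    Supports the triage step 'analyze the history of changes to the scheduled task'."""
    history = defaultdict(list)
    for e in sorted(events, key=lambda e: e["@timestamp"]):
        data = e["winlog"]["event_data"]
        history[data["TaskName"]].append(
            (e["@timestamp"], e["event"]["action"], e["user"]["name"], data["SubjectUserSid"]))
    return dict(history)


def make_event(ts, action, user, task, sid):
    """Build a record shaped like the rule's fields (constructed sample data)."""
    return {"@timestamp": ts, "event": {"action": action}, "user": {"name": user},
            "winlog": {"event_data": {"TaskName": task, "SubjectUserSid": sid}}}


# Constructed sample events; SIDs and task names are invented for the example.
USER_SID = "S-1-5-21-1111-2222-3333-1001"
SAMPLE_EVENTS = [
    make_event("2025-03-20T07:55:00Z", "scheduled-task-created", "jdoe", r"\Adobe\AdobeUpdater", USER_SID),
    make_event("2025-03-20T08:01:00Z", "scheduled-task-updated", "jdoe", r"\Adobe\AdobeUpdater", USER_SID),
    make_event("2025-03-20T08:05:00Z", "scheduled-task-updated", "SYSTEM",
               r"\Microsoft\Windows\Defrag\ScheduledDefrag", "S-1-5-18"),
    make_event("2025-03-20T08:10:00Z", "scheduled-task-updated", "jdoe",
               r"\User_Feed_Synchronization-{2F6A1B0C-0000-4000-8000-000000000001}", USER_SID),
    make_event("2025-03-20T08:15:00Z", "scheduled-task-updated", "WS01$", r"\Backup\NightlyBackup",
               "S-1-5-21-1111-2222-3333-1105"),
    make_event("2025-03-20T09:00:00Z", "scheduled-task-updated", "jdoe",
               r"\OneDrive Reporting Task-" + USER_SID, USER_SID),
    make_event("2025-03-20T23:30:00Z", "scheduled-task-updated", "svc_backup", r"\Adobe\AdobeUpdater",
               "S-1-5-21-1111-2222-3333-1050"),
]

if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS):
        d = alert["winlog"]["event_data"]
        print(f"ALERT {alert['@timestamp']} {alert['user']['name']} updated {d['TaskName']}")
    for task, changes in task_history(SAMPLE_EVENTS).items():
        print(task, "->", changes)
```

Of the seven constructed events only the two updates to `\Adobe\AdobeUpdater` alert; the Microsoft, User Feed Synchronization, OneDrive and computer-account events are dropped by the same clauses the EQL query uses, and the history for the alerting task shows its creation followed by two updates by different accounts, which is the sequence a triage analyst would want to see.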
