A scheduled task was updated

calendarMar 5, 2023  ·
Share on: linkedincopy

Indicates the update of a scheduled task using Windows event logs. Adversaries can use these to establish persistence, by changing the configuration of a legit scheduled task. Some changes such as disabling or enabling a scheduled task are common and may may generate noise.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2022/08/29"
 3integration = ["system", "windows"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2023/02/22"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Indicates the update of a scheduled task using Windows event logs. Adversaries can use these to establish persistence,
13by changing the configuration of a legit scheduled task. Some changes such as disabling or enabling a scheduled task are
14common and may may generate noise.
15"""
16false_positives = ["Legitimate scheduled tasks may be created during installation of new software."]
17from = "now-9m"
18index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
19language = "eql"
20license = "Elastic License v2"
21name = "A scheduled task was updated"
22references = ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698"]
23risk_score = 21
24rule_id = "a02cb68e-7c93-48d1-93b2-2c39023308eb"
25severity = "low"
26tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"]
27timestamp_override = "event.ingested"
28type = "eql"
29
30query = '''
31iam where host.os.type == "windows" and event.action == "scheduled-task-updated" and
32
33 /* excluding tasks created by the computer account */
34 not user.name : "*$" and
35 not winlog.event_data.TaskName :
36          ("\\User_Feed_Synchronization-*",
37           "\\OneDrive Reporting Task-S-1-5-21*",
38           "\\OneDrive Reporting Task-S-1-12-1-*",
39           "\\Hewlett-Packard\\HP Web Products Detection",
40           "\\Hewlett-Packard\\HPDeviceCheck")
41'''
42
43
44[[rule.threat]]
45framework = "MITRE ATT&CK"
46[[rule.threat.technique]]
47id = "T1053"
48name = "Scheduled Task/Job"
49reference = "https://attack.mitre.org/techniques/T1053/"
50[[rule.threat.technique.subtechnique]]
51id = "T1053.005"
52name = "Scheduled Task"
53reference = "https://attack.mitre.org/techniques/T1053/005/"
54
55
56
57[rule.threat.tactic]
58id = "TA0003"
59name = "Persistence"
60reference = "https://attack.mitre.org/tactics/TA0003/"

to-top