Suspicious Execution via Scheduled Task
Identifies execution of a suspicious program via scheduled tasks by looking at process lineage and command line usage.
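[metadata]
creation_date = "2020/11/19"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2024/10/15"
# The Windows integration changed its event schema at 8.14.0; see min_stack_comments.
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = "Identifies execution of a suspicious program via scheduled tasks by looking at process lineage and command line usage."
false_positives = ["Legitimate scheduled tasks running third party software."]
# Look-back window. It is measured on event.ingested rather than @timestamp (see
# timestamp_override below), so late-arriving events are still evaluated.
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Execution via Scheduled Task"
references = [
    "https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper",
]
risk_score = 47
rule_id = "5d1d6907-0747-4d5d-9b24-e4a18853dc0a"
setup = """## Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Persistence",
    "Tactic: Execution",
    "Data Source: Elastic Defend",
]
# Evaluate the look-back window on ingest time; requires event.ingested to be populated (see setup).
timestamp_override = "event.ingested"
type = "eql"

# Query structure:
#   1. Lineage: a process started by the svchost.exe instance hosting the "Schedule" service
#      group, i.e. launched by the Task Scheduler service.
#   2. Program list keyed on process.pe.original_file_name, the OriginalFilename field of the
#      PE version resource rather than the on-disk name. A renamed copy of a listed binary
#      still matches; a binary whose version resource lacks or differs in this field does not,
#      so additions to the list should use the value found in the version resource.
#   3. Path list on process.args: directories that are commonly writable by non-admin users
#      or otherwise unusual as scheduled-task targets.
#   4. Exclusions for known-benign activity running as LocalSystem (user.id S-1-5-18).
# The suspicious-path list is anchored to the literal "C:" drive while the exclusions use the
# "?:" drive wildcard; tasks started from the same directories on a system drive other than
# C: do not match this rule as written.
# The msiexec.exe exclusion drops every SYSTEM-launched msiexec regardless of its arguments or
# path; tighten it if SYSTEM installs from the listed paths are unexpected in your environment.
# Backslashes are doubled for EQL string escaping; the TOML literal string (''') passes them
# through unchanged.
query = '''
process where host.os.type == "windows" and event.type == "start" and
    /* Schedule service cmdline on Win10+ */
    process.parent.name : "svchost.exe" and process.parent.args : "Schedule" and
    /* add suspicious programs here */
    process.pe.original_file_name in
    (
        "cscript.exe",
        "wscript.exe",
        "PowerShell.EXE",
        "Cmd.Exe",
        "MSHTA.EXE",
        "RUNDLL32.EXE",
        "REGSVR32.EXE",
        "MSBuild.exe",
        "InstallUtil.exe",
        "RegAsm.exe",
        "RegSvcs.exe",
        "msxsl.exe",
        "CONTROL.EXE",
        "EXPLORER.EXE",
        "Microsoft.Workflow.Compiler.exe",
        "msiexec.exe"
    ) and
    /* add suspicious paths here */
    process.args : (
        "C:\\Users\\*",
        "C:\\ProgramData\\*",
        "C:\\Windows\\Temp\\*",
        "C:\\Windows\\Tasks\\*",
        "C:\\PerfLogs\\*",
        "C:\\Intel\\*",
        "C:\\Windows\\Debug\\*",
        "C:\\HP\\*") and

    not (process.name : "cmd.exe" and process.args : "?:\\*.bat" and process.working_directory : "?:\\Windows\\System32\\") and
    not (process.name : "cscript.exe" and process.args : "?:\\Windows\\system32\\calluxxprovider.vbs") and
    not (process.name : "powershell.exe" and process.args : ("-File", "-PSConsoleFile") and user.id : "S-1-5-18") and
    not (process.name : "msiexec.exe" and user.id : "S-1-5-18")
'''

# One [[rule.threat]] entry per ATT&CK tactic; both entries map the same technique and
# sub-technique, differing only in the tactic they are filed under.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1053"
name = "Scheduled Task/Job"
reference = "https://attack.mitre.org/techniques/T1053/"

[[rule.threat.technique.subtechnique]]
id = "T1053.005"
name = "Scheduled Task"
reference = "https://attack.mitre.org/techniques/T1053/005/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1053"
name = "Scheduled Task/Job"
reference = "https://attack.mitre.org/techniques/T1053/"

[[rule.threat.technique.subtechnique]]
id = "T1053.005"
name = "Scheduled Task"
reference = "https://attack.mitre.org/techniques/T1053/005/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"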
Related rules
- Persistence via Hidden Run Key Detected
- Scheduled Task Created by a Windows Script
- Suspicious Image Load (taskschd.dll) from MS Office
- Unsigned DLL Loaded by Svchost
- Adobe Hijack Persistence