Suspicious Execution via Scheduled Task

  1[metadata]
  2creation_date = "2020/11/19"
  3integration = ["endpoint"]
  4maturity = "production"
  5updated_date = "2025/04/07"
  6
  7[rule]
  8author = ["Elastic"]
  9description = "Identifies execution of a suspicious program via scheduled tasks by looking at process lineage and command line usage."
 10false_positives = ["Legitimate scheduled tasks running third party software."]
 11from = "now-9m"
 12index = ["logs-endpoint.events.process-*"]
 13language = "eql"
 14license = "Elastic License v2"
 15name = "Suspicious Execution via Scheduled Task"
 16note = """## Triage and analysis
 17
 18> **Disclaimer**:
 19> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 20
 21### Investigating Suspicious Execution via Scheduled Task
 22
 23Scheduled tasks in Windows automate routine tasks, but adversaries exploit them for persistence and execution of malicious programs. By examining process lineage and command line usage, the detection rule identifies suspicious executions initiated by scheduled tasks. It flags known malicious executables and unusual file paths, while excluding benign processes, to pinpoint potential threats effectively.
 24
 25### Possible investigation steps
 26
 27- Review the process lineage to confirm the parent process is "svchost.exe" with arguments containing "Schedule" to verify the execution was initiated by a scheduled task.
 28- Examine the command line arguments and file paths of the suspicious process to identify any unusual or unauthorized file locations, such as those listed in the query (e.g., "C:\\Users\\*", "C:\\ProgramData\\*").
 29- Check the original file name of the process against the list of known suspicious executables (e.g., "PowerShell.EXE", "Cmd.Exe") to determine if it matches any commonly abused binaries.
 30- Investigate the user context under which the process was executed, especially if it deviates from expected system accounts or known service accounts.
 31- Correlate the event with other security logs or alerts to identify any related suspicious activities or patterns that might indicate a broader attack campaign.
 32- Assess the risk and impact of the detected activity by considering the severity and risk score provided, and determine if immediate containment or remediation actions are necessary.
 33
 34### False positive analysis
 35
 36- Scheduled tasks running legitimate scripts or executables like cmd.exe or cscript.exe in system directories may trigger false positives. To manage this, create exceptions for these processes when they are executed from known safe directories such as C:\\Windows\\System32.
 37- PowerShell scripts executed by the system account (S-1-5-18) for administrative tasks can be mistakenly flagged. Exclude these by specifying exceptions for PowerShell executions with arguments like -File or -PSConsoleFile when run by the system account.
 38- Legitimate software installations or updates using msiexec.exe by the system account may be incorrectly identified as threats. Mitigate this by excluding msiexec.exe processes initiated by the system account.
 39- Regular maintenance tasks or scripts stored in common directories like C:\\ProgramData or C:\\Windows\\Temp might be flagged. Review these tasks and exclude known benign scripts or executables from these paths.
 40- Custom scripts or administrative tools that mimic suspicious executables (e.g., PowerShell.EXE, RUNDLL32.EXE) but are part of routine operations should be reviewed and excluded if verified as safe.
 41
 42### Response and remediation
 43
 44- Immediately isolate the affected system from the network to prevent further spread of any potential malicious activity.
 45- Terminate any suspicious processes identified by the detection rule, especially those matching the flagged executables and paths.
 46- Conduct a thorough review of scheduled tasks on the affected system to identify and disable any unauthorized or suspicious tasks.
 47- Remove any malicious files or executables found in the suspicious paths listed in the detection rule.
 48- Restore the system from a known good backup if malicious activity is confirmed and system integrity is compromised.
 49- Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected.
 50- Implement enhanced monitoring and logging for scheduled tasks and the flagged executables to detect similar threats in the future."""
 51references = [
 52    "https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper",
 53]
 54risk_score = 47
 55rule_id = "5d1d6907-0747-4d5d-9b24-e4a18853dc0a"
 56severity = "medium"
 57tags = [
 58    "Domain: Endpoint",
 59    "OS: Windows",
 60    "Use Case: Threat Detection",
 61    "Tactic: Persistence",
 62    "Tactic: Execution",
 63    "Data Source: Elastic Defend",
 64    "Resources: Investigation Guide",
 65]
 66timestamp_override = "event.ingested"
 67type = "eql"
 68
 69query = '''
 70process where host.os.type == "windows" and event.type == "start" and
 71    /* Schedule service cmdline on Win10+ */
 72    process.parent.name : "svchost.exe" and process.parent.args : "Schedule" and
 73    /* add suspicious programs here */
 74    process.pe.original_file_name in
 75                                (
 76                                  "cscript.exe",
 77                                  "wscript.exe",
 78                                  "PowerShell.EXE",
 79                                  "Cmd.Exe",
 80                                  "MSHTA.EXE",
 81                                  "RUNDLL32.EXE",
 82                                  "REGSVR32.EXE",
 83                                  "MSBuild.exe",
 84                                  "InstallUtil.exe",
 85                                  "RegAsm.exe",
 86                                  "RegSvcs.exe",
 87                                  "msxsl.exe",
 88                                  "CONTROL.EXE",
 89                                  "EXPLORER.EXE",
 90                                  "Microsoft.Workflow.Compiler.exe",
 91                                  "msiexec.exe"
 92                                  ) and
 93    /* add suspicious paths here */
 94    process.args : (
 95       "C:\\Users\\*",
 96       "C:\\ProgramData\\*",
 97       "C:\\Windows\\Temp\\*",
 98       "C:\\Windows\\Tasks\\*",
 99       "C:\\PerfLogs\\*",
100       "C:\\Intel\\*",
101       "C:\\Windows\\Debug\\*",
102       "C:\\HP\\*") and
103
104    not (process.name : "cmd.exe" and process.args : "?:\\*.bat" and process.working_directory : "?:\\Windows\\System32\\") and
105    not (process.name : "cscript.exe" and process.args : "?:\\Windows\\system32\\calluxxprovider.vbs") and
106    not (
107       process.name : "powershell.exe" and
108       process.args : (
109           "-File", "-PSConsoleFile",
110           "C:\\ProgramData\\Microsoft\\AutopatchSetupScheduled\\SetupAutopatchClientV2Package.ps1",
111           "C:\\ProgramData\\Microsoft\\AutopatchSetupScheduled\\SetupAutopatchClientPackage.ps1"                
112       ) and user.id : "S-1-5-18"
113    ) and
114    not (process.name : "msiexec.exe" and user.id : "S-1-5-18")
115'''
116
117
118[[rule.threat]]
119framework = "MITRE ATT&CK"
120[[rule.threat.technique]]
121id = "T1053"
122name = "Scheduled Task/Job"
123reference = "https://attack.mitre.org/techniques/T1053/"
124[[rule.threat.technique.subtechnique]]
125id = "T1053.005"
126name = "Scheduled Task"
127reference = "https://attack.mitre.org/techniques/T1053/005/"
128
129
130
131[rule.threat.tactic]
132id = "TA0003"
133name = "Persistence"
134reference = "https://attack.mitre.org/tactics/TA0003/"
135[[rule.threat]]
136framework = "MITRE ATT&CK"
137[[rule.threat.technique]]
138id = "T1053"
139name = "Scheduled Task/Job"
140reference = "https://attack.mitre.org/techniques/T1053/"
141[[rule.threat.technique.subtechnique]]
142id = "T1053.005"
143name = "Scheduled Task"
144reference = "https://attack.mitre.org/techniques/T1053/005/"
145
146
147
148[rule.threat.tactic]
149id = "TA0002"
150name = "Execution"
151reference = "https://attack.mitre.org/tactics/TA0002/"