Suspicious Execution via Scheduled Task

Identifies execution of a suspicious program via scheduled tasks by looking at process lineage and command line usage.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2020/11/19"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = "Identifies execution of a suspicious program via scheduled tasks by looking at process lineage and command line usage."
false_positives = ["Legitimate scheduled tasks running third party software."]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Execution via Scheduled Task"
references = [
    "https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper",
]
risk_score = 47
rule_id = "5d1d6907-0747-4d5d-9b24-e4a18853dc0a"
setup = """## Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested`, and the default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` from @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Persistence",
    "Tactic: Execution",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and
    /* Schedule service cmdline on Win10+ */
    process.parent.name : "svchost.exe" and process.parent.args : "Schedule" and
    /* add suspicious programs here */
    process.pe.original_file_name in
                                (
                                  "cscript.exe",
                                  "wscript.exe",
                                  "PowerShell.EXE",
                                  "Cmd.Exe",
                                  "MSHTA.EXE",
                                  "RUNDLL32.EXE",
                                  "REGSVR32.EXE",
                                  "MSBuild.exe",
                                  "InstallUtil.exe",
                                  "RegAsm.exe",
                                  "RegSvcs.exe",
                                  "msxsl.exe",
                                  "CONTROL.EXE",
                                  "EXPLORER.EXE",
                                  "Microsoft.Workflow.Compiler.exe",
                                  "msiexec.exe"
                                  ) and
    /* add suspicious paths here */
    process.args : (
       "C:\\Users\\*",
       "C:\\ProgramData\\*",
       "C:\\Windows\\Temp\\*",
       "C:\\Windows\\Tasks\\*",
       "C:\\PerfLogs\\*",
       "C:\\Intel\\*",
       "C:\\Windows\\Debug\\*",
       "C:\\HP\\*") and

     not (process.name : "cmd.exe" and process.args : "?:\\*.bat" and process.working_directory : "?:\\Windows\\System32\\") and
     not (process.name : "cscript.exe" and process.args : "?:\\Windows\\system32\\calluxxprovider.vbs") and
     not (process.name : "powershell.exe" and process.args : ("-File", "-PSConsoleFile") and user.id : "S-1-5-18") and
     not (process.name : "msiexec.exe" and user.id : "S-1-5-18")
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Suspicious Execution via Scheduled Task

Windows scheduled tasks automate routine jobs, but adversaries also register them to persist across reboots and to launch their payloads (MITRE ATT&CK T1053.005). This rule looks for processes started by the Task Scheduler service host (svchost.exe running the Schedule service group) whose PE original file name is one of a set of signed Windows binaries that are commonly abused to run scripts and payloads (the script hosts, PowerShell, cmd.exe, mshta, rundll32, regsvr32, MSBuild, InstallUtil, RegAsm, RegSvcs, msxsl, control.exe, explorer.exe, Microsoft.Workflow.Compiler and msiexec), and whose command line references a user-writable or otherwise unusual directory such as C:\\Users, C:\\ProgramData, C:\\Windows\\Temp or C:\\Windows\\Tasks. Because the match is on process.pe.original_file_name rather than process.name, a renamed copy of one of these binaries is still detected. A small set of exclusions removes known benign activity, most of it running as the System account.

### Possible investigation steps

- Confirm the lineage: the parent should be svchost.exe with "Schedule" in its arguments, which is the Task Scheduler service host on Windows 10 and later. Identify the task that fired by checking the Microsoft-Windows-TaskScheduler/Operational log (event 106 records task registration, event 200 an action start) and the Security log (event 4698, scheduled task created), then pull the task definition from C:\\Windows\\System32\\Tasks.
- Examine the command line and the paths it references. The rule fires on locations such as C:\\Users\\*, C:\\ProgramData\\*, C:\\Windows\\Temp\\* and C:\\Windows\\Tasks\\*; a script or payload in one of these is far more likely to be attacker-controlled than one under Program Files or System32.
- Compare process.name with process.pe.original_file_name. The rule matches on the original file name, so a mismatch (for example a process named svc.exe whose original file name is PowerShell.EXE) means the binary was renamed, which is rarely legitimate for these tools.
- Establish the account the task ran as. The query's exclusions only apply to the System account (S-1-5-18); a task registered by an ordinary user that runs one of these binaries from a user-writable path deserves more scrutiny, and a task registered by a user but running with RunLevel HighestAvailable or as SYSTEM may indicate privilege escalation.
- Correlate with surrounding telemetry: task registration events, file creation of the referenced script or payload, child processes of the flagged binary, and any network connections it made.
- Assess the risk and impact using the rule's severity and risk score together with what the correlated evidence shows, and decide whether containment is needed now.

### False positive analysis

- Scheduled tasks that run legitimate scripts or executables through cmd.exe or cscript.exe may trigger the rule. The query already excludes cmd.exe running a .bat file with C:\\Windows\\System32\\ as its working directory and cscript.exe running calluxxprovider.vbs; add similarly narrow exceptions (process, script path and working directory together) rather than excluding the binary.
- PowerShell administrative scripts run as the System account with -File or -PSConsoleFile are already excluded; extend that exception to other accounts only for specific, reviewed script paths.
- Software installations and updates run through msiexec.exe as the System account are excluded by the query. Installs run as an ordinary user from C:\\Users or C:\\ProgramData are not, and should be reviewed before being added as exceptions.
- Maintenance tasks that keep scripts under C:\\ProgramData or C:\\Windows\\Temp will be flagged. Review each, and exclude known benign ones by exact script path and task rather than by directory.
- Administrative tooling that legitimately drives one of the watched binaries (for example rundll32.exe or PowerShell.EXE) should be verified and excluded per task, path and account; the binaries themselves are too widely abused to exclude wholesale.

### Response and remediation

- If the activity is confirmed or strongly suspected to be malicious, isolate the affected system from the network to prevent lateral movement.
- Disable or delete the offending scheduled task before terminating the process; otherwise the task's trigger will simply start it again. Preserve the task XML from C:\\Windows\\System32\\Tasks and the TaskCache entries under HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache for forensics first.
- Terminate the flagged process and any children it spawned.
- Review the remaining scheduled tasks on the system for other unauthorized entries and disable them.
- Remove the malicious script or payload found in the referenced path, after collecting a copy for analysis.
- Restore the system from a known good backup if system integrity is compromised.
- Escalate to the security operations team and hunt across the estate for the same task name, script path or file hash to find other affected hosts.
- Strengthen monitoring of scheduled task registration and of the watched binaries so similar activity is caught earlier."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1053"
name = "Scheduled Task/Job"
reference = "https://attack.mitre.org/techniques/T1053/"
[[rule.threat.technique.subtechnique]]
id = "T1053.005"
name = "Scheduled Task"
reference = "https://attack.mitre.org/techniques/T1053/005/"



[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1053"
name = "Scheduled Task/Job"
reference = "https://attack.mitre.org/techniques/T1053/"
[[rule.threat.technique.subtechnique]]
id = "T1053.005"
name = "Scheduled Task"
reference = "https://attack.mitre.org/techniques/T1053/005/"



[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
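To see how the query's conditions and exclusions interact, here is a re-implementation of its predicate in Python run over a handful of constructed process-start events. This is an added example, not Elastic's code and not a supported way to execute EQL; the event dictionaries, the eql_like helper, and the SIDs, paths and file names in the samples are all assumptions made for illustration. Two details it makes visible: EQL's `in` is case-sensitive, so the list must carry the exact PE OriginalFilename strings, while `:` is a case-insensitive wildcard match; and the exclusions key on process.name, so a renamed binary that still carries a watched original file name is never excluded.

```python
"""Re-implementation of the rule's EQL predicate over constructed process-start
events (added example, not Elastic's code). Field names follow ECS as the rule
uses them; the events themselves are made up for illustration."""
import fnmatch

# The rule's `in` list. EQL `in` is case-sensitive, so these must be the exact
# OriginalFilename strings from each binary's PE version resource.
SUSPICIOUS_ORIGINAL_NAMES = {
    "cscript.exe", "wscript.exe", "PowerShell.EXE", "Cmd.Exe", "MSHTA.EXE",
    "RUNDLL32.EXE", "REGSVR32.EXE", "MSBuild.exe", "InstallUtil.exe",
    "RegAsm.exe", "RegSvcs.exe", "msxsl.exe", "CONTROL.EXE", "EXPLORER.EXE",
    "Microsoft.Workflow.Compiler.exe", "msiexec.exe",
}
# The rule's path globs (EQL ':' patterns)
SUSPICIOUS_PATH_GLOBS = [
    "C:\\Users\\*", "C:\\ProgramData\\*", "C:\\Windows\\Temp\\*", "C:\\Windows\\Tasks\\*",
    "C:\\PerfLogs\\*", "C:\\Intel\\*", "C:\\Windows\\Debug\\*", "C:\\HP\\*",
]


def eql_like(values, patterns):
    """EQL ':' operator: case-insensitive, with '*' and '?' wildcards. Either side
    may be a string or a list (process.args is a list); any pairing that matches wins."""
    values = [values] if isinstance(values, str) else list(values or [])
    patterns = [patterns] if isinstance(patterns, str) else list(patterns)
    return any(fnmatch.fnmatchcase(v.lower(), p.lower()) for v in values for p in patterns)


def rule_matches(ev):
    """True when a process-start event satisfies the rule's query, exclusions included."""
    if ev.get("host.os.type") != "windows" or ev.get("event.type") != "start":
        return False
    # Lineage: spawned by the Task Scheduler service host (svchost.exe ... -s Schedule)
    if not (eql_like(ev.get("process.parent.name"), "svchost.exe")
            and eql_like(ev.get("process.parent.args"), "Schedule")):
        return False
    # Watched binary, keyed on the PE original file name (exact, like EQL `in`)
    if ev.get("process.pe.original_file_name") not in SUSPICIOUS_ORIGINAL_NAMES:
        return False
    args = ev.get("process.args", [])
    if not eql_like(args, SUSPICIOUS_PATH_GLOBS):
        return False
    name, user, wd = ev.get("process.name"), ev.get("user.id"), ev.get("process.working_directory")
    # The rule's exclusions key on process.name, so a renamed binary never benefits from them
    if eql_like(name, "cmd.exe") and eql_like(args, "?:\\*.bat") and eql_like(wd, "?:\\Windows\\System32\\"):
        return False
    if eql_like(name, "cscript.exe") and eql_like(args, "?:\\Windows\\system32\\calluxxprovider.vbs"):
        return False
    if eql_like(name, "powershell.exe") and eql_like(args, ["-File", "-PSConsoleFile"]) and eql_like(user, "S-1-5-18"):
        return False
    if eql_like(name, "msiexec.exe") and eql_like(user, "S-1-5-18"):
        return False
    return True


def event(fields, parent_service="Schedule"):
    """Build a constructed process-start event under a given svchost service group."""
    ev = {"host.os.type": "windows", "event.type": "start",
          "process.parent.name": "svchost.exe",
          "process.parent.args": ["svchost.exe", "-k", "netsvcs", "-p", "-s", parent_service]}
    ev.update(fields)
    return ev


# Constructed sample events; SIDs, paths and file names are made up
SAMPLE_EVENTS = {
    "vbs_from_users": event({"process.name": "wscript.exe", "process.pe.original_file_name": "wscript.exe",
                             "process.args": ["wscript.exe", "C:\\Users\\Public\\update.vbs"],
                             "user.id": "S-1-5-21-1000-500"}),
    "system_msiexec": event({"process.name": "msiexec.exe", "process.pe.original_file_name": "msiexec.exe",
                             "process.args": ["msiexec.exe", "/i", "C:\\ProgramData\\Vendor\\agent.msi", "/qn"],
                             "user.id": "S-1-5-18"}),
    "user_msiexec": event({"process.name": "msiexec.exe", "process.pe.original_file_name": "msiexec.exe",
                           "process.args": ["msiexec.exe", "/i", "C:\\ProgramData\\Vendor\\agent.msi", "/qn"],
                           "user.id": "S-1-5-21-1000-1001"}),
    "system32_batch": event({"process.name": "cmd.exe", "process.pe.original_file_name": "Cmd.Exe",
                             "process.args": ["cmd.exe", "/c", "C:\\Windows\\Temp\\cleanup.bat"],
                             "process.working_directory": "C:\\Windows\\System32\\", "user.id": "S-1-5-18"}),
    "renamed_powershell": event({"process.name": "svc.exe", "process.pe.original_file_name": "PowerShell.EXE",
                                 "process.args": ["svc.exe", "-nop", "-w", "hidden", "-File", "C:\\ProgramData\\x.ps1"],
                                 "user.id": "S-1-5-18"}),
    "not_from_schedule": event({"process.name": "wscript.exe", "process.pe.original_file_name": "wscript.exe",
                                "process.args": ["wscript.exe", "C:\\Users\\Public\\update.vbs"],
                                "user.id": "S-1-5-21-1000-500"}, parent_service="Winmgmt"),
}


def evaluate(events=SAMPLE_EVENTS):
    """Run the rule over a mapping of label -> event and return label -> matched."""
    return {label: rule_matches(ev) for label, ev in events.items()}


if __name__ == "__main__":
    for label, hit in evaluate().items():
        print(f"{'ALERT ' if hit else 'quiet '} {label}")
```

Running it shows the System-account msiexec and the System32 batch job staying quiet while the same msiexec command under an ordinary user, the script under C:\Users and the renamed PowerShell all alert. When tuning exceptions, feeding a proposed exclusion through a harness like this before shipping it is a cheap way to confirm it only silences the case you intend.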


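The task-review step in the response guidance usually comes down to reading the definitions Task Scheduler keeps under C:\Windows\System32\Tasks, one UTF-16 XML file per task. The following Python is an added example, not Elastic's code and not part of the rule: it parses that XML format, records who registered each task and what account and run level it executes under, and flags any task whose action pairs one of the rule's watched binaries with one of its watched path prefixes. The two task documents are constructed samples, and review_task_store assumes it is run on the affected host with read access to the task store.

```python
"""Review Task Scheduler definitions for actions matching the rule's pattern (added
example, not Elastic's code). Windows keeps one UTF-16 XML file per task under
C:\\Windows\\System32\\Tasks; the two documents below are constructed samples."""
import ntpath
from pathlib import Path
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Lower-cased basenames of the rule's watched binaries and its path prefixes
WATCHED_BINARIES = {
    "cscript.exe", "wscript.exe", "powershell.exe", "cmd.exe", "mshta.exe", "rundll32.exe",
    "regsvr32.exe", "msbuild.exe", "installutil.exe", "regasm.exe", "regsvcs.exe", "msxsl.exe",
    "control.exe", "explorer.exe", "microsoft.workflow.compiler.exe", "msiexec.exe",
}
WATCHED_PREFIXES = [
    "c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\", "c:\\windows\\tasks\\",
    "c:\\perflogs\\", "c:\\intel\\", "c:\\windows\\debug\\", "c:\\hp\\",
]


def _text(node, path):
    child = node.find(path, NS)
    return (child.text or "").strip() if child is not None else ""


def review_task(xml_bytes, label):
    """Parse one task definition and summarise who registered it, what it runs as,
    and whether any action pairs a watched binary with a watched path."""
    root = ET.fromstring(xml_bytes)  # pass bytes so the UTF-16 declaration is honoured
    actions = []
    for exec_ in root.findall("t:Actions/t:Exec", NS):
        command = _text(exec_, "t:Command").strip('"')
        arguments = _text(exec_, "t:Arguments")
        cmdline = f"{command} {arguments}".lower()
        actions.append({
            "command": command,
            "arguments": arguments,
            # %SystemRoot%\system32\mshta.exe and C:\...\mshta.exe both reduce to mshta.exe
            "watched_binary": ntpath.basename(command).lower() in WATCHED_BINARIES,
            # substring check approximates the rule's prefix globs on process.args
            "watched_path": any(p in cmdline for p in WATCHED_PREFIXES),
        })
    return {
        "task": label,
        "author": _text(root, "t:RegistrationInfo/t:Author"),
        "registered": _text(root, "t:RegistrationInfo/t:Date"),
        "run_as": _text(root, "t:Principals/t:Principal/t:UserId"),
        "run_level": _text(root, "t:Principals/t:Principal/t:RunLevel"),
        "actions": actions,
        "suspicious": any(a["watched_binary"] and a["watched_path"] for a in actions),
    }


def review_task_store(root="C:\\Windows\\System32\\Tasks"):
    """Walk the live task store on a Windows host and return only the suspicious tasks."""
    store = Path(root)
    hits = []
    for path in store.rglob("*"):
        if not path.is_file():
            continue
        try:
            result = review_task(path.read_bytes(), str(path.relative_to(store)))
        except ET.ParseError:
            continue  # not every file in the store is a task definition
        if result["suspicious"]:
            hits.append(result)
    return hits


# Constructed samples (not taken from a real host)
SUSPICIOUS_TASK = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>DESKTOP-01\\alice</Author><Date>2024-03-02T11:42:17</Date></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author">
    <Exec><Command>%SystemRoot%\\system32\\mshta.exe</Command><Arguments>C:\\ProgramData\\Sync\\update.hta</Arguments></Exec>
  </Actions>
</Task>""".encode("utf-16")

BENIGN_TASK = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>Contoso Software</Author><Date>2023-09-14T08:00:00</Date></RegistrationInfo>
  <Triggers><CalendarTrigger><Enabled>true</Enabled></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Actions Context="Author">
    <Exec><Command>"C:\\Program Files\\Contoso\\Updater.exe"</Command><Arguments>/check</Arguments></Exec>
  </Actions>
</Task>""".encode("utf-16")


if __name__ == "__main__":
    for blob, name in ((SUSPICIOUS_TASK, "Sync\\Update"), (BENIGN_TASK, "Contoso\\Updater")):
        r = review_task(blob, name)
        print(f"{'SUSPICIOUS' if r['suspicious'] else 'ok'}: {r['task']} runs as {r['run_as']} ({r['run_level']})")
```

The first sample is the shape the rule is built to catch: a task registered by an interactive user that nevertheless runs as S-1-5-18 with HighestAvailable and launches mshta.exe against an .hta under C:\ProgramData. Copy the flagged XML (and the matching TaskCache registry entries) before disabling the task, since deleting it removes the only on-disk record of who registered it and when.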