Suspicious Execution via Scheduled Task

Identifies execution of a suspicious program via scheduled tasks by looking at process lineage and command line usage.


# Rule bookkeeping. Dates are kept as "YYYY/MM/DD" strings (the rule's own
# convention), not native TOML dates.
[metadata]
creation_date = "2020/11/19"
# Integrations whose data streams this rule reads; compare with `index` under [rule].
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2024/10/15"
# Minimum stack version; `min_stack_comments` records why it was raised.
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = "Identifies execution of a suspicious program via scheduled tasks by looking at process lineage and command line usage."
false_positives = ["Legitimate scheduled tasks running third party software."]
# Lookback window per rule execution. Combined with `timestamp_override` below,
# the window is evaluated against ingest time so late-arriving events are still seen;
# see `setup` for what that requires on pre-8.2 beats indices.
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Execution via Scheduled Task"
references = [
    "https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper",
]
risk_score = 47
rule_id = "5d1d6907-0747-4d5d-9b24-e4a18853dc0a"
setup = """## Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Persistence",
    "Tactic: Execution",
    "Data Source: Elastic Defend",
]
timestamp_override = "event.ingested"
type = "eql"

# Detection logic, read top to bottom:
#   1. Lineage: the parent is svchost.exe hosting the Task Scheduler service
#      (`process.parent.args : "Schedule"`), i.e. the child was launched by a scheduled task.
#   2. Binary: the child's PE `original_file_name` is one of the listed script hosts /
#      proxy-execution binaries. This field comes from the PE version resource, so renaming
#      the file on disk does not evade the check; it can be absent for binaries without
#      version info, in which case the `in` test simply does not match.
#   3. Command line: some argument points into a user-writable or otherwise unusual path.
#      NOTE(review): this path list is pinned to drive `C:` while every exclusion below uses
#      the `?:` drive wildcard — confirm whether a fixed drive letter is intended.
#   4. Exclusions: each one narrows by process name plus arguments (and, for the last two,
#      the Local System SID S-1-5-18); keep new tuning in that same name+args shape rather
#      than excluding a binary outright.
# The `in` list compares `original_file_name` as written, so the mixed-case spellings
# reflect the values carried by the binaries themselves.
query = '''
process where host.os.type == "windows" and event.type == "start" and
    /* Schedule service cmdline on Win10+ */
    process.parent.name : "svchost.exe" and process.parent.args : "Schedule" and
    /* add suspicious programs here */
    process.pe.original_file_name in
                                (
                                  "cscript.exe",
                                  "wscript.exe",
                                  "PowerShell.EXE",
                                  "Cmd.Exe",
                                  "MSHTA.EXE",
                                  "RUNDLL32.EXE",
                                  "REGSVR32.EXE",
                                  "MSBuild.exe",
                                  "InstallUtil.exe",
                                  "RegAsm.exe",
                                  "RegSvcs.exe",
                                  "msxsl.exe",
                                  "CONTROL.EXE",
                                  "EXPLORER.EXE",
                                  "Microsoft.Workflow.Compiler.exe",
                                  "msiexec.exe"
                                  ) and
    /* add suspicious paths here */
    process.args : (
       "C:\\Users\\*",
       "C:\\ProgramData\\*",
       "C:\\Windows\\Temp\\*",
       "C:\\Windows\\Tasks\\*",
       "C:\\PerfLogs\\*",
       "C:\\Intel\\*",
       "C:\\Windows\\Debug\\*",
       "C:\\HP\\*") and

     not (process.name : "cmd.exe" and process.args : "?:\\*.bat" and process.working_directory : "?:\\Windows\\System32\\") and
     not (process.name : "cscript.exe" and process.args : "?:\\Windows\\system32\\calluxxprovider.vbs") and
     not (process.name : "powershell.exe" and process.args : ("-File", "-PSConsoleFile") and user.id : "S-1-5-18") and
     not (process.name : "msiexec.exe" and user.id : "S-1-5-18")
'''


# ATT&CK mapping, entry 1 of 2: the same technique (T1053.005) is mapped once per
# tactic, matching the "Tactic: Persistence" and "Tactic: Execution" tags above.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1053"
name = "Scheduled Task/Job"
reference = "https://attack.mitre.org/techniques/T1053/"
[[rule.threat.technique.subtechnique]]
id = "T1053.005"
name = "Scheduled Task"
reference = "https://attack.mitre.org/techniques/T1053/005/"



# Tactic for this [[rule.threat]] element.
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
# ATT&CK mapping, entry 2 of 2: same technique/sub-technique as the first entry,
# attached to the Execution tactic instead of Persistence.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1053"
name = "Scheduled Task/Job"
reference = "https://attack.mitre.org/techniques/T1053/"
[[rule.threat.technique.subtechnique]]
id = "T1053.005"
name = "Scheduled Task"
reference = "https://attack.mitre.org/techniques/T1053/005/"



# Tactic for this [[rule.threat]] element.
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
