Suspicious Execution via Scheduled Task

Identifies execution of a suspicious program via scheduled tasks by looking at process lineage and command line usage.


[metadata]
creation_date = "2020/11/19"
integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
# Lowest stack version this rule is published for. The Setup note in [rule]
# depends on the EQL event.ingested fallback that it says arrived in 8.2, so
# this floor already covers hosts that need it.
min_stack_version = "8.3.0"
# NOTE(review): presumably bumped whenever the query or metadata changes and
# used by the rule tooling for versioning -- confirm against the repo's
# release process before editing the query without touching it.
updated_date = "2023/06/22"

 9[rule]
10author = ["Elastic"]
11description = "Identifies execution of a suspicious program via scheduled tasks by looking at process lineage and command line usage."
12false_positives = ["Legitimate scheduled tasks running third party software."]
13from = "now-9m"
14index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
15language = "eql"
16license = "Elastic License v2"
17name = "Suspicious Execution via Scheduled Task"
18note = """## Setup
19
20If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
21"""
22risk_score = 47
23rule_id = "5d1d6907-0747-4d5d-9b24-e4a18853dc0a"
24severity = "medium"
25tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
26timestamp_override = "event.ingested"
27type = "eql"
28
29query = '''
30process where host.os.type == "windows" and event.type == "start" and
31    /* Schedule service cmdline on Win10+ */
32    process.parent.name : "svchost.exe" and process.parent.args : "Schedule" and
33    /* add suspicious programs here */
34    process.pe.original_file_name in
35                                (
36                                  "cscript.exe",
37                                  "wscript.exe",
38                                  "PowerShell.EXE",
39                                  "Cmd.Exe",
40                                  "MSHTA.EXE",
41                                  "RUNDLL32.EXE",
42                                  "REGSVR32.EXE",
43                                  "MSBuild.exe",
44                                  "InstallUtil.exe",
45                                  "RegAsm.exe",
46                                  "RegSvcs.exe",
47                                  "msxsl.exe",
48                                  "CONTROL.EXE",
49                                  "EXPLORER.EXE",
50                                  "Microsoft.Workflow.Compiler.exe",
51                                  "msiexec.exe"
52                                  ) and
53    /* add suspicious paths here */
54    process.args : (
55       "C:\\Users\\*",
56       "C:\\ProgramData\\*",
57       "C:\\Windows\\Temp\\*",
58       "C:\\Windows\\Tasks\\*",
59       "C:\\PerfLogs\\*",
60       "C:\\Intel\\*",
61       "C:\\Windows\\Debug\\*",
62       "C:\\HP\\*") and
63
64     not (process.name : "cmd.exe" and process.args : "?:\\*.bat" and process.working_directory : "?:\\Windows\\System32\\") and
65     not (process.name : "cscript.exe" and process.args : "?:\\Windows\\system32\\calluxxprovider.vbs") and
66     not (process.name : "powershell.exe" and process.args : ("-File", "-PSConsoleFile") and user.id : "S-1-5-18") and
67     not (process.name : "msiexec.exe" and user.id : "S-1-5-18")
68'''
69
70
# ATT&CK mapping. Only the Persistence tactic is declared here, although the
# rule fires when the task's payload actually starts.
# NOTE(review): ATT&CK also lists T1053.005 under Execution and Privilege
# Escalation; a second [[rule.threat]] entry for Execution (with a matching
# "Tactic: Execution" tag in [rule]) may be worth adding -- verify against
# the current matrix and the repo's tagging conventions.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1053"
name = "Scheduled Task/Job"
reference = "https://attack.mitre.org/techniques/T1053/"
[[rule.threat.technique.subtechnique]]
id = "T1053.005"
name = "Scheduled Task"
reference = "https://attack.mitre.org/techniques/T1053/005/"



[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

Setup

If you enable an EQL rule on a non-Elastic-Agent index (such as one written by Beats) on a stack older than 8.2, the events will not carry event.ingested, and the default fallback for EQL rules was only added in 8.2. In that case add a custom ingest pipeline that populates event.ingested from @timestamp, otherwise this rule will not match.
