Suspicious Execution via Scheduled Task
Identifies execution of a suspicious program via scheduled tasks by looking at process lineage and command line usage.
Elastic rule
[metadata]
creation_date = "2020/11/19"
integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"

[rule]
author = ["Elastic"]
description = "Identifies execution of a suspicious program via scheduled tasks by looking at process lineage and command line usage."
false_positives = ["Legitimate scheduled tasks running third party software."]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Execution via Scheduled Task"
note = """## Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
"""
risk_score = 47
rule_id = "5d1d6907-0747-4d5d-9b24-e4a18853dc0a"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and
    /* Schedule service cmdline on Win10+ */
    process.parent.name : "svchost.exe" and process.parent.args : "Schedule" and
    /* add suspicious programs here */
    process.pe.original_file_name in
        (
        "cscript.exe",
        "wscript.exe",
        "PowerShell.EXE",
        "Cmd.Exe",
        "MSHTA.EXE",
        "RUNDLL32.EXE",
        "REGSVR32.EXE",
        "MSBuild.exe",
        "InstallUtil.exe",
        "RegAsm.exe",
        "RegSvcs.exe",
        "msxsl.exe",
        "CONTROL.EXE",
        "EXPLORER.EXE",
        "Microsoft.Workflow.Compiler.exe",
        "msiexec.exe"
        ) and
    /* add suspicious paths here */
    process.args : (
        "C:\\Users\\*",
        "C:\\ProgramData\\*",
        "C:\\Windows\\Temp\\*",
        "C:\\Windows\\Tasks\\*",
        "C:\\PerfLogs\\*",
        "C:\\Intel\\*",
        "C:\\Windows\\Debug\\*",
        "C:\\HP\\*") and

    not (process.name : "cmd.exe" and process.args : "?:\\*.bat" and process.working_directory : "?:\\Windows\\System32\\") and
    not (process.name : "cscript.exe" and process.args : "?:\\Windows\\system32\\calluxxprovider.vbs") and
    not (process.name : "powershell.exe" and process.args : ("-File", "-PSConsoleFile") and user.id : "S-1-5-18") and
    not (process.name : "msiexec.exe" and user.id : "S-1-5-18")
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1053"
name = "Scheduled Task/Job"
reference = "https://attack.mitre.org/techniques/T1053/"
[[rule.threat.technique.subtechnique]]
id = "T1053.005"
name = "Scheduled Task"
reference = "https://attack.mitre.org/techniques/T1053/005/"



[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
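To make the rule's logic concrete, the following is an added example (not part of the Elastic rule or its repository) that re-implements the query's conditions in plain Python and runs them over a handful of constructed process-start events: the parent-lineage check (svchost.exe hosting the Schedule service), the case-sensitive `in` list of PE original file names, the wildcard `:` match on suspicious argument paths, and the four `not (...)` exclusions. The events, SIDs, and file paths are all made up for illustration; the `eql_like` helper is an approximation of EQL's `:` operator, not Elastic's parser.

```python
"""Python re-implementation of the rule's EQL conditions, run over constructed
sample events (not real telemetry). Events are flat dicts keyed by ECS field name."""
import re
from typing import Any

# Copied from the rule's query.
SUSPICIOUS_ORIGINAL_NAMES = {
    "cscript.exe", "wscript.exe", "PowerShell.EXE", "Cmd.Exe", "MSHTA.EXE",
    "RUNDLL32.EXE", "REGSVR32.EXE", "MSBuild.exe", "InstallUtil.exe",
    "RegAsm.exe", "RegSvcs.exe", "msxsl.exe", "CONTROL.EXE", "EXPLORER.EXE",
    "Microsoft.Workflow.Compiler.exe", "msiexec.exe",
}
SUSPICIOUS_PATHS = [
    "C:\\Users\\*", "C:\\ProgramData\\*", "C:\\Windows\\Temp\\*", "C:\\Windows\\Tasks\\*",
    "C:\\PerfLogs\\*", "C:\\Intel\\*", "C:\\Windows\\Debug\\*", "C:\\HP\\*",
]
SYSTEM_SID = "S-1-5-18"


def eql_like(value: Any, pattern: str) -> bool:
    """Approximates EQL's ':' operator: case-insensitive, '*' matches any run of
    characters, '?' matches one character. On a list field it is true if any element matches."""
    if isinstance(value, list):
        return any(eql_like(v, pattern) for v in value)
    if not isinstance(value, str):
        return False
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def eql_like_any(value: Any, patterns: list) -> bool:
    """'field : (a, b, c)' is true if the field matches any of the patterns."""
    return any(eql_like(value, p) for p in patterns)


def matches_rule(ev: dict) -> bool:
    """True when the event satisfies every clause of the rule's query."""
    if ev.get("host.os.type") != "windows" or ev.get("event.type") != "start":
        return False
    # Lineage: spawned by the svchost.exe instance hosting the Schedule service.
    if not (eql_like(ev.get("process.parent.name"), "svchost.exe")
            and eql_like(ev.get("process.parent.args"), "Schedule")):
        return False
    # 'in' is case-sensitive in EQL, so the PE original_file_name must match exactly.
    if ev.get("process.pe.original_file_name") not in SUSPICIOUS_ORIGINAL_NAMES:
        return False
    if not eql_like_any(ev.get("process.args"), SUSPICIOUS_PATHS):
        return False
    name, args, uid = ev.get("process.name"), ev.get("process.args"), ev.get("user.id")
    excluded = (
        (eql_like(name, "cmd.exe") and eql_like(args, "?:\\*.bat")
         and eql_like(ev.get("process.working_directory"), "?:\\Windows\\System32\\"))
        or (eql_like(name, "cscript.exe")
            and eql_like(args, "?:\\Windows\\system32\\calluxxprovider.vbs"))
        or (eql_like(name, "powershell.exe") and eql_like_any(args, ["-File", "-PSConsoleFile"])
            and eql_like(uid, SYSTEM_SID))
        or (eql_like(name, "msiexec.exe") and eql_like(uid, SYSTEM_SID))
    )
    return not excluded


def run_rule(events: list) -> list:
    """Return the ids of the events the rule would alert on."""
    return [ev["event.id"] for ev in events if matches_rule(ev)]


# Constructed sample events (hypothetical paths, SIDs and task names).
SCHEDULE_SVCHOST = {"process.parent.name": "svchost.exe",
                    "process.parent.args": ["svchost.exe", "-k", "netsvcs", "-p", "-s", "Schedule"]}
BASE = {"host.os.type": "windows", "event.type": "start"}
SAMPLE_EVENTS = [
    {**BASE, **SCHEDULE_SVCHOST, "event.id": "alert-wscript-user-profile",
     "process.name": "wscript.exe", "process.pe.original_file_name": "wscript.exe",
     "process.args": ["wscript.exe", "C:\\Users\\alice\\AppData\\Roaming\\update.vbs"],
     "process.working_directory": "C:\\Users\\alice\\", "user.id": "S-1-5-21-1000"},
    {**BASE, "event.id": "benign-wscript-from-explorer",  # same command, not task-launched
     "process.parent.name": "explorer.exe", "process.parent.args": ["explorer.exe"],
     "process.name": "wscript.exe", "process.pe.original_file_name": "wscript.exe",
     "process.args": ["wscript.exe", "C:\\Users\\alice\\AppData\\Roaming\\update.vbs"],
     "user.id": "S-1-5-21-1000"},
    {**BASE, **SCHEDULE_SVCHOST, "event.id": "fp-cmd-system32-bat",  # exclusion 1
     "process.name": "cmd.exe", "process.pe.original_file_name": "Cmd.Exe",
     "process.args": ["cmd.exe", "/c", "C:\\Windows\\Tasks\\cleanup.bat"],
     "process.working_directory": "C:\\Windows\\System32\\", "user.id": SYSTEM_SID},
    {**BASE, **SCHEDULE_SVCHOST, "event.id": "fp-msiexec-system",  # exclusion 4
     "process.name": "msiexec.exe", "process.pe.original_file_name": "msiexec.exe",
     "process.args": ["msiexec.exe", "/i", "C:\\ProgramData\\vendor\\agent.msi", "/qn"],
     "user.id": SYSTEM_SID},
    {**BASE, **SCHEDULE_SVCHOST, "event.id": "alert-powershell-temp",  # -File but not SYSTEM
     "process.name": "powershell.exe", "process.pe.original_file_name": "PowerShell.EXE",
     "process.args": ["powershell.exe", "-ExecutionPolicy", "Bypass", "-File", "C:\\Windows\\Temp\\run.ps1"],
     "user.id": "S-1-5-21-1000"},
    {**BASE, **SCHEDULE_SVCHOST, "event.id": "fp-powershell-system-file",  # exclusion 3
     "process.name": "powershell.exe", "process.pe.original_file_name": "PowerShell.EXE",
     "process.args": ["powershell.exe", "-File", "C:\\Windows\\Temp\\run.ps1"],
     "user.id": SYSTEM_SID},
]

if __name__ == "__main__":
    print(run_rule(SAMPLE_EVENTS))  # ['alert-wscript-user-profile', 'alert-powershell-temp']
```

Two points the walk-through makes visible that the query alone does not: the same wscript.exe command line is only an alert when the parent is the Schedule-service svchost.exe, and the exclusions hinge on `user.id` being the SYSTEM SID, so the identical `-File` PowerShell launch alerts when run as an ordinary user but not as SYSTEM. When tuning the rule, extending the `in` list requires the exact PE original file name, since that operator is case-sensitive.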
Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define event.ingested and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate event.ingested to @timestamp for this rule to work.
Related rules
- Adobe Hijack Persistence
- Component Object Model Hijacking
- Creation of a Hidden Local User Account
- Creation or Modification of a new GPO Scheduled Task or Service
- Execution of Persistent Suspicious Program