Suspicious Execution via Scheduled Task
Identifies execution of a suspicious program via scheduled tasks by looking at process lineage and command line usage.
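# Elastic prebuilt detection rule. The rendered listing had the page's line-number
# gutter fused into every line ("1[metadata]", "2creation_date = ..."), which is not
# parseable TOML; this is the cleaned-up rule with reviewer notes added as TOML comments.
# The `query` string itself is reproduced unchanged.

[metadata]
creation_date = "2020/11/19"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = "Identifies execution of a suspicious program via scheduled tasks by looking at process lineage and command line usage."
# Beyond the stated false positive, note that the query's trailing `not` clauses carve out
# SYSTEM-context powershell.exe (-File / -PSConsoleFile) and SYSTEM-context msiexec.exe
# entirely, so those never surface here even when the script or package sits under one of
# the flagged paths. See the query notes below.
false_positives = ["Legitimate scheduled tasks running third party software."]
# Rule look-back window; the setup text below explains why `event.ingested` must be
# populated for the `timestamp_override` to work on non-agent indices.
from = "now-9m"
# Process events from Elastic Defend (logs-endpoint.events.process-*) and from
# Winlogbeat / the Windows integration.
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Execution via Scheduled Task"
risk_score = 47
rule_id = "5d1d6907-0747-4d5d-9b24-e4a18853dc0a"
setup = """## Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
tags = [
  "Domain: Endpoint",
  "OS: Windows",
  "Use Case: Threat Detection",
  "Tactic: Persistence",
  "Tactic: Execution",
  "Data Source: Elastic Defend",
]
timestamp_override = "event.ingested"
type = "eql"

# Query notes (reviewer):
# - Lineage: the parent must be svchost.exe with "Schedule" in its arguments, i.e. the Task
#   Scheduler service host. The in-query comment scopes that shape to Win10+; whether
#   task-launched children on older hosts carry the same parent arguments is not verified here.
# - Child identity is matched on process.pe.original_file_name, not process.name, so a renamed
#   copy of e.g. powershell.exe still matches as long as its PE version resource is intact.
#   `in` is case-sensitive in EQL, hence the exact mixed casing of each entry.
# - At least one argument must start with one of the listed directories (commonly writable by
#   unprivileged users or rarely inspected). These positive patterns are pinned to drive "C:"
#   while the exclusions use "?:\\"; a host whose system drive is not C: will not match the
#   positive path list. Switching them to "?:\\..." would close that gap.
# - Exclusions: SYSTEM (S-1-5-18) powershell.exe started with -File or -PSConsoleFile, and
#   SYSTEM msiexec.exe, are excluded with no path restriction at all, so a SYSTEM task running
#   `powershell -File C:\ProgramData\x.ps1` is a blind spot for this rule. Narrow those
#   exclusions (e.g. by script path or publisher) if that matters in your environment.
query = '''
process where host.os.type == "windows" and event.type == "start" and
  /* Schedule service cmdline on Win10+ */
  process.parent.name : "svchost.exe" and process.parent.args : "Schedule" and
  /* add suspicious programs here */
  process.pe.original_file_name in
  (
    "cscript.exe",
    "wscript.exe",
    "PowerShell.EXE",
    "Cmd.Exe",
    "MSHTA.EXE",
    "RUNDLL32.EXE",
    "REGSVR32.EXE",
    "MSBuild.exe",
    "InstallUtil.exe",
    "RegAsm.exe",
    "RegSvcs.exe",
    "msxsl.exe",
    "CONTROL.EXE",
    "EXPLORER.EXE",
    "Microsoft.Workflow.Compiler.exe",
    "msiexec.exe"
  ) and
  /* add suspicious paths here */
  process.args : (
    "C:\\Users\\*",
    "C:\\ProgramData\\*",
    "C:\\Windows\\Temp\\*",
    "C:\\Windows\\Tasks\\*",
    "C:\\PerfLogs\\*",
    "C:\\Intel\\*",
    "C:\\Windows\\Debug\\*",
    "C:\\HP\\*") and

  not (process.name : "cmd.exe" and process.args : "?:\\*.bat" and process.working_directory : "?:\\Windows\\System32\\") and
  not (process.name : "cscript.exe" and process.args : "?:\\Windows\\system32\\calluxxprovider.vbs") and
  not (process.name : "powershell.exe" and process.args : ("-File", "-PSConsoleFile") and user.id : "S-1-5-18") and
  not (process.name : "msiexec.exe" and user.id : "S-1-5-18")
'''

# One [[rule.threat]] entry per tactic; the technique/sub-technique is the same for both.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1053"
name = "Scheduled Task/Job"
reference = "https://attack.mitre.org/techniques/T1053/"
[[rule.threat.technique.subtechnique]]
id = "T1053.005"
name = "Scheduled Task"
reference = "https://attack.mitre.org/techniques/T1053/005/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1053"
name = "Scheduled Task/Job"
reference = "https://attack.mitre.org/techniques/T1053/"
[[rule.threat.technique.subtechnique]]
id = "T1053.005"
name = "Scheduled Task"
reference = "https://attack.mitre.org/techniques/T1053/005/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"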
Related rules
- New ActiveSyncAllowedDeviceID Added via PowerShell
- Persistence via Hidden Run Key Detected
- Persistence via WMI Event Subscription
- Scheduled Task Created by a Windows Script
- Suspicious Image Load (taskschd.dll) from MS Office