Suspicious Execution via Scheduled Task

calendar Apr 1, 2024 · Domain: Endpoint OS: Windows Use Case: Threat Detection Tactic: Persistence Tactic: Execution Data Source: Elastic Defend  ·
Share on: linkedin copy

Identifies execution of a suspicious program via scheduled tasks by looking at process lineage and command line usage.

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2020/11/19"
  3integration = ["endpoint", "windows"]
  4maturity = "production"
  5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
  6min_stack_version = "8.3.0"
  7updated_date = "2024/03/28"
  8
  9[rule]
 10author = ["Elastic"]
 11description = "Identifies execution of a suspicious program via scheduled tasks by looking at process lineage and command line usage."
 12false_positives = ["Legitimate scheduled tasks running third party software."]
 13from = "now-9m"
 14index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*"]
 15language = "eql"
 16license = "Elastic License v2"
 17name = "Suspicious Execution via Scheduled Task"
 18risk_score = 47
 19rule_id = "5d1d6907-0747-4d5d-9b24-e4a18853dc0a"
 20setup = """## Setup
 21
 22If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
 23events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
 24Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
 25`event.ingested` to @timestamp.
 26For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 27"""
 28severity = "medium"
 29tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Data Source: Elastic Defend"]
 30timestamp_override = "event.ingested"
 31type = "eql"
 32
 33query = '''
 34process where host.os.type == "windows" and event.type == "start" and
 35    /* Schedule service cmdline on Win10+ */
 36    process.parent.name : "svchost.exe" and process.parent.args : "Schedule" and
 37    /* add suspicious programs here */
 38    process.pe.original_file_name in
 39                                (
 40                                  "cscript.exe",
 41                                  "wscript.exe",
 42                                  "PowerShell.EXE",
 43                                  "Cmd.Exe",
 44                                  "MSHTA.EXE",
 45                                  "RUNDLL32.EXE",
 46                                  "REGSVR32.EXE",
 47                                  "MSBuild.exe",
 48                                  "InstallUtil.exe",
 49                                  "RegAsm.exe",
 50                                  "RegSvcs.exe",
 51                                  "msxsl.exe",
 52                                  "CONTROL.EXE",
 53                                  "EXPLORER.EXE",
 54                                  "Microsoft.Workflow.Compiler.exe",
 55                                  "msiexec.exe"
 56                                  ) and
 57    /* add suspicious paths here */
 58    process.args : (
 59       "C:\\Users\\*",
 60       "C:\\ProgramData\\*",
 61       "C:\\Windows\\Temp\\*",
 62       "C:\\Windows\\Tasks\\*",
 63       "C:\\PerfLogs\\*",
 64       "C:\\Intel\\*",
 65       "C:\\Windows\\Debug\\*",
 66       "C:\\HP\\*") and
 67
 68     not (process.name : "cmd.exe" and process.args : "?:\\*.bat" and process.working_directory : "?:\\Windows\\System32\\") and
 69     not (process.name : "cscript.exe" and process.args : "?:\\Windows\\system32\\calluxxprovider.vbs") and
 70     not (process.name : "powershell.exe" and process.args : ("-File", "-PSConsoleFile") and user.id : "S-1-5-18") and
 71     not (process.name : "msiexec.exe" and user.id : "S-1-5-18")
 72'''
 73
 74
 75[[rule.threat]]
 76framework = "MITRE ATT&CK"
 77[[rule.threat.technique]]
 78id = "T1053"
 79name = "Scheduled Task/Job"
 80reference = "https://attack.mitre.org/techniques/T1053/"
 81[[rule.threat.technique.subtechnique]]
 82id = "T1053.005"
 83name = "Scheduled Task"
 84reference = "https://attack.mitre.org/techniques/T1053/005/"
 85
 86
 87
 88[rule.threat.tactic]
 89id = "TA0003"
 90name = "Persistence"
 91reference = "https://attack.mitre.org/tactics/TA0003/"
 92
 93[[rule.threat]]
 94framework = "MITRE ATT&CK"
 95[[rule.threat.technique]]
 96id = "T1053"
 97name = "Scheduled Task/Job"
 98reference = "https://attack.mitre.org/techniques/T1053/"
 99[[rule.threat.technique.subtechnique]]
100id = "T1053.005"
101name = "Scheduled Task"
102reference = "https://attack.mitre.org/techniques/T1053/005/"
103
104
105[rule.threat.tactic]
106id = "TA0002"
107name = "Execution"
108reference = "https://attack.mitre.org/tactics/TA0002/"

Related rules

to-top