Temporarily Scheduled Task Creation

Indicates the creation and deletion of a scheduled task within a short time interval. Adversaries can use these to proxy malicious execution via the schedule service and perform clean up.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2022/08/29"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Indicates the creation and deletion of a scheduled task within a short time interval. Adversaries can use these to proxy
malicious execution via the schedule service and perform clean up.
"""
false_positives = ["Legitimate scheduled tasks may be created during installation of new software."]
from = "now-9m"
index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "Temporarily Scheduled Task Creation"
references = ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698"]
risk_score = 47
rule_id = "81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Persistence",
    "Tactic: Execution",
    "Data Source: System",
    "Resources: Investigation Guide",
]
type = "eql"

query = '''
sequence by winlog.computer_name, winlog.event_data.TaskName with maxspan=5m
   [iam where event.action == "scheduled-task-created" and not user.name : "*$"]
   [iam where event.action == "scheduled-task-deleted" and not user.name : "*$"]
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Temporarily Scheduled Task Creation

Scheduled tasks in Windows environments automate routine tasks, but adversaries exploit them for persistence and execution by creating and quickly deleting tasks to mask malicious activity. The detection rule identifies such behavior by tracking task creation and deletion within a short timeframe, flagging potential misuse when these actions occur in rapid succession without typical user patterns.

### Possible investigation steps

- Review the winlog.computer_name field to identify the affected system and determine if it is a critical asset or part of a sensitive network segment.
- Examine the winlog.event_data.TaskName to understand the nature of the task created and deleted, and assess if it aligns with known legitimate tasks or appears suspicious.
- Investigate the user.name associated with the task creation and deletion events to determine if the activity was performed by a legitimate user or potentially compromised account.
- Check for any related events or logs around the same timeframe on the affected system to identify any additional suspicious activities or anomalies.
- Correlate the task creation and deletion events with other security alerts or incidents to determine if this activity is part of a broader attack campaign or isolated incident.

### False positive analysis

- Routine administrative tasks may trigger the rule if system administrators frequently create and delete scheduled tasks for maintenance purposes. To manage this, create exceptions for known administrative accounts or specific task names that are part of regular operations.
- Automated scripts or software updates that temporarily create scheduled tasks can also cause false positives. Identify these scripts or update processes and exclude their associated user accounts or task names from the detection rule.
- Some legitimate applications may use scheduled tasks for temporary operations. Review application documentation to confirm such behavior and exclude these applications by their task names or associated user accounts.
- In environments with frequent testing or development activities, developers might create and delete tasks as part of their workflow. Consider excluding developer accounts or specific task names used in testing environments to reduce noise.
- Scheduled tasks created by monitoring or security tools for short-lived operations can be mistaken for malicious activity. Verify these tools' behavior and exclude their task names or user accounts if they are known to be safe.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further malicious activity and lateral movement.
- Review the scheduled task details, including the task name and associated scripts or executables, to identify any malicious payloads or commands.
- Terminate any malicious processes or executables identified from the scheduled task analysis to stop ongoing threats.
- Restore any altered or deleted system files from a known good backup to ensure system integrity.
- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malware.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if other systems are affected.
- Implement additional monitoring and alerting for similar scheduled task activities to enhance detection and prevent recurrence of this threat."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1053"
name = "Scheduled Task/Job"
reference = "https://attack.mitre.org/techniques/T1053/"
[[rule.threat.technique.subtechnique]]
id = "T1053.005"
name = "Scheduled Task"
reference = "https://attack.mitre.org/techniques/T1053/005/"



[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1053"
name = "Scheduled Task/Job"
reference = "https://attack.mitre.org/techniques/T1053/"
[[rule.threat.technique.subtechnique]]
id = "T1053.005"
name = "Scheduled Task"
reference = "https://attack.mitre.org/techniques/T1053/005/"



[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
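To make the EQL sequence above concrete, here is an added example, written for this page and not part of Elastic's rule or its tooling, that replays the same logic in plain Python over constructed ECS-shaped events: pair a `scheduled-task-created` event with a later `scheduled-task-deleted` event joined on `winlog.computer_name` and `winlog.event_data.TaskName`, require the pair to fall within `maxspan=5m`, and drop machine accounts (`user.name` ending in `$`) at both stages. It then applies the kind of exceptions the false-positive section recommends (known accounts, known task-name patterns). The sample events, host names, user names and task names are all constructed; the handling of a second creation arriving while one is still pending (newest creation replaces the older one) is an assumption about the sequence semantics, not something the rule text states.

```python
"""Added example: stand-alone replay of the rule's EQL sequence over constructed events.

Mirrors:
  sequence by winlog.computer_name, winlog.event_data.TaskName with maxspan=5m
    [iam where event.action == "scheduled-task-created" and not user.name : "*$"]
    [iam where event.action == "scheduled-task-deleted" and not user.name : "*$"]
"""
from datetime import datetime, timedelta
from fnmatch import fnmatch

MAXSPAN = timedelta(minutes=5)  # "with maxspan=5m" in the rule


def _event(ts, action, host, task, user):
    # Build one constructed, ECS-shaped event (not real log data).
    return {
        "@timestamp": ts,
        "event": {"category": ["iam"], "action": action},
        "winlog": {"computer_name": host, "event_data": {"TaskName": task}},
        "user": {"name": user},
    }


# Constructed sample events, deliberately out of order to exercise the sort.
SAMPLE_EVENTS = [
    _event("2025-01-15T10:02:30Z", "scheduled-task-deleted", "WS01", "\\Updater", "alice"),
    _event("2025-01-15T10:00:00Z", "scheduled-task-created", "WS01", "\\Updater", "alice"),
    # machine account (trailing $): filtered by  not user.name : "*$"
    _event("2025-01-15T10:00:05Z", "scheduled-task-created", "WS01", "\\SvcTask", "WS01$"),
    _event("2025-01-15T10:00:10Z", "scheduled-task-deleted", "WS01", "\\SvcTask", "WS01$"),
    # deletion arrives after the 5 minute span: no match
    _event("2025-01-15T10:10:00Z", "scheduled-task-created", "SRV01", "\\Backup", "carol"),
    _event("2025-01-15T10:20:00Z", "scheduled-task-deleted", "SRV01", "\\Backup", "carol"),
    # same task name deleted on a different host: join keys differ, no match
    _event("2025-01-15T10:11:00Z", "scheduled-task-deleted", "SRV02", "\\Backup", "carol"),
    # developer workflow: matches the sequence, later removed by an exception
    _event("2025-01-15T10:05:00Z", "scheduled-task-created", "DEV01", "\\DevTest-42", "bob"),
    _event("2025-01-15T10:06:00Z", "scheduled-task-deleted", "DEV01", "\\DevTest-42", "bob"),
]


def _ts(ev):
    return datetime.strptime(ev["@timestamp"], "%Y-%m-%dT%H:%M:%SZ")


def _is_iam(ev):
    # event.category may be a string or a list in ECS documents.
    cat = ev["event"].get("category", [])
    return "iam" in (cat if isinstance(cat, list) else [cat])


def find_temporary_tasks(events, maxspan=MAXSPAN):
    """Return one dict per creation/deletion pair joined on (host, TaskName) within maxspan."""
    pending = {}  # (host, task) -> creation event still waiting for its deletion
    hits = []
    for ev in sorted(events, key=_ts):
        if not _is_iam(ev):
            continue
        user = ev.get("user", {}).get("name", "")
        if user.endswith("$"):  # machine accounts are excluded in both stages
            continue
        key = (ev["winlog"]["computer_name"], ev["winlog"]["event_data"]["TaskName"])
        action = ev["event"]["action"]
        if action == "scheduled-task-created":
            pending[key] = ev  # assumption: a newer creation restarts the sequence
        elif action == "scheduled-task-deleted" and key in pending:
            created = pending.pop(key)
            delta = _ts(ev) - _ts(created)
            if delta <= maxspan:
                hits.append({
                    "host": key[0], "task": key[1], "user": user,
                    "created": created["@timestamp"], "deleted": ev["@timestamp"],
                    "seconds": int(delta.total_seconds()),
                })
    return hits


def apply_exceptions(hits, excluded_users=(), excluded_task_globs=()):
    """Drop hits for known accounts or task-name patterns, as the false-positive guidance suggests."""
    return [h for h in hits
            if h["user"] not in excluded_users
            and not any(fnmatch(h["task"], g) for g in excluded_task_globs)]


if __name__ == "__main__":
    tuned = apply_exceptions(find_temporary_tasks(SAMPLE_EVENTS),
                             excluded_task_globs=("\\DevTest-*",))
    for h in tuned:
        print(f'{h["host"]} {h["task"]} by {h["user"]}: deleted {h["seconds"]}s after creation')
```

Run as-is it reports only the `\Updater` pair on `WS01`: the machine-account pair is filtered, the `\Backup` pair exceeds the span, the stray deletion on `SRV02` has no matching creation on that host, and the developer task is removed by the glob exception. Tightening `maxspan` shows how the window trades recall for noise, which is the same knob the rule exposes.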
