Temporarily Scheduled Task Creation
Indicates the creation and deletion of a scheduled task within a short time interval. Adversaries can use these to proxy malicious execution via the schedule service and perform clean up.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2022/08/29"
3integration = ["system", "windows"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2023/10/13"
8
9[rule]
10author = ["Elastic"]
11description = """
12Indicates the creation and deletion of a scheduled task within a short time interval. Adversaries can use these to proxy
13malicious execution via the schedule service and perform clean up.
14"""
15false_positives = ["Legitimate scheduled tasks may be created during installation of new software."]
16from = "now-9m"
17index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
18language = "eql"
19license = "Elastic License v2"
20name = "Temporarily Scheduled Task Creation"
21references = ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698"]
22risk_score = 47
23rule_id = "81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe"
24severity = "medium"
25tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution"]
26type = "eql"
27
28query = '''
29sequence by winlog.computer_name, winlog.event_data.TaskName with maxspan=5m
30 [iam where event.action == "scheduled-task-created" and not user.name : "*$"]
31 [iam where event.action == "scheduled-task-deleted" and not user.name : "*$"]
32'''
33
34[[rule.threat]]
35framework = "MITRE ATT&CK"
36[[rule.threat.technique]]
37id = "T1053"
38name = "Scheduled Task/Job"
39reference = "https://attack.mitre.org/techniques/T1053/"
40[[rule.threat.technique.subtechnique]]
41id = "T1053.005"
42name = "Scheduled Task"
43reference = "https://attack.mitre.org/techniques/T1053/005/"
44
45
46
47[rule.threat.tactic]
48id = "TA0003"
49name = "Persistence"
50reference = "https://attack.mitre.org/tactics/TA0003/"
51
52[[rule.threat]]
53framework = "MITRE ATT&CK"
54[[rule.threat.technique]]
55id = "T1053"
56name = "Scheduled Task/Job"
57reference = "https://attack.mitre.org/techniques/T1053/"
58
59[[rule.threat.technique.subtechnique]]
60id = "T1053.005"
61name = "Scheduled Task"
62reference = "https://attack.mitre.org/techniques/T1053/005/"
63
64
65[rule.threat.tactic]
66id = "TA0002"
67name = "Execution"
68reference = "https://attack.mitre.org/tactics/TA0002/"
References
-
Describes security event 4698(S) A scheduled task was created. This event is generated when a scheduled task is created.
Read More
Related rules
- Anomalous Process For a Windows Population
- Unusual Windows Path Activity
- AdminSDHolder Backdoor
- Anomalous Windows Process Creation
- Suspicious Powershell Script