Temporarily Scheduled Task Creation
Indicates the creation and deletion of a scheduled task within a short time interval. Adversaries can use these to proxy malicious execution via the schedule service and perform clean up.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2022/08/29"
3integration = ["system", "windows"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic"]
9description = """
10Indicates the creation and deletion of a scheduled task within a short time interval. Adversaries can use these to proxy
11malicious execution via the schedule service and perform clean up.
12"""
13false_positives = ["Legitimate scheduled tasks may be created during installation of new software."]
14from = "now-9m"
15index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
16language = "eql"
17license = "Elastic License v2"
18name = "Temporarily Scheduled Task Creation"
19references = ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698"]
20risk_score = 47
21rule_id = "81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe"
22severity = "medium"
23tags = [
24 "Domain: Endpoint",
25 "OS: Windows",
26 "Use Case: Threat Detection",
27 "Tactic: Persistence",
28 "Tactic: Execution",
29]
30type = "eql"
31
32query = '''
33sequence by winlog.computer_name, winlog.event_data.TaskName with maxspan=5m
34 [iam where event.action == "scheduled-task-created" and not user.name : "*$"]
35 [iam where event.action == "scheduled-task-deleted" and not user.name : "*$"]
36'''
37
38
39[[rule.threat]]
40framework = "MITRE ATT&CK"
41[[rule.threat.technique]]
42id = "T1053"
43name = "Scheduled Task/Job"
44reference = "https://attack.mitre.org/techniques/T1053/"
45[[rule.threat.technique.subtechnique]]
46id = "T1053.005"
47name = "Scheduled Task"
48reference = "https://attack.mitre.org/techniques/T1053/005/"
49
50
51
52[rule.threat.tactic]
53id = "TA0003"
54name = "Persistence"
55reference = "https://attack.mitre.org/tactics/TA0003/"
56[[rule.threat]]
57framework = "MITRE ATT&CK"
58[[rule.threat.technique]]
59id = "T1053"
60name = "Scheduled Task/Job"
61reference = "https://attack.mitre.org/techniques/T1053/"
62[[rule.threat.technique.subtechnique]]
63id = "T1053.005"
64name = "Scheduled Task"
65reference = "https://attack.mitre.org/techniques/T1053/005/"
66
67
68
69[rule.threat.tactic]
70id = "TA0002"
71name = "Execution"
72reference = "https://attack.mitre.org/tactics/TA0002/"
References
Related rules
- New ActiveSyncAllowedDeviceID Added via PowerShell
- Persistence via Hidden Run Key Detected
- Persistence via WMI Event Subscription
- Scheduled Task Created by a Windows Script
- Suspicious Execution via Scheduled Task