Persistence via TelemetryController Scheduled Task Hijack

Detects the successful hijack of Microsoft Compatibility Appraiser scheduled task to establish persistence with an integrity level of system.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/08/17"
 3integration = ["endpoint", "windows"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2023/03/06"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Detects the successful hijack of Microsoft Compatibility Appraiser scheduled task to establish persistence with an
13integrity level of system.
14"""
15from = "now-9m"
16index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Persistence via TelemetryController Scheduled Task Hijack"
20note = """## Setup
21
22If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
23"""
24references = [
25    "https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence",
26]
27risk_score = 73
28rule_id = "68921d85-d0dc-48b3-865f-43291ca2c4f2"
29severity = "high"
30tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Elastic Endgame"]
31timestamp_override = "event.ingested"
32type = "eql"
33
34query = '''
35process where host.os.type == "windows" and event.type == "start" and
36  process.parent.name : "CompatTelRunner.exe" and process.args : "-cv*" and
37  not process.name : ("conhost.exe",
38                      "DeviceCensus.exe",
39                      "CompatTelRunner.exe",
40                      "DismHost.exe",
41                      "rundll32.exe",
42                      "powershell.exe")
43'''
44
45
46[[rule.threat]]
47framework = "MITRE ATT&CK"
48[[rule.threat.technique]]
49id = "T1053"
50name = "Scheduled Task/Job"
51reference = "https://attack.mitre.org/techniques/T1053/"
52[[rule.threat.technique.subtechnique]]
53id = "T1053.005"
54name = "Scheduled Task"
55reference = "https://attack.mitre.org/techniques/T1053/005/"
56
57
58
59[rule.threat.tactic]
60id = "TA0003"
61name = "Persistence"
62reference = "https://attack.mitre.org/tactics/TA0003/"

Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define event.ingested and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate event.ingested to @timestamp for this rule to work.

to-top