From c878d55ac0fd97d7f7fedebc3e15e4ad85326405 Mon Sep 17 00:00:00 2001
From: JPMinty
Date: Wed, 7 Oct 2020 16:59:18 +1030
Subject: [PATCH 1/2] Add oscd.community author

---
 rules/windows/builtin/win_remote_schtask.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/builtin/win_remote_schtask.yml b/rules/windows/builtin/win_remote_schtask.yml
index 40b923741..aa7b54cc1 100644
--- a/rules/windows/builtin/win_remote_schtask.yml
+++ b/rules/windows/builtin/win_remote_schtask.yml
@@ -2,7 +2,7 @@ title: Remote Schtasks Creation
 id: cf349c4b-99af-40fa-a051-823aa2307a84
 status: experimental
 description: Detects remote execution via scheduled task creation or update on the destination host
-author: Jai Minton
+author: Jai Minton, oscd.community
 date: 2020/10/05
 references:
 - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view

From 21284c2c92e3dd5d636075ea4b62d58b91da8647 Mon Sep 17 00:00:00 2001
From: JPMinty
Date: Sun, 11 Oct 2020 12:48:48 +1030
Subject: [PATCH 2/2] Added selection criteria + moved to Unsupported rule

---
 rules-unsupported/win_remote_schtask.yml | 44 ++++++++++++++++++++
 rules/windows/builtin/win_remote_schtask.yml | 36 ----------------
 2 files changed, 44 insertions(+), 36 deletions(-)
 create mode 100644 rules-unsupported/win_remote_schtask.yml
 delete mode 100644 rules/windows/builtin/win_remote_schtask.yml

diff --git a/rules-unsupported/win_remote_schtask.yml b/rules-unsupported/win_remote_schtask.yml
new file mode 100644
index 000000000..5730b930e
--- /dev/null
+++ b/rules-unsupported/win_remote_schtask.yml
@@ -0,0 +1,44 @@
+title: Remote Schtasks Creation
+id: cf349c4b-99af-40fa-a051-823aa2307a84
+status: experimental
+description: Detects remote execution via scheduled task creation or update on the destination host
+author: Jai Minton, oscd.community
+date: 2020/10/05
+references:
+ - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
+tags:
+ - attack.lateral_movement
+ - attack.persistence
+ - attack.execution
+ - attack.t1053.005
+logsource:
+ product: windows
+ service: security
+ definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection (not in the baseline recommendations by Microsoft).'
+detection:
+ selection1:
+ EventID: 4624
+ Logon_Type: 3
+ selection2:
+ EventID:
+ - 4698
+ - 4702
+ filter1:
+ Source_Network_Address:
+ - '::1'
+ - '127.0.0.1'
+ filter2:
+ Source_Network_Address: '-'
+ timeframe: 30d
+ condition: (selection1 and not filter1) or selection2 and not filter2
+ # where:
+ # selection1: TargetLogonID = selection2: SubjectLogonID, grouped by host over 30seconds | eventcount > 1
+ # Rule should trigger where the SubjectLogonID from event 4698 or 4702 is the same as the TargetLogonID from event 4624 with a Logon_Type of 3, in a 30second period, provided its from the same host.
+ # This logic would be similar to the Splunk 'Transaction' operator which groups related events over a timeframe.
+ # This takes both field values (e.g. Logon_ID), and an expression provided (e.g. startswith=(EventCode=4624) maxspan=30s) which occurs over the raw event log to find events, at which point a Union based on the criteria provided occurs to merge these events into a single transaction.
+ # This is similar to stats as an aggregation function, but allows you to see the raw text of events rather than to calculate stats on then, and it retains the raw event to allow an eval expression to occur for grouping. This is beneficial as fields such as LogonIDs are reused over time.
+ # By having this you can group logon events to their remote schtask creation event (as it is searching for a logon followed by a schtask creation) even by using a search timeframe over a long period of time e.g. 30days without running the risk of incorrectly grouping a logonID at one time, to a task creation at another.
+ # Rule logic is currently not supported by SIGMA.
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/builtin/win_remote_schtask.yml b/rules/windows/builtin/win_remote_schtask.yml
deleted file mode 100644
index aa7b54cc1..000000000
--- a/rules/windows/builtin/win_remote_schtask.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-title: Remote Schtasks Creation
-id: cf349c4b-99af-40fa-a051-823aa2307a84
-status: experimental
-description: Detects remote execution via scheduled task creation or update on the destination host
-author: Jai Minton, oscd.community
-date: 2020/10/05
-references:
- - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
-tags:
- - attack.lateral_movement
- - attack.persistence
- - attack.execution
- - attack.t1053.005
-logsource:
- product: windows
- service: security
- definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection (not in the baseline recommendations by Microsoft).'
-detection:
- selection1:
- EventID: 4624
- Logon_Type: 3
- selection2:
- EventID:
- - 4698
- - 4702
- filter1:
- Source_Network_Address:
- - '::1'
- - '127.0.0.1'
- filter2:
- Source_Network_Address: '-'
- timeframe: 30d
- condition: (selection1 and not filter1) or selection2 and not filter2
-falsepositives:
- - Unknown
-level: medium
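Review bot: The `condition` in the new rules-unsupported file still evaluates as two independent alternatives — `(selection1 and not filter1)` matches every 4624 / Logon_Type 3 logon not from loopback, and `selection2 and not filter2` matches every 4698/4702 — so without the TargetLogonID/SubjectLogonID correlation that exists only in the comments, the rule as written would fire on every network logon and every task creation or update. `timeframe: 30d` also has no effect in Sigma unless the condition carries an aggregation expression, and it disagrees with the 30-second span the comments describe; a comment such as `# timeframe is the search window; the intended correlation span is 30s (see below)` placed above it would make the intent unambiguous. filter2 (`Source_Network_Address: '-'`) is attached to selection2, but 4698/4702 are task-audit events rather than logon events and would not be expected to carry a source-address field, so it presumably belongs alongside filter1 on the 4624 side — worth confirming against the event schema before the rule is ever converted. The field names `Logon_Type` and `Source_Network_Address` look like display labels with spaces replaced by underscores rather than the EventData attribute names (`LogonType`, `IpAddress`) that Sigma's other Windows security rules generally use; aligning them now would let the rule convert cleanly once correlation is supported.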