From 0ed2918b8d51b448f2dacf96ea713e0c43afcfe9 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Mon, 19 Sep 2022 18:50:45 +0200
Subject: [PATCH] [New Rule] Scheduled Task Creation using winlog (#2277)
* [New Rule] Scheduled Task Creation using winlog https://github.com/elastic/detection-rules/issues/2164 (T1053.005 - Scheduled Task) - A scheduled task was created - A scheduled task was updated - Temp scheduled task (creation followed by deletion, rare and can be sign of proxy execution via schedule service)
* Update defense_evasion_persistence_temp_scheduled_task.toml
* Update defense_evasion_persistence_temp_scheduled_task.toml
* Update defense_evasion_persistence_temp_scheduled_task.toml
* toml-lint
* remote task
* Update non-ecs-schema.json
* waaaaaaaaaaaaaa
* Update persistence_scheduled_task_updated.toml
* Update persistence_scheduled_task_creation_winlog.toml
* Update defense_evasion_persistence_temp_scheduled_task.toml
* Update lateral_movement_remote_task_creation_winlog.toml
* event.ingested
* Update lateral_movement_remote_task_creation_winlog.toml
* Update defense_evasion_persistence_temp_scheduled_task.toml
* Update defense_evasion_persistence_temp_scheduled_task.toml
* Update defense_evasion_persistence_temp_scheduled_task.toml
* Update defense_evasion_persistence_temp_scheduled_task.toml
* Update rules/windows/lateral_movement_remote_task_creation_winlog.toml
Co-authored-by: Justin Ibarra
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Justin Ibarra
(cherry picked from commit 4609a5e8fea7b6e50c0e470a935dd6d05d1acde7)
---
 detection_rules/etc/non-ecs-schema.json | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/detection_rules/etc/non-ecs-schema.json b/detection_rules/etc/non-ecs-schema.json
index db6b7f23d..c3980bf32 100644
--- a/detection_rules/etc/non-ecs-schema.json
+++ b/detection_rules/etc/non-ecs-schema.json
@@ -33,16 +33,17 @@
 "ShareName": "keyword",
 "SubjectLogonId": "keyword",
 "SubjectUserName": "keyword",
- "TargetUserName": "keyword",
+ "TargetUserName": "keyword",
 "TargetImage": "keyword",
 "TargetLogonId": "keyword",
 "TargetProcessGUID": "keyword",
 "TargetSid": "keyword",
- "PrivilegeList": "keyword",
- "AuthenticationPackageName" : "keyword",
- "TargetUserSid" : "keyword",
- "DnsHostName" : "keyword",
- "winlog.event_data.Status": "keyword"
+ "PrivilegeList": "keyword",
+ "AuthenticationPackageName" : "keyword",
+ "TargetUserSid" : "keyword",
+ "DnsHostName" : "keyword",
+ "TaskName": "keyword",
+ "Status": "keyword"
 }
 },
 "winlog.logon.type": "keyword",
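Review bot: Three of the re-added entries (`"AuthenticationPackageName" : "keyword"`, `"TargetUserSid" : "keyword"`, `"DnsHostName" : "keyword"`) keep a space before the colon while the new `"TaskName"` and `"Status"` lines and the rest of the object use `"key": "value"`; since these lines are rewritten anyway, normalize them to `"AuthenticationPackageName": "keyword"` so the object has one spacing style. The hunk also rewrites five entries whose content is unchanged (TargetUserName, PrivilegeList, AuthenticationPackageName, TargetUserSid, DnsHostName), presumably an indentation fix, which buries the two substantive edits (adding `TaskName`, replacing `winlog.event_data.Status` with `Status`) in a 6-deletion/7-insertion diff; keeping the whitespace fix separate would make the schema change visible at a glance. The enclosing object opens outside the hunk, so I cannot confirm it is the `winlog.event_data` mapping; if it is, the old dotted key would only ever have validated a field literally spelled `winlog.event_data.Status`, so any existing rule that relied on that spelling should be checked against the renamed entry. Also confirm that neither `TaskName` nor `Status` already appears earlier in the same object, since most JSON parsers silently keep the last duplicate key and the schema would then validate differently from how it reads.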