security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
sigma-rules/rules/windows/persistence_suspicious_scheduled_task_runtime.toml
T
Jonhnathan d95919b7e3 [Rule Tuning] Windows Setup Guides - Low and Medium Severity Rules (#6042) 
* checkpoint

* ++

* Update credential_access_dcsync_user_backdoor.toml

* Update defense_evasion_posh_high_entropy.toml

* Update credential_access_iis_apppoolsa_pwd_appcmd.toml
2026-05-04 11:17:05 -03:00

170 lines
8.6 KiB
TOML
Raw Permalink Blame History

[metadata]
creation_date = "2020/11/19"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2026/05/04"
[rule]
author = ["Elastic"]
description = "Identifies execution of a suspicious program via scheduled tasks by looking at process lineage and command line usage."
false_positives = ["Legitimate scheduled tasks running third party software."]
from = "now-9m"
index = ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Execution via Scheduled Task"
note = """## Triage and analysis
> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
### Investigating Suspicious Execution via Scheduled Task
Scheduled tasks in Windows automate routine tasks, but adversaries exploit them for persistence and execution of malicious programs. By examining process lineage and command line usage, the detection rule identifies suspicious executions initiated by scheduled tasks. It flags known malicious executables and unusual file paths, while excluding benign processes, to pinpoint potential threats effectively.
### Possible investigation steps
- Review the process lineage to confirm the parent process is "svchost.exe" with arguments containing "Schedule" to verify the execution was initiated by a scheduled task.
- Examine the command line arguments and file paths of the suspicious process to identify any unusual or unauthorized file locations, such as those listed in the query (e.g., "C:\\Users\\*", "C:\\ProgramData\\*").
- Check the original file name of the process against the list of known suspicious executables (e.g., "PowerShell.EXE", "Cmd.Exe") to determine if it matches any commonly abused binaries.
- Investigate the user context under which the process was executed, especially if it deviates from expected system accounts or known service accounts.
- Correlate the event with other security logs or alerts to identify any related suspicious activities or patterns that might indicate a broader attack campaign.
- Assess the risk and impact of the detected activity by considering the severity and risk score provided, and determine if immediate containment or remediation actions are necessary.
### False positive analysis
- Scheduled tasks running legitimate scripts or executables like cmd.exe or cscript.exe in system directories may trigger false positives. To manage this, create exceptions for these processes when they are executed from known safe directories such as C:\\Windows\\System32.
- PowerShell scripts executed by the system account (S-1-5-18) for administrative tasks can be mistakenly flagged. Exclude these by specifying exceptions for PowerShell executions with arguments like -File or -PSConsoleFile when run by the system account.
- Legitimate software installations or updates using msiexec.exe by the system account may be incorrectly identified as threats. Mitigate this by excluding msiexec.exe processes initiated by the system account.
- Regular maintenance tasks or scripts stored in common directories like C:\\ProgramData or C:\\Windows\\Temp might be flagged. Review these tasks and exclude known benign scripts or executables from these paths.
- Custom scripts or administrative tools that mimic suspicious executables (e.g., PowerShell.EXE, RUNDLL32.EXE) but are part of routine operations should be reviewed and excluded if verified as safe.
### Response and remediation
- Immediately isolate the affected system from the network to prevent further spread of any potential malicious activity.
- Terminate any suspicious processes identified by the detection rule, especially those matching the flagged executables and paths.
- Conduct a thorough review of scheduled tasks on the affected system to identify and disable any unauthorized or suspicious tasks.
- Remove any malicious files or executables found in the suspicious paths listed in the detection rule.
- Restore the system from a known good backup if malicious activity is confirmed and system integrity is compromised.
- Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected.
- Implement enhanced monitoring and logging for scheduled tasks and the flagged executables to detect similar threats in the future."""
references = [
"https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper",
]
risk_score = 47
rule_id = "5d1d6907-0747-4d5d-9b24-e4a18853dc0a"
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Persistence",
"Tactic: Execution",
"Data Source: Elastic Defend",
"Resources: Investigation Guide",
"Data Source: Sysmon",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "windows" and event.type == "start" and
/* Schedule service cmdline on Win10+ */
process.parent.name : "svchost.exe" and process.parent.args : "Schedule" and
/* add suspicious programs here */
process.pe.original_file_name in
(
"cscript.exe",
"wscript.exe",
"PowerShell.EXE",
"Cmd.Exe",
"MSHTA.EXE",
"RUNDLL32.EXE",
"REGSVR32.EXE",
"MSBuild.exe",
"InstallUtil.exe",
"RegAsm.exe",
"RegSvcs.exe",
"msxsl.exe",
"CONTROL.EXE",
"EXPLORER.EXE",
"Microsoft.Workflow.Compiler.exe",
"msiexec.exe"
) and
/* add suspicious paths here */
process.args : (
"C:\\Users\\*",
"C:\\ProgramData\\*",
"C:\\Windows\\Temp\\*",
"C:\\Windows\\Tasks\\*",
"C:\\PerfLogs\\*",
"C:\\Intel\\*",
"C:\\Windows\\Debug\\*",
"C:\\HP\\*") and
not (process.name : "cmd.exe" and process.args : ("*.bat", "*.cmd")) and
not (process.name : "cscript.exe" and process.args : "?:\\Windows\\system32\\calluxxprovider.vbs") and
not (
process.name : "powershell.exe" and
process.args : (
"-File", "-PSConsoleFile",
"C:\\ProgramData\\Microsoft\\AutopatchSetupScheduled\\SetupAutopatchClientV2Package.ps1",
"C:\\ProgramData\\Microsoft\\AutopatchSetupScheduled\\SetupAutopatchClientPackage.ps1",
"C:\\Windows\\Temp\\MSS\\MDESetup\\Invoke-MDESetup.ps1"
) and user.id : "S-1-5-18"
) and
not (process.name : "msiexec.exe" and user.id : "S-1-5-18") and
not (process.name : "powershell.exe" and
process.command_line : ("C:\\ProgramData\\ElasticAgent-HealthCheck.ps1",
"C:\\ProgramData\\ssh\\puttysetup.ps1"))
'''
setup = """## Setup
This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.
Setup instructions: https://ela.st/install-elastic-defend
### Additional data sources
This rule also supports the following third-party data sources. For setup instructions, refer to the links below:
- [Sysmon Event ID 1 - Process Creation](https://ela.st/sysmon-event-1-setup)
"""
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1053"
name = "Scheduled Task/Job"
reference = "https://attack.mitre.org/techniques/T1053/"
[[rule.threat.technique.subtechnique]]
id = "T1053.005"
name = "Scheduled Task"
reference = "https://attack.mitre.org/techniques/T1053/005/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1053"
name = "Scheduled Task/Job"
reference = "https://attack.mitre.org/techniques/T1053/"
[[rule.threat.technique.subtechnique]]
id = "T1053.005"
name = "Scheduled Task"
reference = "https://attack.mitre.org/techniques/T1053/005/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
Reference in New Issue View Git Blame Copy Permalink