Scheduled Task Created by a Windows Script

A scheduled task was created by a Windows script via cscript.exe, wscript.exe or powershell.exe. This can be abused by an adversary to establish persistence.

Rule type: eql
Rule indices:

• winlogbeat-*
• logs-endpoint.events.registry-*
• logs-endpoint.events.library-*
• logs-windows.sysmon_operational-*
• endgame-*

Rule Severity: medium
Risk Score: 47
Runs every:
Searches indices from: now-9m
Maximum alerts per execution: 100
References:

Tags:

• Domain: Endpoint
• OS: Windows
• Use Case: Threat Detection
• Tactic: Persistence
• Tactic: Execution
• Data Source: Elastic Endgame
• Data Source: Elastic Defend
• Data Source: Sysmon
• Resources: Investigation Guide

Version: 212
Rule authors:

• Elastic

Rule license: Elastic License v2

This rule is designed for data generated by Elastic Defend, which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.

Setup instructions: https://ela.st/install-elastic-defend

This rule also supports the following third-party data sources. For setup instructions, refer to the links below:

• Sysmon Event ID 7 - Image Loaded
• Sysmon Registry Events

Decode the base64 encoded Tasks Actions registry value to investigate the task's configured action.

sequence by host.id with maxspan = 30s
  [any where host.os.type == "windows" and
    (event.category : ("library", "driver") or (event.category == "process" and event.action : "Image loaded*")) and
    (?dll.name : "taskschd.dll" or file.name : "taskschd.dll") and
    process.name : ("cscript.exe", "wscript.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe")]
  [registry where host.os.type == "windows" and event.type == "change" and registry.value : "Actions" and
    registry.path : (
      "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\*\\Actions",
      "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\*\\Actions"
  )]
		

Framework: MITRE ATT&CK

• Tactic:

  • Name: Persistence
  • Id: TA0003
  • Reference URL: https://attack.mitre.org/tactics/TA0003/

• Technique:

  • Name: Scheduled Task/Job
  • Id: T1053
  • Reference URL: https://attack.mitre.org/techniques/T1053/

• Sub Technique:

  • Name: Scheduled Task
  • Id: T1053.005
  • Reference URL: https://attack.mitre.org/techniques/T1053/005/

Framework: MITRE ATT&CK

• Tactic:

  • Name: Execution
  • Id: TA0002
  • Reference URL: https://attack.mitre.org/tactics/TA0002/

• Technique:

  • Name: Command and Scripting Interpreter
  • Id: T1059
  • Reference URL: https://attack.mitre.org/techniques/T1059/

• Sub Technique:

  • Name: PowerShell
  • Id: T1059.001
  • Reference URL: https://attack.mitre.org/techniques/T1059/001/

• Sub Technique:

  • Name: Visual Basic
  • Id: T1059.005
  • Reference URL: https://attack.mitre.org/techniques/T1059/005/