IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« Telnet Port Activity Third-party Backup Files Deleted via Unexpected Process »

› › ›

Temporarily Scheduled Task Creation

edit

Temporarily Scheduled Task Creation

edit

Indicates the creation and deletion of a scheduled task within a short time interval. Adversaries can use these to proxy malicious execution via the schedule service and perform clean up.

Rule type: eql

Rule indices:

winlogbeat-*
logs-system.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698

Tags:

Elastic
Host
Windows
Threat Detection
Defense Evasion
Persistence

Version: 1

Added (Elastic Stack release): 8.5.0

Rule authors: Elastic

Rule license: Elastic License v2

Potential false positives

edit

Legitimate scheduled tasks may be created during installation of new software.

Rule query

edit

sequence by host.id, winlog.event_data.TaskName with maxspan=5m
[iam where event.action == "scheduled-task-created"] [iam where
event.action == "scheduled-task-deleted"]

Threat mapping

edit

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
Technique:
- Name: Indicator Removal on Host
- ID: T1070
- Reference URL: https://attack.mitre.org/techniques/T1070/
Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
Technique:
- Name: Scheduled Task/Job
- ID: T1053
- Reference URL: https://attack.mitre.org/techniques/T1053/

« Telnet Port Activity Third-party Backup Files Deleted via Unexpected Process »