Suspicious Scheduled Task Creation

Severity: high
Author: Nasreddine Bencherchali (Nextron Systems)
Source: upstream

Detects suspicious scheduled task creation events. Based on attributes such as paths, commands line flags, etc.

MITRE ATT&CK coverage

Tactic	Techniques
Execution	`T1053.005` Scheduled Task/Job: Scheduled Task
Persistence	`T1053.005` Scheduled Task/Job: Scheduled Task
Privilege Escalation	`T1053.005` Scheduled Task/Job: Scheduled Task

Event coverage

Provider	Event ID	Title
Security-Auditing	4698	A scheduled task was created.

Stages and Predicates

Stage 1: `all of selection_eid`

Stage 2: `all of selection_paths`

or:
TaskContent|contains: 'C:\Perflogs\'
TaskContent|contains: 'C:\ProgramData\'
TaskContent|contains: 'C:\Temp\'
TaskContent|contains: '\AppData\Local\Temp\'
TaskContent|contains: '\AppData\Roaming\'
TaskContent|contains: '\Desktop\'
TaskContent|contains: '\Downloads\'
TaskContent|contains: '\Temporary Internet'
TaskContent|contains: '\Users\Public\'
TaskContent|contains: '\WINDOWS\Temp\'

Stage 3: `all of selection_commands`

or:
TaskContent|contains: '<Arguments>/c '
TaskContent|contains: '<Arguments>/k '
TaskContent|contains: '<Arguments>/r '
TaskContent|contains: 'bash '
TaskContent|contains: bash.exe
TaskContent|contains: bitsadmin
TaskContent|contains: certutil
TaskContent|contains: 'cmd.exe</Command>'
TaskContent|contains: 'cmd</Command>'
TaskContent|contains: cscript
TaskContent|contains: forfiles
TaskContent|contains: hh.exe
TaskContent|contains: mshta
TaskContent|contains: powershell
TaskContent|contains: pwsh
TaskContent|contains: regsvr32
TaskContent|contains: rundll32
TaskContent|contains: scrcons
TaskContent|contains: scriptrunner
TaskContent|contains: 'wmic '
TaskContent|contains: wmic.exe
TaskContent|contains: wscript

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`TaskContent`	match	`<Arguments>/c` `<Arguments>/k` `<Arguments>/r` `C:\Perflogs\` `C:\ProgramData\` `C:\Temp\` `\AppData\Local\Temp\` `\AppData\Roaming\` `\Desktop\` `\Downloads\` `\Temporary Internet` `\Users\Public\` `\WINDOWS\Temp\` `bash` `bash.exe` `bitsadmin` `certutil` `cmd.exe</Command>` `cmd</Command>` `cscript` `forfiles` `hh.exe` `mshta` `powershell` `pwsh` `regsvr32` `rundll32` `scrcons` `scriptrunner` `wmic` `wmic.exe` `wscript`

Neighbors

Stricter alternatives (narrower than this rule)

The rules below may be useful if you find the current rule is too noisy / lacks specificity.

Remote Scheduled Task Creation via RPC [elastic] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
A scheduled task was created [elastic] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Windows Hidden Schedule Task Settings [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Windows Scheduled Tasks for CompMgmtLauncher or Eventvwr [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
WinEvent Scheduled Task Created to Spawn Shell [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
WinEvent Scheduled Task Created Within Public Path [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Randomly Generated Scheduled Task Name [splunk] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Schedule Task with HTTP Command Arguments [splunk] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Schedule Task with Rundll32 Command Trigger [splunk] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)