Suspicious Scheduled Task Update

Severity: high
Author: Nasreddine Bencherchali (Nextron Systems)
Source: upstream

Detects update to a scheduled task event that contain suspicious keywords.

MITRE ATT&CK coverage

Tactic	Techniques
Execution	`T1053.005` Scheduled Task/Job: Scheduled Task
Persistence	`T1053.005` Scheduled Task/Job: Scheduled Task
Privilege Escalation	`T1053.005` Scheduled Task/Job: Scheduled Task

Event coverage

Provider	Event ID	Title
Security-Auditing	4702	A scheduled task was updated.

Stages and Predicates

Stage 1: `all of selection_eid`

Stage 2: `all of selection_paths`

or:
TaskContentNew|contains: 'C:\Perflogs\'
TaskContentNew|contains: 'C:\ProgramData\'
TaskContentNew|contains: 'C:\Temp\'
TaskContentNew|contains: '\AppData\Local\Temp\'
TaskContentNew|contains: '\AppData\Roaming\'
TaskContentNew|contains: '\Desktop\'
TaskContentNew|contains: '\Downloads\'
TaskContentNew|contains: '\Temporary Internet'
TaskContentNew|contains: '\Users\Public\'
TaskContentNew|contains: '\WINDOWS\Temp\'

Stage 3: `all of selection_commands`

or:
TaskContentNew|contains: '<Arguments>/c '
TaskContentNew|contains: '<Arguments>/k '
TaskContentNew|contains: '<Arguments>/r '
TaskContentNew|contains: 'bash '
TaskContentNew|contains: bash.exe
TaskContentNew|contains: bitsadmin
TaskContentNew|contains: certutil
TaskContentNew|contains: 'cmd.exe</Command>'
TaskContentNew|contains: 'cmd</Command>'
TaskContentNew|contains: cscript
TaskContentNew|contains: forfiles
TaskContentNew|contains: hh.exe
TaskContentNew|contains: mshta
TaskContentNew|contains: powershell
TaskContentNew|contains: pwsh
TaskContentNew|contains: regsvr32
TaskContentNew|contains: rundll32
TaskContentNew|contains: scrcons
TaskContentNew|contains: scriptrunner
TaskContentNew|contains: 'wmic '
TaskContentNew|contains: wmic.exe
TaskContentNew|contains: wscript

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`TaskContentNew`	match	`<Arguments>/c` `<Arguments>/k` `<Arguments>/r` `C:\Perflogs\` `C:\ProgramData\` `C:\Temp\` `\AppData\Local\Temp\` `\AppData\Roaming\` `\Desktop\` `\Downloads\` `\Temporary Internet` `\Users\Public\` `\WINDOWS\Temp\` `bash` `bash.exe` `bitsadmin` `certutil` `cmd.exe</Command>` `cmd</Command>` `cscript` `forfiles` `hh.exe` `mshta` `powershell` `pwsh` `regsvr32` `rundll32` `scrcons` `scriptrunner` `wmic` `wmic.exe` `wscript`

Neighbors

Stricter alternatives (narrower than this rule)

The rules below may be useful if you find the current rule is too noisy / lacks specificity.

Unusual Scheduled Task Update [elastic] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)