Detection rules › Splunk
Schedule Task with Rundll32 Command Trigger
The following analytic detects the creation of scheduled tasks in Windows that use the rundll32 command. It leverages Windows Security EventCode 4698, which logs the creation of scheduled tasks, and filters for tasks executed via rundll32. This activity is significant as it is a common technique used by malware, such as TrickBot, to persist in an environment or deliver additional payloads. If confirmed malicious, this could lead to data theft, ransomware deployment, or other damaging outcomes. Immediate investigation and mitigation are crucial to prevent further compromise.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1053 Scheduled Task/Job |
| Persistence | T1053 Scheduled Task/Job |
| Privilege Escalation | T1053 Scheduled Task/Job |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 4698 | A scheduled task was created. |
Stages and Predicates
Stage 1: search
search EventCode=4698
Stage 2: xmlkv
xmlkv
Stage 3: search
search Command="*rundll32*"
Stage 4: stats
stats BY dest, Task_Name, Command, Author, Enabled, Hidden, Arguments
Stage 5: search
search
Stage 6: search
search
Stage 7: search
search `macro`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
Command | in |
|
EventCode | eq |
|
Neighbors
Stricter alternatives (narrower than this rule)
The rules below may be useful if you find the current rule is too noisy / lacks specificity.
- Windows Hidden Schedule Task Settings (adds 1 filter)
- Windows Scheduled Tasks for CompMgmtLauncher or Eventvwr (adds 1 filter)
- WinEvent Scheduled Task Created to Spawn Shell (adds 1 filter)
- WinEvent Scheduled Task Created Within Public Path (adds 1 filter)
Broader alternatives (more inclusive than this rule)
These rules match a superset of what this rule catches. They cover the same events plus more. Use them if you want wider coverage and can absorb more false positives.
- Suspicious Scheduled Task Creation (drops 1 filter this rule applies)