detection.wiki

Detection rules › Splunk

Windows Hidden Schedule Task Settings

Author
Teoderick Contreras, Splunk
Source
upstream

The following analytic detects the creation of hidden scheduled tasks on Windows systems, which are not visible in the UI. It leverages Windows Security EventCode 4698 to identify tasks where the 'Hidden' setting is enabled. This behavior is significant as it may indicate malware activity, such as Industroyer2, or the use of living-off-the-land binaries (LOLBINs) to download additional payloads. If confirmed malicious, this activity could allow attackers to execute code stealthily, maintain persistence, or further compromise the system by downloading additional malicious payloads.

MITRE ATT&CK coverage

TacticTechniques
ExecutionT1053 Scheduled Task/Job
PersistenceT1053 Scheduled Task/Job
Privilege EscalationT1053 Scheduled Task/Job

Event coverage

ProviderEvent IDTitle
Security-Auditing4698A scheduled task was created.

Stages and Predicates

Stage 1: search

search EventCode=4698 TaskContent="*<Hidden>true</Hidden>*"

Stage 2: stats

stats BY TaskName, TaskContent, action, signature, status, dest

Stage 3: search

search

Stage 4: search

search

Stage 5: search

search `macro`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
EventCodeeq
  • 4698 corpus 8 (splunk 8)
TaskContenteq
  • "*<Hidden>true</Hidden>*"

Neighbors

Broader alternatives (more inclusive than this rule)

These rules match a superset of what this rule catches. They cover the same events plus more. Use them if you want wider coverage and can absorb more false positives.