Nterl0k - T1053 Windows Suspicious Sheduled Task + Lookup

[nterl0k]

Details

2 detection for scheduled task shenanigans backed by a lookup to allow for more flexibility in coverage/detection, applies to task creation (4698), enabling (4700), and modification (4702). Lookup sourced from https://github.com/mthcht/awesome-lists/blob/main/Lists/suspicious_windows_tasks_list.csv

• WinEvent Scheduled Task with Suspicious Name

  • Detection that offers coverage of known bad Schediled Task names based on curated data

• WinEvent Scheduled Task with Suspicious Command

  • Matches either shell commands or public writable folders. This detection may overlap / deprecate the function of 2 existing detections:
    • WinEvent Scheduled Task Created Within Public Path (5d9c6eee-988c-11eb-8253-acde48001122)
    • WinEvent Scheduled Task Created to Spawn Shell (203ef0ea-9bd8-11eb-8201-acde48001122)

Lookup can be updated to provide additional coverage based on needs.

Pending splunk/attack_data#958

Checklist

• Validate name matches <platform>_<mitre att&ck technique>_<short description> nomenclature
• CI/CD jobs passed ✔️
• Validated SPL logic.
• Validated tags, description, and how to implement.
• Verified references match analytic.
• Confirm updates to lookups are handled properly.

Notes For Submitters and Reviewers

• If you're submitting a PR from a fork, ensuring the box to allow updates from maintainers is checked will help speed up the process of getting it merged.
• Checking the output of the build CI job when it fails will likely show an error about what is failing. You may have a very descriptive error of the specific field(s) in the specific file(s) that is causing an issue. In some cases, its also possible there is an issue with the YAML. Many of these can be caught with the pre-commit hooks if you set them up. These errors will be less descriptive as to what exactly is wrong, but will give you a column and row position in a specific file where the YAML processing breaks. If you're having trouble with this, feel free to add a comment to your PR tagging one of the maintainers and we'll be happy to help troubleshoot it.
• Updates to existing lookup files can be tricky, because of how Splunk handles application updates and the differences between existing lookup files being updated vs new lookups. You can read more here but the short version is that any changes to lookup files need to bump the datestamp in the lookup CSV filename, and the reference to it in the YAML needs to be updated.

[pyth0n1c]

@nterl0k - Can you please give some extra clarity around the Task_Name and Arguments fields, as cause a failure or produce blank fields in the results? Please see the attached screenshots for examples.

[nterl0k]

Interesting... might be a Windows TA version issue. Let me test, but shouldn't be an issue to convert to TaskName. stand by

________________________________ From: pyth0n1c ***@***.***> Sent: Wednesday, February 19, 2025 4:05 PM To: splunk/security_content ***@***.***> Cc: Steven Dick ***@***.***>; Mention ***@***.***> Subject: Re: [splunk/security_content] Nterl0k - T1053 Windows Suspicious Sheduled Task + Lookup (PR #3316) @pyth0n1c requested changes on this pull request. @nterl0k<https://github.com/nterl0k> - Can you please give some extra clarity around the Task_Name and Arguments fields, as cause a failure or produce blank fields in the results? Please see the attached screenshots for examples.

________________________________ In detections/endpoint/windows_scheduled_task_with_suspicious_command.yml<#3316 (comment)>:

+id: 1f44c126-c26a-4dd3-83bb-0f9a0f03ecc3

+version: 1 +date: '2025-02-07' +author: Steven Dick +status: production +type: TTP +description: The following analytic detects the creation of scheduled tasks designed to execute commands using native Windows shells like PowerShell, Cmd, Wscript, or Cscript or from public folders such as Users, Temp, or ProgramData. It leverages Windows Security EventCode 4698, 4700, and 4702 to identify when such tasks are registered, enabled, or modified. This activity is significant as it may indicate an attempt to establish persistence or execute malicious commands on a system. If confirmed malicious, this could allow an attacker to maintain access, execute arbitrary code, or escalate privileges, posing a severe threat to the environment. +data_source: +- Windows Event Log Security 4698 +- Windows Event Log Security 4700 +- Windows Event Log Security 4702 +search: |- + `wineventlog_security` EventCode IN (4698,4700,4702) + | eval TaskContent = case(isnotnull(TaskContentNew),TaskContentNew,true(),TaskContent) + | xmlkv TaskContent + | stats count min(_time) as firstTime max(_time) as lastTime latest(Arguments) as Arguments latest(Author) as Author by Computer, Caller_User_Name, Task_Name, Command, Enabled, Hidden, EventCode It appears that Task_Name does not exist in the event and, as such, this search returns to results. I do, however, see a TaskName and making some that change across the detection yields the following results. However, Arguments is still empty - is this something that appears in some results/raw logs? image.png (view on web)<https://github.com/user-attachments/assets/4c9dbc98-cca2-4d8c-a600-f5b2ad54a951>

________________________________ In detections/endpoint/windows_scheduled_task_with_suspicious_name.yml<#3316 (comment)>:

+id: 9e9ab4e3-c9d0-4967-a197-6d755e8a7e6e

+version: 1 +date: '2025-02-07' +author: Steven Dick +status: production +type: TTP +description: The following analytic detects the creation, modification, or enabling of scheduled tasks with known suspicious or malicious task names. It leverages Windows Security EventCode 4698, 4700, and 4702 to identify when such tasks are registered, modified, or enabled. This activity is significant as it may indicate an attempt to establish persistence or execute malicious commands on a system. If confirmed malicious, this could allow an attacker to maintain access, execute arbitrary code, or escalate privileges, posing a severe threat to the environment. +data_source: +- Windows Event Log Security 4698 +- Windows Event Log Security 4700 +- Windows Event Log Security 4702 +search: |- + `wineventlog_security` EventCode IN (4698,4700,4702) + | eval TaskContent = case(isnotnull(TaskContentNew),TaskContentNew,true(),TaskContent) + | xmlkv TaskContent + | stats count min(_time) as firstTime max(_time) as lastTime latest(Arguments) as Arguments latest(Author) as Author by Computer, Task_Name, Command, Enabled, Hidden,Caller_User_Name, EventCode I see a similar issue related to Arguments and Task_Name / TaskName for this detection: image.png (view on web)<https://github.com/user-attachments/assets/a7351be5-6dd4-461c-b55c-b2c4551d6c2f> — Reply to this email directly, view it on GitHub<#3316 (review)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AJIYP7VLBWC7WZE266FZ2ML2QTWYJAVCNFSM6AAAAABWWTFK5OVHI2DSMVQWIX3LMV43YUDVNRWFEZLROVSXG5CSMV3GSZLXHMZDMMRXHE3TGOBUHA>. You are receiving this because you were mentioned.Message ID: ***@***.***>