Name:WinEvent Scheduled Task Created Within Public Path id:5d9c6eee-988c-11eb-8253-acde48001122 version:6 date:2024-11-28 author:Michael Haag, Splunk status:production type:TTP Description:The following analytic detects the creation of scheduled tasks within user-writable paths using Windows Security EventCode 4698. It identifies tasks registered via schtasks.exe or TaskService that execute commands from directories like Public, ProgramData, Temp, and AppData. This behavior is significant as it may indicate an attempt to establish persistence or execute unauthorized commands. If confirmed malicious, an attacker could maintain long-term access, escalate privileges, or execute arbitrary code, posing a severe threat to system integrity and security. Data_source:
-Windows Event Log Security 4698
search:`wineventlog_security` EventCode=4698 TaskContent IN ("*\\users\\public\\*", "*\\programdata\\*", "*\\temp\\*", "*\\Windows\\Tasks\\*", "*\\appdata\\*", "*\\perflogs\\*") | stats count min(_time) as firstTime max(_time) as lastTime by Computer, TaskName, TaskContent | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winevent_scheduled_task_created_within_public_path_filter`
how_to_implement:To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4698 EventCode enabled. The Windows TA is also required. known_false_positives:False positives are possible if legitimate applications are allowed to register tasks in public paths. Filter as needed based on paths that are used legitimately. References: -https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/ -https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4698 -https://redcanary.com/threat-detection-report/techniques/scheduled-task-job/ -https://docs.microsoft.com/en-us/windows/win32/taskschd/time-trigger-example--scripting-?redirectedfrom=MSDN -https://app.any.run/tasks/e26f1b2e-befa-483b-91d2-e18636e2faf3/ drilldown_searches: name:'View the detection results for - "$dest$"' search:'%original_detection_search% | search dest = "$dest$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$dest$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Windows Persistence Techniques' - 'Active Directory Lateral Movement' - 'CISA AA22-257A' - 'IcedID' - 'Prestige Ransomware' - 'Industroyer2' - 'Ryuk Ransomware' - 'AsyncRAT' - 'Data Destruction' - 'Ransomware' - 'CISA AA23-347A' - 'Scheduled Tasks' - 'Compromised Windows Host' - 'Winter Vivern' asset_type:Endpoint confidence:100 impact:70 message:A windows scheduled task was created (task name=$TaskName$) on $dest$ mitre_attack_id: - 'T1053.005' - 'T1053' observable: name:'dest' type:'Endpoint' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' - 'dest' - 'Task_Name' - 'Description' - 'Command' risk_score:70 security_domain:endpoint
