Detection rules › Splunk
Rare Scheduled Task (Windows Event Log)
Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1053.005 Scheduled Task/Job: Scheduled Task |
| Persistence | T1053.005 Scheduled Task/Job: Scheduled Task |
| Privilege Escalation | T1053.005 Scheduled Task/Job: Scheduled Task |
| Exfiltration | T1029 Scheduled Transfer |
Event coverage
| Provider | Event | Title |
|---|---|---|
| Security-Auditing | Event ID 4698 | A scheduled task was created. |
| Security-Auditing | Event ID 4700 | A scheduled task was enabled. |
| Security-Auditing | Event ID 4702 | A scheduled task was updated. |
Rule body yaml
id: '5763.6035'
title: Rare Scheduled Task
description: 'Adversaries may abuse task scheduling functionality to facilitate initial
or recurring execution of malicious code. Utilities exist within all major operating
systems to schedule programs or scripts to be executed at a specified date and time.
-- Threat Actor Association: APT33, APT34/OilRig, FIN7, TA505, TA551, Turla (akaSecret
Blizzard, KRYPTON, and UAC-0003) -- Software Association: BianLian, Clop, Cring,
IcedID, NanoCore, Sodinokibi/REvil, Trickbot -- Atomics T1053.005 Test#1 Atomics
T1053.005 Test#2 Atomics T1053.005 Test#3 Atomics T1053.005 Test#4 Atomics T1053.005
Test#5 Atomics T1053.005 Test#6'
logic_format: Splunk
logic: '`get_endpoint_data` `get_endpoint_data_winevent` (TERM(EventCode=4702) OR
"<EventID>4702<" OR TERM(EventCode=4700) OR "<EventID>4700<" OR TERM(EventCode=4698)
OR "<EventID>4698<") | rex field=body "\<Command\>(?<process>.{1,}\Q</Command>\E)"|
rex field=body "\<Arguments\>(?<process_exec>.{1,}\Q</Arguments>\E)"| rex field=process
mode=sed "s/\<\/Command\>//g"| rex field=process_exec mode=sed "s/\<\/Arguments\>//g"|
rename Task_Name as task_name | where isnotnull(process) | table _time, host, user,
signature_id, task_name, process, process_exec | eventstats count by task_name process
signature_id| where count=1 '
techniques:
- execution:scheduled task/job:scheduled task
- persistence:scheduled task/job:scheduled task
- privilege-escalation:scheduled task/job:scheduled task
- exfiltration:scheduled transfer
technique_id:
- T1053.005
- T1029
data_category:
- Windows event logs
references: null
Stages and Predicates
Stage 1: search
`get_endpoint_data` `get_endpoint_data_winevent` (TERM(EventCode=4702) OR "<EventID>4702<" OR TERM(EventCode=4700) OR "<EventID>4700<" OR TERM(EventCode=4698) OR "<EventID>4698<")
Stage 2: rex
| rex field=body "\<Command\>(?<process>.{1,}\Q</Command>\E)"
Stage 3: rex
| rex field=body "\<Arguments\>(?<process_exec>.{1,}\Q</Arguments>\E)"
Stage 4: eval
| rex field=process mode=sed "s/\<\/Command\>//g"
Stage 5: eval
| rex field=process_exec mode=sed "s/\<\/Arguments\>//g"
Stage 6: rename
| rename Task_Name as task_name
Stage 7: where
| where isnotnull(process)
Stage 8: table
| table _time, host, user, signature_id, task_name, process, process_exec
Stage 9: eventstats
| eventstats count by task_name process signature_id
Stage 10: where
| where count=1
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
Search terms
Bare-string tokens in the SPL search body. Splunk matches each token against _raw (the untyped raw event text) anywhere it appears, not against a specific field. These don't surface in the Indicators table because they aren't predicates on a known field.
| Stage | Term |
|---|---|
| 1 | TERM |
| 1 | "<EventID>4702<" |
| 1 | TERM |
| 1 | "<EventID>4700<" |
| 1 | TERM |
| 1 | "<EventID>4698<" |