detection.wiki

Detection rules › Splunk

Windows PowerShell ScheduleTask

Status
production
Severity
low
Group by
Guid, Name, Opcode, Path, ScriptBlockId, ScriptBlockText, dest, process_id, signature, signature_id, user_id, vendor_product
Author
Michael Haag, Splunk
Source
github.com/splunk/security_content

The following analytic detects potential malicious activities involving PowerShell's task scheduling cmdlets. It leverages PowerShell Script Block Logging (EventCode 4104) to identify unusual or suspicious use of cmdlets like 'New-ScheduledTask' and 'Set-ScheduledTask'. This activity is significant as attackers often use these cmdlets for persistence and remote execution of malicious code. If confirmed malicious, this could allow attackers to maintain access, deliver additional payloads, or execute ransomware, leading to data theft or other severe impacts. Immediate investigation and mitigation are crucial to prevent further compromise.

MITRE ATT&CK coverage

TacticTechniques
ExecutionT1053.005 Scheduled Task/Job: Scheduled Task, T1059.001 Command and Scripting Interpreter: PowerShell
PersistenceT1053.005 Scheduled Task/Job: Scheduled Task
Privilege EscalationT1053.005 Scheduled Task/Job: Scheduled Task

Event coverage

ProviderEventTitle
PowerShellEvent ID 4104Creating Scriptblock text (MessageNumber of MessageTotal).

Rule body splunk

name: Windows PowerShell ScheduleTask
id: ddf82fcb-e9ee-40e3-8712-a50b5bf323fc
version: 13
creation_date: '2023-06-12'
modification_date: '2026-05-13'
author: Michael Haag, Splunk
status: production
type: Anomaly
description: The following analytic detects potential malicious activities involving PowerShell's task scheduling cmdlets. It leverages PowerShell Script Block Logging (EventCode 4104) to identify unusual or suspicious use of cmdlets like 'New-ScheduledTask' and 'Set-ScheduledTask'. This activity is significant as attackers often use these cmdlets for persistence and remote execution of malicious code. If confirmed malicious, this could allow attackers to maintain access, deliver additional payloads, or execute ransomware, leading to data theft or other severe impacts. Immediate investigation and mitigation are crucial to prevent further compromise.
data_source:
    - Powershell Script Block Logging 4104
search: |-
    `powershell` EventCode=4104 ScriptBlockText IN ("*New-ScheduledTask*", "*New-ScheduledTaskAction*", "*New-ScheduledTaskSettingsSet*", "*New-ScheduledTaskTrigger*", "*Register-ClusteredScheduledTask*", "*Register-ScheduledTask*", "*Set-ClusteredScheduledTask*", "*Set-ScheduledTask*", "*Start-ScheduledTask*", "*Enable-ScheduledTask*")
      | fillnull
      | stats count min(_time) as firstTime max(_time) as lastTime
        BY dest signature signature_id
           user_id vendor_product EventID
           Guid Opcode Name
           Path ProcessID ScriptBlockId
           ScriptBlockText
      | `security_content_ctime(firstTime)`
      | `security_content_ctime(lastTime)`
      | `windows_powershell_scheduletask_filter`
how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.1/add-other-data-to-splunk-uba/configure-powershell-logging-to-see-powershell-anomalies-in-splunk-uba.
known_false_positives: Benign administrative tasks can also trigger alerts, necessitating a firm understanding of the typical system behavior and precise tuning of the analytic to reduce false positives.
references:
    - https://learn.microsoft.com/en-us/powershell/module/scheduledtasks/?view=windowsserver2022-ps
    - https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/
drilldown_searches:
    - name: View the detection results for - "$Computer$" and "$user_id$"
      search: '%original_detection_search% | search  Computer = "$Computer$" user_id = "$user_id$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$Computer$" and "$user_id$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$", "$user_id$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: 7d
      latest_offset: "0"
intermediate_findings:
    entities:
        - field: dest
          type: system
          score: 20
          message: The PowerShell cmdlets related to task creation, modification and start occurred on $dest$ by $user_id$.
        - field: user_id
          type: user
          score: 20
          message: The PowerShell cmdlets related to task creation, modification and start occurred on $dest$ by $user_id$.
analytic_story:
    - Scheduled Tasks
    - Scattered Spider
asset_type: Endpoint
atomic_guid:
    - af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd
mitre_attack_id:
    - T1053.005
    - T1059.001
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: endpoint
security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/atomic_red_team/pwsh_scheduledtask.log
          source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
          sourcetype: XmlWinEventLog
      test_type: unit

Stages and Predicates

Stage 1: search

`powershell` EventCode=4104 ScriptBlockText IN ("*New-ScheduledTask*", "*New-ScheduledTaskAction*", "*New-ScheduledTaskSettingsSet*", "*New-ScheduledTaskTrigger*", "*Register-ClusteredScheduledTask*", "*Register-ScheduledTask*", "*Set-ClusteredScheduledTask*", "*Set-ScheduledTask*", "*Start-ScheduledTask*", "*Enable-ScheduledTask*")

Stage 2: fillnull

| fillnull

Stage 3: stats

| stats count min(_time) as firstTime max(_time) as lastTime
    BY dest signature signature_id
       user_id vendor_product EventID
       Guid Opcode Name
       Path ProcessID ScriptBlockId
       ScriptBlockText

Stage 4: search

| `security_content_ctime(firstTime)`

Stage 5: search

| `security_content_ctime(lastTime)`

Stage 6: search

| `windows_powershell_scheduletask_filter`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
EventCodeeq
  • 4104 corpus 268 (splunk 268)
ScriptBlockTextin
  • "*Enable-ScheduledTask*"
  • "*New-ScheduledTask*"
  • "*New-ScheduledTaskAction*"
  • "*New-ScheduledTaskSettingsSet*"
  • "*New-ScheduledTaskTrigger*"
  • "*Register-ClusteredScheduledTask*"
  • "*Register-ScheduledTask*"
  • "*Set-ClusteredScheduledTask*"
  • "*Set-ScheduledTask*"
  • "*Start-ScheduledTask*"