Threat Feed
medium advisory

Scheduled Task Creation via Scripting

Detection of scheduled task creation by Windows scripting engines (cscript.exe, wscript.exe, powershell.exe and related hosts), a technique adversaries use to establish persistence on compromised systems.

This rule detects the creation of scheduled tasks by Windows scripting engines, a technique adversaries commonly use to establish persistence on compromised systems. It combines three signals: a script host loading the Task Scheduler COM library (taskschd.dll), a PowerShell command line that registers a task, and a write to a task's Actions value under the TaskCache registry key, correlated on the same host within a short time window. The script hosts covered are cscript.exe, wscript.exe, powershell.exe, pwsh.exe and powershell_ise.exe. Note that the registry write is performed by the Task Scheduler service (hosted in svchost.exe), not by the script process, so the registry signal has to be joined to the script activity by host and time rather than by process. A script creating a task is not malicious by itself: software installers, configuration management and administrative PowerShell routinely register tasks this way, so expect to allow-list known task names, action paths and parent processes before relying on the alert. Investigate the remaining hits by examining the script's command line and the action the new task was given. The rule targets Windows environments.

Attack Chain

  1. An attacker gains initial access to the system through various means (e.g., phishing, exploit).
  2. The attacker executes a script (e.g., PowerShell, VBScript) on the target system.
  3. The script calls the Task Scheduler API to create or modify a task, typically through the Schedule.Service COM object (implemented in taskschd.dll, which the script host loads in-process), the Register-ScheduledTask cmdlet, or by spawning schtasks.exe. Spawning schtasks.exe does not load taskschd.dll into the script host, which is one reason the rule also watches command lines and the registry.
  4. The Task Scheduler service persists the task definition and writes the action to run under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\*\Actions (one GUID-named subkey per task; sources that log the native registry path show it as \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\*\Actions). The task's XML definition is also written under C:\Windows\System32\Tasks.
  5. The scheduled task is configured to execute a malicious payload at a specific time or on an event such as logon or system start.
  6. The scheduled task executes, providing the attacker with persistent access to the system.
  7. The attacker leverages the persistent access to perform further malicious activities, such as lateral movement or data exfiltration.

Impact

A successful task registration gives the attacker persistence on the compromised system, so access survives reboots and user logoffs. This can facilitate long-term data theft, deployment of ransomware, or further compromise of the network. The impact depends on the account under which the task runs: a task registered from an elevated script can be configured to run as SYSTEM, giving the payload the highest local privilege.

Recommendation

  • Enable Sysmon ImageLoad events (Event ID 7) to detect when taskschd.dll is loaded by scripting engines (powershell.exe, pwsh.exe, cscript.exe, wscript.exe) as described in the Sysmon Event ID 7 setup guide. Unfiltered Event ID 7 is very high volume, so restrict the ImageLoad rule in the Sysmon configuration to ImageLoaded ending in taskschd.dll.
  • Enable Sysmon Registry events (Event IDs 12, 13 and 14; the registry_set source maps to Event ID 13, value set) for the TaskCache\Tasks paths associated with scheduled task actions, as described in the Sysmon Registry Events setup guide. Sysmon reports the REG_BINARY Actions value only as "Binary Data", so the command the task will run must be taken from the script's command line or from the task XML under C:\Windows\System32\Tasks.
  • Deploy the provided Sigma rules to your SIEM to detect scheduled task creation by scripting engines, and tune them for your environment (installers, configuration management and administrative scripts that legitimately register tasks).
  • Investigate any alerts generated by these rules, focusing on the specific script command line, the task name and the action and principal the task was created with.

Detection coverage (3 rules)

Scheduled Task Creation by PowerShell

medium

Detects the creation of scheduled tasks via PowerShell, a common technique for establishing persistence.

Format: Sigma. Tactics: execution, persistence. Techniques: T1053.005, T1059.001. Sources: process_creation, windows.

Scheduled Task Actions Registry Modification

medium

Detects modifications to the Scheduled Task Actions registry key, often indicative of malicious task creation or modification.

Format: Sigma. Tactics: persistence. Techniques: T1053.005. Sources: registry_set, windows.

Script Loading Taskschd.dll

medium

Detects scripting engines loading taskschd.dll, which indicates an attempt to interact with the Task Scheduler service.

Format: Sigma. Tactics: execution, persistence. Techniques: T1053.005, T1059. Sources: image_load, windows.
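The three rules above and the host/time correlation described in the advisory, as an added example that is not the platform's Sigma rules and not code from the page: each rule is a Python predicate over Sysmon-style event dictionaries, run over constructed sample telemetry. Field names follow Sysmon's EventData (Image, ImageLoaded, TargetObject, Details, ProcessGuid, Computer); the PowerShell command-line markers, the 60-second correlation window, the sample GUIDs and the sample Actions blob are assumptions for illustration only.

```python
"""Added example (not the platform's Sigma rules): the page's three detections as
predicates over Sysmon-style events, plus the host/time correlation the advisory
describes. All events and the Actions blob below are constructed."""
import re
from datetime import datetime, timedelta

# Sysmon event IDs behind the three log sources: process_creation, image_load, registry_set
EID_PROCESS_CREATE, EID_IMAGE_LOAD, EID_REG_SET = 1, 7, 13

SCRIPT_ENGINES = {"cscript.exe", "wscript.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe"}
POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
# One GUID-named subkey per task; matches both the HKLM\ and \REGISTRY\MACHINE\ spellings
TASKCACHE_ACTIONS = re.compile(r"\\schedule\\taskcache\\tasks\\\{[0-9a-f-]+\}\\actions$", re.I)
# Command-line markers of task registration from PowerShell (assumed starting set; tune locally)
PS_TASK_MARKERS = re.compile(r"register-scheduledtask|schedule\.service|schtasks(\.exe)?\s+/create", re.I)


def image_name(path):
    """Lower-cased file name of an Image/ImageLoaded path."""
    return path.rsplit("\\", 1)[-1].lower()


def rule_ps_task_creation(ev):
    """Scheduled Task Creation by PowerShell (process_creation)."""
    return (ev["EventID"] == EID_PROCESS_CREATE
            and image_name(ev["Image"]) in POWERSHELL_HOSTS
            and bool(PS_TASK_MARKERS.search(ev.get("CommandLine", ""))))


def rule_taskcache_actions_set(ev):
    """Scheduled Task Actions Registry Modification (registry_set)."""
    return ev["EventID"] == EID_REG_SET and bool(TASKCACHE_ACTIONS.search(ev["TargetObject"]))


def rule_script_loads_taskschd(ev):
    """Script Loading Taskschd.dll (image_load)."""
    return (ev["EventID"] == EID_IMAGE_LOAD
            and image_name(ev["Image"]) in SCRIPT_ENGINES
            and image_name(ev["ImageLoaded"]) == "taskschd.dll")


def run_rules(events):
    """Events matched by each rule, keyed by the rule names used on this page."""
    return {
        "Scheduled Task Creation by PowerShell": [e for e in events if rule_ps_task_creation(e)],
        "Scheduled Task Actions Registry Modification": [e for e in events if rule_taskcache_actions_set(e)],
        "Script Loading Taskschd.dll": [e for e in events if rule_script_loads_taskschd(e)],
    }


def correlate(events, window=timedelta(seconds=60)):
    """Pair each TaskCache Actions write with a script host that loaded taskschd.dll on
    the same machine within `window` before it. The write is done by the Task Scheduler
    service (svchost.exe), so ProcessGuid cannot be the join key; host + time is."""
    loads = [e for e in events if rule_script_loads_taskschd(e)]
    hits = []
    for w in (e for e in events if rule_taskcache_actions_set(e)):
        for l in loads:
            if l["Computer"] == w["Computer"] and timedelta(0) <= w["UtcTime"] - l["UtcTime"] <= window:
                hits.append({"host": w["Computer"], "engine": image_name(l["Image"]),
                             "engine_guid": l["ProcessGuid"], "task_key": w["TargetObject"]})
    return hits


def utf16_strings(blob, min_len=4):
    """Printable UTF-16LE runs in a raw Actions value (what `strings -el` would show).
    Sysmon reports REG_BINARY data only as the text "Binary Data", so this needs a
    source that exposes the bytes (a registry dump or telemetry that carries them)."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group(0).decode("utf-16-le") for m in re.finditer(pattern, blob)]


# --- constructed sample telemetry ---------------------------------------------------
T0 = datetime(2024, 1, 1, 12, 0, 0)
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
TASK_KEY = (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks"
            r"\{7A9C1D2E-0000-4000-8000-0000000000AA}\Actions")
SAMPLE_EVENTS = [
    # WS01: hidden PowerShell registers a task through the Schedule.Service COM object
    {"EventID": 1, "UtcTime": T0, "Computer": "WS01", "Image": PS, "ProcessGuid": "{guid-a}",
     "CommandLine": 'powershell.exe -nop -w hidden -c "$s=New-Object -ComObject Schedule.Service; $s.Connect()"'},
    {"EventID": 7, "UtcTime": T0 + timedelta(seconds=1), "Computer": "WS01", "Image": PS,
     "ProcessGuid": "{guid-a}", "ImageLoaded": r"C:\Windows\System32\taskschd.dll"},
    {"EventID": 13, "UtcTime": T0 + timedelta(seconds=2), "Computer": "WS01",
     "Image": r"C:\Windows\System32\svchost.exe", "ProcessGuid": "{guid-svc}",
     "TargetObject": TASK_KEY, "Details": "Binary Data"},
    # WS01: benign PowerShell that only lists tasks
    {"EventID": 1, "UtcTime": T0 + timedelta(seconds=30), "Computer": "WS01", "Image": PS,
     "ProcessGuid": "{guid-b}", "CommandLine": "powershell.exe -c Get-ScheduledTask"},
    # WS02: an administrator edits a task in the Task Scheduler console (mmc.exe), no script host
    {"EventID": 7, "UtcTime": T0 + timedelta(seconds=4), "Computer": "WS02",
     "Image": r"C:\Windows\System32\mmc.exe", "ProcessGuid": "{guid-c}",
     "ImageLoaded": r"C:\Windows\System32\taskschd.dll"},
    {"EventID": 13, "UtcTime": T0 + timedelta(seconds=5), "Computer": "WS02",
     "Image": r"C:\Windows\System32\svchost.exe", "ProcessGuid": "{guid-svc2}",
     "TargetObject": TASK_KEY.replace("0000000000AA", "0000000000BB"), "Details": "Binary Data"},
]

# Constructed stand-in for an Actions value: a short binary header followed by UTF-16LE
# strings (author, path, arguments). The real on-disk layout carries more fields.
ACTIONS_BLOB = (b"\x03\x00\x66\x66" + "Author".encode("utf-16-le") + b"\x00\x00"
                + r"C:\Users\Public\update.exe".encode("utf-16-le") + b"\x00\x00"
                + "-q /s".encode("utf-16-le") + b"\x00\x00")

if __name__ == "__main__":
    for name, matched in run_rules(SAMPLE_EVENTS).items():
        print(f"{name}: {len(matched)} event(s)")
    for hit in correlate(SAMPLE_EVENTS):
        print("correlated:", hit)
    print("strings in Actions blob:", utf16_strings(ACTIONS_BLOB))
```

On the sample telemetry the PowerShell rule fires once, the registry rule twice (WS01 and WS02) and the image-load rule once, but only WS01 survives the correlation: the administrator's edit on WS02 writes the same TaskCache key without any script host loading taskschd.dll. That gap between the individual medium-severity rules and the combined signal is the reason the advisory asks for correlation rather than alerting on any one source. In a SIEM the same join is what a Sigma correlation rule or a scheduled search over the three sources would express; utf16_strings only adds value where the telemetry exposes the raw Actions bytes, since Sysmon does not.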

The detection queries themselves are kept inside the platform and are not reproduced on this page.