Detecting Remote Scheduled Task Creation for Lateral Movement
This rule identifies remote scheduled task creations on a target Windows host, potentially indicating lateral movement by adversaries, by monitoring network connections and registry modifications related to task scheduling.
This detection identifies remote scheduled task creations on a target host, which can be indicative of lateral movement. Adversaries often leverage scheduled tasks to execute malicious commands, maintain persistence, or escalate privileges. The technique is particularly effective because it uses native Windows functionality, which makes it hard to distinguish from legitimate administrative actions. This rule is designed for data generated by Elastic Defend and also supports third-party data sources such as SentinelOne Cloud Funnel and Sysmon. Understanding when and how scheduled tasks are created remotely is crucial for detecting and responding to potential intrusions. The rule focuses on inbound network connections accepted by svchost.exe (the process hosting the Task Scheduler service) and on registry modifications to a task's Actions value.
Attack Chain
- The attacker gains initial access to a system, potentially through phishing or exploiting a vulnerability.
- The attacker uses the compromised system to scan the network for potential targets.
- The attacker attempts to authenticate to a target Windows host using stolen credentials or by exploiting a vulnerability in a network service.
- The attacker connects to the Task Scheduler service on the target host over RPC, typically on a port in the dynamic port range (49152 and above). On the target, this shows up as an inbound network connection accepted by svchost.exe, the process that hosts the Task Scheduler service.
- The attacker creates a new scheduled task on the target system using the Task Scheduler service.
- Creating the task writes its definition under the registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{TaskID}; the Actions value of that key defines what the task runs. The value is stored as binary data and is surfaced base64 encoded by the telemetry this rule consumes, so the configured command is not readable until the value is decoded.
- The scheduled task executes a malicious payload, granting the attacker further access to or control over the target system.
- The attacker uses the newly gained access for lateral movement, data exfiltration, or other malicious objectives.
Impact
Successful exploitation can lead to unauthorized access to sensitive systems, data breaches, and further lateral movement within the network. The rule is designed to catch this activity, reducing the dwell time of attackers and minimizing potential damage.
Recommendation
- Deploy the provided Sigma rules to your SIEM and tune for your environment to detect malicious scheduled task creation.
- Enable Sysmon Event ID 3 (Network Connection) and Sysmon Event ID 13 (Registry Value Set) so that both the inbound connection to svchost.exe and the write to the task's Actions value are recorded (see Setup instructions).
- Decode the base64 encoded Actions registry value of the new task to see which command, arguments and working directory it is configured to run (see rule description).
- Investigate any alerts generated by the Sigma rule to determine the legitimacy of the scheduled task creation and the intent behind the configured action.
Detection coverage (2 rules)
Suspicious Remote Scheduled Task Creation via Registry Modification
Severity: medium. Detects scheduled task creation on a remote host by monitoring registry modifications associated with task configuration, specifically the Actions value within the task's registry key.
Suspicious Network Connection to High Port Followed by Scheduled Task Creation
Severity: medium. Detects network connections to high ports commonly used by the Task Scheduler service followed by registry modifications indicative of scheduled task creation.
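The following Python is an added worked example, not part of this page or of the rule set it describes. It runs the logic behind the attack chain and the two rules above over constructed sample events: an inbound connection accepted by svchost.exe on a dynamic port is paired with a subsequent write to a task's Actions value on the same host, and the base64 Actions data is decoded so the embedded UTF-16LE strings (command and arguments) can be reviewed. The event field names, the 60-second correlation window and the blob itself are assumptions; the blob is a constructed stand-in that only shares with a real Actions value the property that its strings are stored as length-prefixed UTF-16LE, so the string scrape is a triage aid, not a parser of the real format.

```python
"""Correlate inbound svchost.exe connections on dynamic RPC ports with a
subsequent write to a scheduled task's Actions registry value, then pull the
UTF-16LE strings (command, arguments) out of the decoded Actions blob."""
import base64
import re
from datetime import datetime, timedelta

DYNAMIC_PORT_MIN = 49152          # Windows dynamic RPC port range starts here
WINDOW = timedelta(seconds=60)    # assumed max gap between connection and registry write

# The task's Actions value under the TaskCache; {GUID} is the per-task id.
ACTIONS_PATH = re.compile(
    r"^HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache"
    r"\\Tasks\\\{[0-9a-f-]+\}\\Actions$", re.IGNORECASE)
# Runs of 4+ printable ASCII characters encoded as UTF-16LE.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def utf16_strings(blob: bytes) -> list[str]:
    """Quick triage: return the printable UTF-16LE strings embedded in the blob."""
    return [m.group().decode("utf-16le") for m in UTF16_RUN.finditer(blob)]


def is_remote_scheduler_connection(e: dict) -> bool:
    """Inbound connection accepted by svchost.exe on a dynamic port
    (Sysmon Event ID 3 with Initiated=false)."""
    return (e["type"] == "network"
            and e["direction"] == "inbound"
            and e["image"].lower().endswith("\\svchost.exe")
            and e["dst_port"] >= DYNAMIC_PORT_MIN)


def correlate(events: list[dict]) -> list[dict]:
    """Pair each Actions write with the most recent qualifying inbound
    connection on the same host inside WINDOW; local task creation (no
    preceding inbound connection) produces no hit."""
    pending: dict[str, list[dict]] = {}
    hits = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        host = e["host"]
        if is_remote_scheduler_connection(e):
            pending.setdefault(host, []).append(e)
        elif e["type"] == "registry" and ACTIONS_PATH.match(e["path"]):
            for conn in reversed(pending.get(host, [])):
                if timedelta(0) <= e["ts"] - conn["ts"] <= WINDOW:
                    blob = base64.b64decode(e["data_b64"])
                    hits.append({"host": host, "src_ip": conn["src_ip"],
                                 "port": conn["dst_port"], "task_key": e["path"],
                                 "strings": utf16_strings(blob)})
                    break
    return hits


def _u16(s: str) -> bytes:
    """Length-prefixed UTF-16LE string, the shape the blob uses for its strings."""
    b = s.encode("utf-16le")
    return len(b).to_bytes(4, "little") + b


# Constructed stand-in for an Actions blob (version word, author id, arbitrary
# marker bytes, command, arguments, empty working dir); not a byte-exact Windows blob.
CONSTRUCTED_BLOB = (b"\x03\x00" + _u16("Author") + b"\x66\x66"
                    + _u16(r"C:\Windows\System32\cmd.exe") + _u16("/c whoami") + _u16(""))

T0 = datetime(2024, 5, 1, 9, 0, 0)
SVCHOST = r"C:\Windows\System32\svchost.exe"
TASK_KEY = (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache"
            r"\Tasks\{6F0C1B3A-2D4E-4F5A-9B7C-1D2E3F4A5B6C}\Actions")
ACTIONS_B64 = base64.b64encode(CONSTRUCTED_BLOB).decode()

# Constructed sample telemetry; field names loosely follow Sysmon/ECS, not any exact schema.
SAMPLE_EVENTS = [
    # Outbound svchost.exe traffic (e.g. Windows Update): must not count.
    {"type": "network", "ts": T0, "host": "WS01", "image": SVCHOST,
     "direction": "outbound", "src_ip": "10.0.0.20", "dst_port": 443},
    # Actions write with no inbound connection: task created locally, must not alert.
    {"type": "registry", "ts": T0 + timedelta(seconds=5), "host": "WS02",
     "path": TASK_KEY, "data_b64": ACTIONS_B64},
    # Inbound RPC from 10.0.0.5 accepted by svchost.exe on a dynamic port ...
    {"type": "network", "ts": T0 + timedelta(seconds=30), "host": "WS01", "image": SVCHOST,
     "direction": "inbound", "src_ip": "10.0.0.5", "dst_port": 49667},
    # ... followed three seconds later by the task's Actions value being written.
    {"type": "registry", "ts": T0 + timedelta(seconds=33), "host": "WS01",
     "path": TASK_KEY, "data_b64": ACTIONS_B64},
]

if __name__ == "__main__":
    for hit in correlate(SAMPLE_EVENTS):
        print(f"{hit['host']}: task created over RPC from {hit['src_ip']} (port {hit['port']})")
        print("  embedded strings:", hit["strings"])
```

Only the WS01 pair produces a hit; the outbound svchost.exe connection and the locally created task on WS02 are ignored, which is the false-positive behaviour a tuned version of these rules should keep. When hunting on real data, replace the string scrape with a proper parse of the Actions value if you need the fields individually, and widen or narrow WINDOW to match how quickly task writes follow the RPC connection in your environment.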