medium advisory

Remote Scheduled Task Creation via RPC

The creation of scheduled tasks from a remote source via RPC, where the RpcCallClientLocality and ClientProcessId are 0, indicates potential adversary lateral movement within a Windows environment.

This detection identifies the creation of scheduled tasks on Windows systems from a remote source over Remote Procedure Call (RPC), as recorded in Security event 4698 (A scheduled task was created). Scheduled tasks are a common mechanism for persistence and execution. Administrators legitimately create them remotely for management, but adversaries use the same path for lateral movement and for running code on systems they have already reached. The rule looks for 4698 events whose RpcCallClientLocality and ClientProcessId fields are both 0, which indicates that no local client process is associated with the call; a task created by a local process records that process's PID and a locality of 1. These two fields are only written by newer Windows builds, so on older systems 4698 is logged without them and the rule cannot evaluate. Matching events give defenders a starting point for investigating lateral movement and unauthorized task execution.

Attack Chain

  1. An attacker gains initial access to a network, potentially through phishing or exploiting a vulnerability.
  2. The attacker identifies a target system within the network accessible via RPC.
  3. The attacker establishes an RPC connection to the target system.
  4. Using the RPC connection, the attacker creates a new scheduled task on the target system. Because the caller is not a local process, the resulting 4698 event records RpcCallClientLocality and ClientProcessId as 0.
  5. The scheduled task is configured to execute a malicious payload or command. This could involve running a script, executable, or PowerShell command.
  6. The scheduled task is triggered based on a defined schedule or event.
  7. The malicious payload executes on the target system, achieving the attacker’s objective.
  8. The attacker uses the compromised system to further pivot within the network, repeating the process on other targets.

Impact

Successful use of this technique gives the attacker persistence on the target system: a scheduled task survives reboots and, when it runs as SYSTEM or another service account, continues to fire after the compromised user's credentials are changed. It also facilitates lateral movement, since the same remote task creation can be repeated against every host the attacker's credentials reach. The impact ranges from data theft and system disruption to full network compromise, with the associated downtime, data loss, and reputational damage.

Recommendation

  • Enable “Audit Other Object Access Events” (Advanced Audit Policy, Object Access) so that Security event 4698 (A scheduled task was created) is logged; without it there is nothing for the rule to match.
  • Deploy the Sigma rules listed under Detection coverage to your SIEM to alert on remote scheduled task creation.
  • Investigate each alert: who created the task (SubjectDomainName\SubjectUserName), on which host (Computer/FQDN), and whether that account routinely manages the host remotely. Treat 4698 events that lack the RpcCallClientLocality and ClientProcessId fields as unevaluated rather than local.
  • Review and restrict who can create scheduled tasks, especially remotely. Remote creation requires administrative rights on the target, so tightening local administrator group membership and blocking RPC/SMB to hosts that do not need remote management reduces exposure.
  • Inspect the TaskContent field of the 4698 event, which holds the task's XML definition: Actions/Exec/Command and Arguments show what the task actually runs (encoded PowerShell, binaries in user-writable paths, and living-off-the-land utilities are common red flags), and Triggers shows when it fires.
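As an added worked example (not part of the advisory or of the platform's rule content), the following Python applies the detection described above to three constructed Security 4698 events and pulls the configured action out of TaskContent for triage. The hostnames, account names, task names and task bodies are constructed for illustration; the field names (EventID, TaskName, TaskContent, ClientProcessId, RpcCallClientLocality, FQDN) are the ones Windows writes in the real event. The third event models an older build that logs 4698 without the RPC client fields, which the code reports as unknown rather than local.

```python
"""Flag remote scheduled-task creation in Security event 4698 and triage
TaskContent. The three events below are constructed, not real telemetry."""
import re
import xml.etree.ElementTree as ET

EVT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"
HEAD = ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>'
        '<Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4698</EventID>')

# Constructed: created over RPC from another host, so both client fields are 0.
# "-enc dwBoAG8AYQBtAGkA" is the UTF-16LE base64 of "whoami", a harmless stand-in.
REMOTE_EVENT = f"""{HEAD}<Computer>FS01.corp.example</Computer></System><EventData>
 <Data Name="SubjectUserName">svc_backup</Data><Data Name="SubjectDomainName">CORP</Data>
 <Data Name="TaskName">\\Microsoft\\Windows\\Update\\Sync</Data>
 <Data Name="TaskContent">&lt;?xml version="1.0" encoding="UTF-16"?&gt;
&lt;Task version="1.2" xmlns="{TASK_NS}"&gt;&lt;Actions Context="Author"&gt;&lt;Exec&gt;
&lt;Command&gt;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe&lt;/Command&gt;
&lt;Arguments&gt;-nop -w hidden -enc dwBoAG8AYQBtAGkA&lt;/Arguments&gt;
&lt;/Exec&gt;&lt;/Actions&gt;&lt;/Task&gt;</Data>
 <Data Name="ClientProcessId">0</Data><Data Name="ParentProcessId">0</Data>
 <Data Name="RpcCallClientLocality">0</Data><Data Name="FQDN">FS01.corp.example</Data>
</EventData></Event>"""

# Constructed: created by a local schtasks.exe; real PIDs and locality 1.
LOCAL_EVENT = f"""{HEAD}<Computer>WS22.corp.example</Computer></System><EventData>
 <Data Name="SubjectUserName">jdoe</Data><Data Name="SubjectDomainName">CORP</Data>
 <Data Name="TaskName">\\Backup\\Nightly</Data>
 <Data Name="TaskContent">&lt;Task version="1.2" xmlns="{TASK_NS}"&gt;&lt;Actions&gt;&lt;Exec&gt;
&lt;Command&gt;robocopy.exe&lt;/Command&gt;&lt;Arguments&gt;D:\\Data E:\\Backup /MIR&lt;/Arguments&gt;
&lt;/Exec&gt;&lt;/Actions&gt;&lt;/Task&gt;</Data>
 <Data Name="ClientProcessId">4212</Data><Data Name="ParentProcessId">5120</Data>
 <Data Name="RpcCallClientLocality">1</Data><Data Name="FQDN">WS22.corp.example</Data>
</EventData></Event>"""

# Constructed: older build whose 4698 carries no RPC client fields at all.
OLD_BUILD_EVENT = f"""{HEAD}<Computer>DC01.corp.example</Computer></System><EventData>
 <Data Name="SubjectUserName">Administrator</Data><Data Name="SubjectDomainName">CORP</Data>
 <Data Name="TaskName">\\Maint</Data>
 <Data Name="TaskContent">&lt;Task version="1.2" xmlns="{TASK_NS}"&gt;&lt;Actions&gt;&lt;Exec&gt;
&lt;Command&gt;cmd.exe&lt;/Command&gt;&lt;Arguments&gt;/c defrag C:&lt;/Arguments&gt;
&lt;/Exec&gt;&lt;/Actions&gt;&lt;/Task&gt;</Data>
</EventData></Event>"""


def parse_event(xml_text):
    """Flatten <EventData> into {Name: value} and add EventID and Computer."""
    root = ET.fromstring(xml_text)
    ev = {d.get("Name"): (d.text or "") for d in root.iter(f"{EVT_NS}Data")}
    ev["EventID"] = root.findtext(f"{EVT_NS}System/{EVT_NS}EventID", "")
    ev["Computer"] = root.findtext(f"{EVT_NS}System/{EVT_NS}Computer", "")
    return ev


def classify(ev):
    """'remote' = both fields 0 (the rule's condition); 'local' = fields present
    and non-zero; 'unknown' = fields absent, which must not be read as local."""
    if ev.get("EventID") != "4698":
        return "not_4698"
    loc, pid = ev.get("RpcCallClientLocality"), ev.get("ClientProcessId")
    if loc is None or pid is None:
        return "unknown"
    return "remote" if loc == "0" and pid == "0" else "local"


_PROLOG = re.compile(r"^\s*<\?xml[^>]*\?>")  # TaskContent may start with one


def task_actions(task_content):
    """Return (Command, Arguments) for every Actions/Exec in the task XML."""
    root = ET.fromstring(_PROLOG.sub("", task_content, count=1))
    actions = []
    for node in root.iter():
        if node.tag.rsplit("}", 1)[-1] == "Exec":
            kids = {c.tag.rsplit("}", 1)[-1]: (c.text or "").strip() for c in node}
            actions.append((kids.get("Command", ""), kids.get("Arguments", "")))
    return actions


def triage(xml_events):
    """One record per event; only 'remote' verdicts are alerts."""
    out = []
    for xml_text in xml_events:
        ev = parse_event(xml_text)
        verdict = classify(ev)
        out.append({
            "host": ev["Computer"],
            "subject": ev.get("SubjectDomainName", "") + "\\" + ev.get("SubjectUserName", ""),
            "task": ev.get("TaskName", ""),
            "verdict": verdict,
            "alert": verdict == "remote",
            "actions": task_actions(ev["TaskContent"]) if ev.get("TaskContent") else [],
        })
    return out


if __name__ == "__main__":
    for r in triage([REMOTE_EVENT, LOCAL_EVENT, OLD_BUILD_EVENT]):
        print(("ALERT" if r["alert"] else "     "), r["host"], r["verdict"], r["subject"], r["task"])
        for cmd, args in r["actions"]:
            print("      action:", cmd, args)
```

Running it prints one line per event: only the FS01 event is marked ALERT, with its action shown as powershell.exe and an encoded command, which is exactly the TaskContent detail an analyst wants next to the alert. The DC01 event is reported as unknown because the fields the rule depends on are absent, so a SIEM query that simply tests `RpcCallClientLocality == 0` would silently miss every host that does not log the field.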

Detection coverage (2 rules)

Detect Remote Scheduled Task Creation via RPC

medium

Identifies scheduled task creation from a remote source via RPC where RpcCallClientLocality and ClientProcessId are 0, indicative of lateral movement.

Format: Sigma. Tactics: execution, lateral_movement. Techniques: T1021, T1053, T1053.005. Sources: process_creation, windows.

Suspicious Scheduled Task Creation Event

medium

Detects suspicious scheduled task creation events based on specific event data values indicating remote creation.

Format: Sigma. Tactics: execution, lateral_movement. Techniques: T1021, T1053, T1053.005. Sources: process_creation, windows.
