Detecting Suspicious Scheduled Task Creation in Windows
This rule uses Windows event logs to detect the creation of scheduled tasks, which adversaries may abuse for persistence, lateral movement, or privilege escalation.
Adversaries frequently abuse Windows scheduled tasks to establish persistence, move laterally within a network, and escalate privileges. This technique involves creating or modifying scheduled tasks to execute malicious code at specific times or in response to certain events. This detection rule identifies suspicious task creation by filtering out benign tasks and those initiated by system accounts, focusing on potential threats. The rule relies on Windows Security Event Logs, offering a valuable method for identifying unauthorized task creation indicative of malicious activity. The detection logic specifically excludes common tasks associated with software updates from vendors like Hewlett-Packard, Microsoft, Google, and Mozilla, as well as tasks run by system accounts.
Attack Chain
- An attacker gains initial access to a system, potentially through phishing or exploiting a vulnerability.
- The attacker uses their initial access to execute commands, potentially leveraging PowerShell or cmd.exe.
- The attacker uses the schtasks command-line utility or the COM interface to create a new scheduled task.
- The scheduled task is configured to execute a malicious payload, such as a reverse shell or a data exfiltration script.
- The task is set to trigger based on a specific schedule, such as at system startup, at a specific time, or upon a specific event.
- When the trigger occurs, the scheduled task executes the malicious payload.
- The malicious payload establishes persistence, allowing the attacker to maintain access to the compromised system.
- The attacker can then use the persistent access to move laterally to other systems or to exfiltrate sensitive data.
Impact
Successful exploitation allows adversaries to maintain persistent access to compromised systems, potentially leading to data theft, system disruption, or further lateral movement within the network. By creating malicious scheduled tasks, attackers can ensure their code is executed even after a system reboot or user logoff. This can result in long-term compromise and significant damage to affected organizations. While the number of victims and specific sectors targeted are not detailed, the potential impact is broad due to the widespread use of Windows systems in enterprise environments.
Recommendation
- Enable Windows Security Event Logging and ensure that event ID 4698 (A scheduled task was created) is collected.
- Deploy the Sigma rule “Suspicious Scheduled Task Creation via Winlog” to your SIEM to detect potentially malicious scheduled task creation events.
- Regularly review and update the exclusion list in the Sigma rule to account for new benign scheduled tasks in your environment.
- Investigate any alerts generated by the Sigma rule by examining the task’s name, path, actions, and triggers to determine if they are suspicious.
- Monitor for related suspicious activity, such as unusual process executions or network connections originating from the compromised system.
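The filtering and triage steps above, sketched as an added example (this is not the platform's Sigma rule). It assumes each event is already parsed into a dict keyed by the 4698 EventData field names; the exclusion prefixes, the system-account test and the sample events are illustrative assumptions.

```python
import xml.etree.ElementTree as ET

# Assumed exclusion prefixes for vendor updater tasks; replace with your own list.
BENIGN_PREFIXES = ("\\microsoft\\", "\\hewlett-packard\\", "\\googleupdate", "\\mozilla\\")
SYSTEM_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}  # LocalSystem, LocalService, NetworkService
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

def summarize_task(task_xml):
    """Return (actions, triggers) parsed from the event's TaskContent XML."""
    try:
        root = ET.fromstring(task_xml)
    except ET.ParseError:
        return ["<unparseable TaskContent>"], []  # keep the event visible for triage
    actions = [" ".join(filter(None, (e.findtext("t:Command", "", NS),
                                      e.findtext("t:Arguments", "", NS))))
               for e in root.findall("t:Actions/t:Exec", NS)]
    triggers = [el.tag.split("}")[-1] for el in root.findall("t:Triggers/*", NS)]
    return actions, triggers

def suspicious_task_creations(events):
    """Return triage records for 4698 events that survive both exclusions."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4698:
            continue
        user, sid = ev.get("SubjectUserName", ""), ev.get("SubjectUserSid", "")
        if sid in SYSTEM_SIDS or user.endswith("$"):
            continue  # system or machine account
        name = ev.get("TaskName", "")
        if name.lower().startswith(BENIGN_PREFIXES):
            continue  # excluded vendor updater task
        actions, triggers = summarize_task(ev.get("TaskContent", ""))
        hits.append({"user": user, "task": name, "actions": actions, "triggers": triggers})
    return hits

# Constructed sample data, not real log output.
SAMPLE_XML = ('<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
              "<Triggers><LogonTrigger/></Triggers><Actions><Exec><Command>powershell.exe"
              "</Command><Arguments>-File C:\\Temp\\u.ps1</Arguments></Exec></Actions></Task>")
USER = {"EventID": 4698, "SubjectUserName": "alice", "SubjectUserSid": "S-1-5-21-1-2-3-1105",
        "TaskContent": SAMPLE_XML}
SAMPLE_EVENTS = [
    {**USER, "SubjectUserName": "WS01$", "SubjectUserSid": "S-1-5-18", "TaskName": "\\Sync"},
    {**USER, "TaskName": "\\GoogleUpdateTaskMachineCore"},
    {**USER, "TaskName": "\\Updater"},
]
if __name__ == "__main__":
    for hit in suspicious_task_creations(SAMPLE_EVENTS):
        print(hit)
```

Keep exclusion prefixes as specific as possible, since a broad prefix hides every task created beneath it.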
Detection coverage (2 rules)
Suspicious Scheduled Task Creation via Winlog
Severity: medium. Detects the creation of scheduled tasks using Windows event logs, excluding common benign tasks and system accounts.
Scheduled Task Created with PowerShell
Severity: high. Detects scheduled tasks created using PowerShell, which can be indicative of malicious activity.