Threat Feed advisory (severity: medium)

Suspicious Outbound Scheduled Task Activity via PowerShell

This rule detects PowerShell loading the Task Scheduler COM DLL followed by an outbound RPC network connection, potentially indicating lateral movement or remote discovery via scheduled tasks.

The detection rule identifies suspicious PowerShell activity related to scheduled tasks. Adversaries abuse the Task Scheduler to execute malicious scripts, facilitating lateral movement or remote discovery. The rule watches for the Task Scheduler COM DLL (taskschd.dll) being loaded by a PowerShell process (powershell.exe, pwsh.exe, powershell_ise.exe) and then for that same process initiating an outbound RPC connection, a sequence that signals potential misuse. This activity may indicate attackers leveraging scheduled tasks for remote execution or reconnaissance within a compromised network. The detection logic focuses on the sequence of loading taskschd.dll and initiating a connection to port 135, the RPC endpoint mapper port used for Distributed Component Object Model (DCOM) communication.

Attack Chain

  1. An attacker gains initial access to a Windows system through various means.
  2. The attacker uses PowerShell to interact with the Task Scheduler service.
  3. PowerShell process (powershell.exe, pwsh.exe, or powershell_ise.exe) loads the taskschd.dll library.
  4. The attacker creates or modifies a scheduled task using PowerShell commands.
  5. The scheduled task is configured to execute a malicious payload.
  6. PowerShell initiates an outbound RPC connection on port 135.
  7. The malicious payload executes, potentially leading to lateral movement or remote discovery.
  8. The attacker achieves their objective, such as gaining control of additional systems or gathering sensitive information.

Impact

Successful exploitation can lead to unauthorized remote code execution, lateral movement within the network, and the potential compromise of sensitive data. The creation or modification of scheduled tasks can provide persistence for attackers, allowing them to maintain access to compromised systems even after reboots. The impact includes potential data breaches, system compromise, and disruption of services.

Recommendation

  • Enable Sysmon Event ID 7 (Image Loaded) and Event ID 3 (Network Connection) logging to detect the specific activity described in the attack chain.
  • Deploy the Sigma rule “Outbound Scheduled Task Activity via PowerShell” to your SIEM and tune the maxspan value based on your environment’s typical activity patterns.
  • Investigate any alerts generated by the Sigma rule, focusing on identifying the specific PowerShell commands used and the scheduled tasks created or modified.
  • Monitor network connections to port 135 originating from PowerShell processes, and correlate with other security events to identify suspicious patterns.
  • Implement stricter controls on the creation and modification of scheduled tasks, limiting access to authorized personnel only.
  • Review and clean up any unauthorized scheduled tasks on systems to prevent persistent malicious activity.
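The sequence the detection logic paragraph describes, using the Sysmon Event ID 7 (Image Loaded) and Event ID 3 (Network Connection) records and the tunable maxspan named in the recommendations, as an added Python example that is neither the platform's rule nor the Sigma rule itself. It replays constructed Sysmon-style events (host WS01, process GUIDs {A} to {D} and destination 10.0.0.25 are all made up) and raises an alert only when a PowerShell image loads taskschd.dll and the same process then initiates an outbound connection to port 135 within maxspan.

```python
from datetime import datetime, timedelta
# Sysmon event IDs used below: 7 = Image Loaded, 3 = Network Connection.
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PWSH = r"C:\Program Files\PowerShell\7\pwsh.exe"
SVCHOST = r"C:\Windows\System32\svchost.exe"
TASKSCHD = r"C:\Windows\System32\taskschd.dll"

def ev(event_id, utc_time, guid, image, **fields):  # constructed record, hypothetical host WS01
    return {"EventID": event_id, "UtcTime": utc_time, "Computer": "WS01",
            "ProcessGuid": guid, "Image": image, **fields}
def rpc(guid, image, utc_time, port="135"):  # constructed outbound connection to 10.0.0.25
    return ev(3, utc_time, guid, image, Initiated="true",
              DestinationIp="10.0.0.25", DestinationPort=port)

# Constructed sample telemetry, not a real capture. Four processes:
#  A: powershell.exe loads taskschd.dll, then TCP/135 four seconds later  -> alert
#  B: pwsh.exe loads the DLL but only connects to TCP/443                  -> no alert
#  C: powershell.exe loads the DLL, TCP/135 comes ten minutes later        -> outside maxspan
#  D: svchost.exe performs the same sequence                               -> not PowerShell
SAMPLE_EVENTS = [
    ev(7, "2024-05-01 10:00:00", "{A}", PS, ImageLoaded=TASKSCHD),
    rpc("{A}", PS, "2024-05-01 10:00:04"),
    ev(7, "2024-05-01 10:01:00", "{B}", PWSH, ImageLoaded=TASKSCHD),
    rpc("{B}", PWSH, "2024-05-01 10:01:02", port="443"),
    ev(7, "2024-05-01 10:10:00", "{C}", PS, ImageLoaded=TASKSCHD),
    rpc("{C}", PS, "2024-05-01 10:20:00"),
    ev(7, "2024-05-01 10:30:00", "{D}", SVCHOST, ImageLoaded=TASKSCHD),
    rpc("{D}", SVCHOST, "2024-05-01 10:30:01"),
]

def correlate(events, maxspan_seconds=300):
    """Sequence rule: taskschd.dll loaded by a PowerShell image, then within maxspan an
    outbound connection to port 135 from the same process (host + ProcessGuid)."""
    maxspan, pending, alerts = timedelta(seconds=maxspan_seconds), {}, []
    for e in sorted(events, key=lambda x: x["UtcTime"]):
        key = (e["Computer"], e["ProcessGuid"])
        when = datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S")
        image = e["Image"].rsplit("\\", 1)[-1].lower()
        dll = e.get("ImageLoaded", "").rsplit("\\", 1)[-1].lower()
        if e["EventID"] == 7 and image in POWERSHELL_IMAGES and dll == "taskschd.dll":
            pending[key] = when  # open a correlation window for this process
        elif (e["EventID"] == 3 and key in pending and e.get("Initiated") == "true"
              and e["DestinationPort"] == "135"):
            loaded_at = pending.pop(key)  # first 135 connection closes the window either way
            if when - loaded_at <= maxspan:
                alerts.append({"host": e["Computer"], "process": image,
                               "guid": e["ProcessGuid"], "dest": e["DestinationIp"]})
    return alerts
```

Raising maxspan_seconds makes case C fire as well, which is the trade-off the tuning recommendation refers to.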

Detection coverage (2 rules)

PowerShell Loading Task Scheduler DLL

Severity: medium

Detects PowerShell loading the Task Scheduler DLL, which is often used for malicious scheduled task creation.

Rule type: Sigma | Tactics: execution | Techniques: T1053.005, T1059.001 | Log sources: image_load, windows

PowerShell Outbound RPC Connection

Severity: medium

Detects PowerShell making outbound network connections to port 135, which can indicate RPC activity for lateral movement.

Rule type: Sigma | Tactics: command_and_control, lateral_movement | Techniques: T1021.003, T1071.001 | Log sources: network_connection, windows
