Threat Feed
Advisory severity: low

Unusual Scheduled Task Update

This rule detects modifications to scheduled tasks made by user accounts, excluding activity by system and machine accounts. Adversaries abuse such modifications for persistence by changing an existing task so that it executes malicious code.

This detection identifies first-time modifications to scheduled tasks by non-system users on Windows systems. Adversaries frequently abuse scheduled tasks to achieve persistence by modifying existing tasks or creating new ones that execute malicious code at recurring intervals. This rule focuses on detecting unauthorized changes to existing tasks by filtering out known system accounts (SYSTEM, Local Service, Network Service) and machine accounts, thereby highlighting potentially suspicious user activity. The rule leverages Windows Security Event Logs (event code 4702) to monitor task modifications. The goal is to aid in the early detection of threats where attackers are attempting to establish persistence on a compromised system.
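The filtering logic described above, as an added example that is not the advisory's own Sigma rule: it consumes Windows Security event 4702 records, drops the well-known service accounts and machine accounts (names ending in `$`), and alerts only on the first modification of a given task by a given user. Field names follow the EventData of event 4702 (`SubjectUserName`, `SubjectDomainName`, `TaskName`, `TaskContent`); the event records and the task XML are constructed for the example, and the `extract_exec_actions` triage helper is an addition of this example, not part of the rule.

```python
"""Added example, not the advisory's own Sigma rule: applies the filtering the
advisory describes (event 4702, drop system and machine accounts, alert on the
first modification of a task by a given user) to constructed event records.
Field names follow the EventData of Security event 4702 (SubjectUserName,
SubjectDomainName, TaskName, TaskContent); every record below is constructed."""
import xml.etree.ElementTree as ET
from typing import Optional

# Well-known service accounts the advisory treats as system activity.
SYSTEM_ACCOUNTS = {"system", "local service", "network service"}
# Namespace used by the task XML that event 4702 carries in TaskContent.
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"


def is_system_or_machine_account(user: str, domain: str) -> bool:
    """True for SYSTEM / Local Service / Network Service, anything in the
    NT AUTHORITY domain, and machine accounts (names ending in '$')."""
    u = user.strip().lower()
    return (u in SYSTEM_ACCOUNTS
            or u.endswith("$")
            or domain.strip().lower() == "nt authority")


def extract_exec_actions(task_content: str) -> list:
    """Triage helper (this example's addition): pull '<Command> <Arguments>'
    out of the task XML. Returns [] when the content is missing or malformed."""
    if not task_content:
        return []
    try:
        root = ET.fromstring(task_content)
    except ET.ParseError:
        return []
    actions = []
    for exec_node in root.iter(f"{TASK_NS}Exec"):
        cmd = exec_node.findtext(f"{TASK_NS}Command", default="")
        args = exec_node.findtext(f"{TASK_NS}Arguments", default="")
        actions.append(f"{cmd} {args}".strip())
    return actions


class ScheduledTaskUpdateDetector:
    """Alerts the first time a (domain, user, task) triple is seen updating a
    task; repeats of the same triple are treated as baseline and suppressed."""

    def __init__(self) -> None:
        self.seen = set()

    def process(self, event: dict) -> Optional[dict]:
        if event.get("EventID") != 4702:
            return None
        user = event.get("SubjectUserName", "")
        domain = event.get("SubjectDomainName", "")
        if is_system_or_machine_account(user, domain):
            return None
        task = event.get("TaskName", "")
        key = (domain.lower(), user.lower(), task.lower())
        if key in self.seen:
            return None
        self.seen.add(key)
        return {
            "user": f"{domain}\\{user}",
            "task": task,
            "actions": extract_exec_actions(event.get("TaskContent", "")),
        }


# Constructed task XML for one sample event (not captured from a real host).
CONSTRUCTED_TASK_XML = (
    '<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
    "<Actions><Exec><Command>C:\\Users\\jdoe\\AppData\\Local\\Temp\\svc.exe</Command>"
    "<Arguments>-q</Arguments></Exec></Actions></Task>"
)

# Constructed sample events, in arrival order.
SAMPLE_EVENTS = [
    {"EventID": 4702, "SubjectUserName": "SYSTEM", "SubjectDomainName": "NT AUTHORITY",
     "TaskName": "\\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Scan"},
    {"EventID": 4702, "SubjectUserName": "WKSTN01$", "SubjectDomainName": "CORP",
     "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"},
    {"EventID": 4702, "SubjectUserName": "jdoe", "SubjectDomainName": "CORP",
     "TaskName": "\\Microsoft\\Windows\\Maintenance\\WinSAT",
     "TaskContent": CONSTRUCTED_TASK_XML},
    {"EventID": 4702, "SubjectUserName": "jdoe", "SubjectDomainName": "CORP",
     "TaskName": "\\Microsoft\\Windows\\Maintenance\\WinSAT"},
    {"EventID": 4698, "SubjectUserName": "jdoe", "SubjectDomainName": "CORP",
     "TaskName": "\\Updater"},
    {"EventID": 4702, "SubjectUserName": "NETWORK SERVICE",
     "SubjectDomainName": "NT AUTHORITY",
     "TaskName": "\\Microsoft\\Windows\\Wininet\\CacheTask"},
    {"EventID": 4702, "SubjectUserName": "asmith", "SubjectDomainName": "CORP",
     "TaskName": "\\Updater"},
]


def run_detection(events: list) -> list:
    """Feed events through one detector instance and collect the alerts."""
    detector = ScheduledTaskUpdateDetector()
    return [a for a in (detector.process(e) for e in events) if a is not None]


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(alert)
```

Run over the sample events, only the two user-driven first-time updates (`CORP\jdoe` on WinSAT and `CORP\asmith` on `\Updater`) surface; the SYSTEM, NETWORK SERVICE and `WKSTN01$` records and the repeat by `jdoe` are suppressed, and the 4698 creation event is ignored because this rule covers updates only. In production the "seen" baseline would be persisted rather than kept in memory.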

Attack Chain

  1. An attacker gains initial access to a Windows system, potentially through phishing or exploiting a vulnerability.
  2. The attacker enumerates existing scheduled tasks on the system using tools like schtasks.exe or PowerShell cmdlets.
  3. The attacker identifies a suitable scheduled task to modify for persistence.
  4. The attacker modifies the task’s settings, such as the trigger time, the executable to run, or the arguments passed to the executable. This modification is logged as event ID 4702.
  5. The scheduled task is updated using schtasks.exe /change or PowerShell’s Set-ScheduledTask cmdlet.
  6. The modified scheduled task executes at the specified time, launching the attacker’s malicious payload.
  7. The malicious payload establishes a reverse shell to the attacker’s command and control (C2) server.
  8. The attacker uses the reverse shell to perform further actions on the compromised system, such as data exfiltration or lateral movement.

Impact

A successful attack involving the modification of scheduled tasks can lead to persistent access to a compromised system. The attacker can use this access to steal sensitive data, install malware, or perform other malicious activities. While this rule is low severity, it can uncover attackers attempting to persist in a network.

Recommendation

  • Enable “Audit Other Object Access Events” to generate the required Windows Security Event Logs (event ID 4702) as described in the setup instructions.
  • Deploy the Sigma rule provided below to your SIEM to detect unusual scheduled task updates.
  • Investigate any alerts generated by this rule to determine if the scheduled task modification is legitimate or malicious.
  • Review the references provided to understand the underlying event IDs and attacker techniques related to scheduled tasks.

Detection coverage (2 rules)

Detect Scheduled Task Modification by Non-System User

low

Detects modifications to scheduled tasks by user accounts excluding system and built-in accounts.

Rule type: sigma | Tactics: persistence | Techniques: T1053.005 | Sources: process_creation, windows

Detect Scheduled Task Modification via PowerShell

medium

Detects modifications to scheduled tasks using PowerShell's Set-ScheduledTask cmdlet, excluding system accounts.

Rule type: sigma | Tactics: persistence | Techniques: T1053.005 | Sources: process_creation, windows
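The process-creation side of the coverage above, as an added example that is not the platform's own rule: it matches the `Set-ScheduledTask` cmdlet and `schtasks /change` (the two update paths named in the attack chain) on the command line, case-insensitively, and excludes system and machine accounts. Field names follow the Sigma `process_creation` log source (`Image`, `CommandLine`, `User`), and the sample events are constructed.

```python
"""Added example, not the platform's own Sigma rule: flags scheduled-task
updates issued via PowerShell's Set-ScheduledTask or schtasks /change in
process-creation telemetry, excluding system and machine accounts.
Field names follow the Sigma process_creation log source; events are constructed."""
import re
from typing import Optional

SYSTEM_ACCOUNTS = {"system", "local service", "network service"}

# Set-ScheduledTask cmdlet in any casing, or schtasks with the /change switch.
CMDLET_RE = re.compile(r"set-scheduledtask\b", re.IGNORECASE)
SCHTASKS_RE = re.compile(r"\bschtasks(\.exe)?\b.*\s/change\b", re.IGNORECASE)


def is_excluded_principal(user: str) -> bool:
    """User arrives as 'DOMAIN\\name'; drop NT AUTHORITY principals,
    well-known service accounts and machine accounts (trailing '$')."""
    domain, _, name = user.rpartition("\\")
    name = name.strip().lower()
    return (domain.strip().lower() == "nt authority"
            or name in SYSTEM_ACCOUNTS
            or name.endswith("$"))


def classify(event: dict) -> Optional[str]:
    """Return which update path the command line used, or None."""
    if is_excluded_principal(event.get("User", "")):
        return None
    cmd = event.get("CommandLine", "")
    if CMDLET_RE.search(cmd):
        return "powershell_cmdlet"
    if SCHTASKS_RE.search(cmd):
        return "schtasks_change"
    return None


PS_IMAGE = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SCHTASKS_IMAGE = "C:\\Windows\\System32\\schtasks.exe"

# Constructed sample process-creation events.
SAMPLE_EVENTS = [
    {"Image": PS_IMAGE, "User": "CORP\\jdoe",
     "CommandLine": 'powershell.exe -nop -c "Set-ScheduledTask -TaskName WinSAT -Action $a"'},
    {"Image": SCHTASKS_IMAGE, "User": "CORP\\asmith",
     "CommandLine": 'schtasks.exe /Change /tn "\\Updater" /tr C:\\Temp\\svc.exe'},
    {"Image": PS_IMAGE, "User": "NT AUTHORITY\\SYSTEM",
     "CommandLine": "powershell.exe -c Set-ScheduledTask -TaskName Scan -Trigger $t"},
    {"Image": SCHTASKS_IMAGE, "User": "CORP\\jdoe",
     "CommandLine": "schtasks.exe /query /fo LIST"},
    {"Image": SCHTASKS_IMAGE, "User": "CORP\\WKSTN01$",
     "CommandLine": "schtasks.exe /change /tn Backup /enable"},
]


def run_detection(events: list) -> list:
    """Return (user, update_path) for every event that matches."""
    hits = []
    for event in events:
        verdict = classify(event)
        if verdict is not None:
            hits.append((event.get("User", ""), verdict))
    return hits


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(hit)
```

The `/query` invocation and the updates run as `NT AUTHORITY\SYSTEM` and as the machine account `WKSTN01$` produce no hit; the two user-driven updates do. Because this logic keys on the command line, it complements rather than replaces the 4702-based rule, which still fires when the update is made through an API call that never shows a recognisable command line.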
