Detection: Suspicious Scheduled Task from Public Directory

Updated Date: 2024-09-30 ID: 7feb7972-7ac3-11eb-bac8-acde48001122 Author: Michael Haag, Splunk Type: Anomaly Product: Splunk Enterprise Security

Description

The following analytic identifies the creation of scheduled tasks that execute binaries or scripts from public directories, such as users\public, \programdata, or \windows\temp, using schtasks.exe with the /create command. It leverages Sysmon Event ID 1 data to detect this behavior. This activity is significant because it often indicates an attempt to maintain persistence or execute malicious scripts, which are common tactics in malware deployment. If confirmed as malicious, this could lead to data compromise, unauthorized access, and potential lateral movement within the network.

Search

1
2| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe (Processes.process=*\\users\\public\\* OR Processes.process=*\\programdata\\* OR Processes.process=*windows\\temp*)  Processes.process=*/create* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id 
3| `drop_dm_object_name(Processes)` 
4| `security_content_ctime(firstTime)`
5| `security_content_ctime(lastTime)`
6| `suspicious_scheduled_task_from_public_directory_filter`

Data Source

Name	Platform	Sourcetype	Source
CrowdStrike ProcessRollup2	N/A	`'crowdstrike:events:sensor'`	`'crowdstrike'`
Sysmon EventID 1	Windows	`'xmlwineventlog'`	`'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'`
Windows Event Log Security 4688	Windows	`'xmlwineventlog'`	`'XmlWinEventLog:Security'`

Macros Used

Name	Value
security_content_ctime	`convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$)`
suspicious_scheduled_task_from_public_directory_filter	`search *`

suspicious_scheduled_task_from_public_directory_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK

+ Kill Chain Phases

+ NIST

+ CIS

- Threat Actors

ID	Technique	Tactic
T1053.005	Scheduled Task	Execution
T1053	Scheduled Task/Job	Persistence

KillChainPhase.EXPLOITAITON

KillChainPhase.INSTALLATION

NistCategory.DE_AE

Cis18Value.CIS_10

APT-C-36

APT29

APT3

APT32

APT33

APT37

APT38

APT39

APT41

BITTER

BRONZE BUTLER

Blue Mockingbird

Chimera

Cobalt Group

Confucius

Daggerfly

Dragonfly

Ember Bear

FIN10

FIN13

FIN6

FIN7

FIN8

Fox Kitten

GALLIUM

Gamaredon Group

HEXANE

Higaisa

Kimsuky

Lazarus Group

LuminousMoth

Machete

Magic Hound

Molerats

Moonstone Sleet

MuddyWater

Mustang Panda

Naikon

OilRig

Patchwork

Rancor

RedCurl

Sandworm Team

Silence

Stealth Falcon

TA2541

ToddyCat

Winter Vivern

Wizard Spider

menuPass

Earth Lusca

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting	Value
Disabled	true
Cron Schedule	`0 * * * *`
Earliest Time	`-70m@m`
Latest Time	`-10m@m`
Schedule Window	`auto`
Creates Risk Event	True

This configuration file applies to all detections of type anomaly. These detections will use Risk Based Alerting.

Implementation

The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the Processes node of the Endpoint data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.

Known False Positives

The main source of false positives could be the legitimate use of scheduled tasks from these directories. Careful tuning of this search may be necessary to suit the specifics of your environment, reducing the rate of false positives.

Associated Analytic Story

Risk Based Analytics (RBA)

Risk Message	Risk Score	Impact	Confidence
Suspicious scheduled task registered on $dest$ from Public Directory	35	70	50

The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

References

https://attack.mitre.org/techniques/T1053/005/

Detection Testing

Test Type	Status	Dataset	Source	Sourcetype
Validation	✅ Passing	N/A	N/A	N/A
Unit	✅ Passing	Dataset	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`	`XmlWinEventLog`
Integration	✅ Passing	Dataset	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`	`XmlWinEventLog`

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 3