WinEvent Scheduled Task Created to Spawn Shell
Description
The following query utilizes Windows Security EventCode 4698, indicating 'a scheduled task was created', to identify potentially suspicious tasks. These tasks may be registered on Windows through either schtasks.exe or TaskService, and are set up to execute a command with a native Windows shell such as PowerShell, Cmd, Wscript, or Cscript.
The search will return the initial and final times the task was registered, along with details like the 'Command' set to be executed, 'Task Name', 'Author', whether it's 'Enabled', and if it is 'Hidden'.
Schtasks.exe is typically found in C:\Windows\system32 and C:\Windows\syswow64. The DLL 'taskschd.dll' is loaded when either schtasks.exe or TaskService is launched. If this DLL is found loaded by another process, it's possible that a scheduled task is being registered within the context of that process in memory.
During triage, it's essential to identify the source of the scheduled task. Was it registered via schtasks.exe or TaskService? Review the job that was created and the command set to be executed. It's also recommended to capture and review any artifacts on disk, and identify any parallel processes within the same timeframe to locate the source.
- Type: TTP
-
Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Last Updated: 2023-04-05
- Author: Michael Haag, Splunk
- ID: 203ef0ea-9bd8-11eb-8201-acde48001122
Annotations
ATT&CK
Kill Chain Phase
- Installation
- Exploitation
NIST
- DE.CM
CIS20
- CIS 10
CVE
Search
1
2
3
4
5
6
7
`wineventlog_security` EventCode=4698
| xmlkv Message
| search Command IN ("*powershell.exe*", "*wscript.exe*", "*cscript.exe*", "*cmd.exe*", "*sh.exe*", "*ksh.exe*", "*zsh.exe*", "*bash.exe*", "*scrcons.exe*", "*pwsh.exe*")
| stats count min(_time) as firstTime max(_time) as lastTime by dest, Task_Name, Command, Author, Enabled, Hidden
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `winevent_scheduled_task_created_to_spawn_shell_filter`
Macros
The SPL above uses the following Macros:
winevent_scheduled_task_created_to_spawn_shell_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Required fields
List of fields required to use this analytic.
- _time
- dest
- Task_Name
- Description
- Command
How To Implement
To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4698 EventCode enabled. The Windows TA is also required.
Known False Positives
False positives are possible if legitimate applications are allowed to register tasks that call a shell to be spawned. Filter as needed based on command-line or processes that are used legitimately.
Associated Analytic Story
- Ransomware
- Windows Persistence Techniques
- Winter Vivern
- Ryuk Ransomware
- CISA AA22-257A
- Scheduled Tasks
- Windows Error Reporting Service Elevation of Privilege Vulnerability
RBA
| Risk Score | Impact | Confidence | Message |
|---|---|---|---|
| 70.0 | 70 | 100 | A windows scheduled task was created (task name=$Task_Name$) on $dest$ by the following command: $Command$ |
Reference
- https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4698
- https://redcanary.com/threat-detection-report/techniques/scheduled-task-job/
- https://docs.microsoft.com/en-us/windows/win32/taskschd/time-trigger-example–scripting-?redirectedfrom=MSDN
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
source | version: 2