Try in Splunk Security Cloud

Description

This search looks for flags passed to schtasks.exe on the command-line that indicate a task was created via command like. This has been associated with the Dragonfly threat actor, and the SUNBURST attack against Solarwinds.

  • Type: TTP
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2020-12-17
  • Author: Bhavin Patel, Splunk
  • ID: d5af132c-7c17-439c-9d31-13d55340f36c

ATT&CK

ID Technique Tactic
T1053.005 Scheduled Task Execution, Persistence, Privilege Escalation

| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe (Processes.process=*delete* OR Processes.process=*create*) by Processes.user Processes.process_name Processes.parent_process_name Processes.dest 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `scheduled_task_deleted_or_created_via_cmd_filter` 

Associated Analytic Story

How To Implement

You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints to populate the Endpoint data model in the Processes node. The command-line arguments are mapped to the "process" field in the Endpoint data model.

Required field

  • _time
  • Processes.process
  • Processes.parent_process
  • Processes.process_name
  • Processes.user
  • Processes.parent_process_name
  • Processes.dest

Kill Chain Phase

  • Actions on Objectives

Known False Positives

Tasks should not be manually created via CLI, this is rarely done by admins as well

RBA

Risk Score Impact Confidence Message
56.0 70 80 A schedule task process $process_name$ with create or delete commandline $process$ in host $dest$

Reference

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 5