A scheduled task was updatededit
Indicates the update of a scheduled task using Windows event logs. Adversaries can use these to establish persistence, by changing the configuration of a legit scheduled task. Some changes such as disabling or enabling a scheduled task are common and may may generate noise.
Rule type: eql
Rule indices:
- winlogbeat-*
- logs-system.*
- logs-windows.*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Endpoint
- OS: Windows
- Use Case: Threat Detection
- Tactic: Persistence
Version: 8
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule queryedit
iam where event.action == "scheduled-task-updated" and
/* excluding tasks created by the computer account */
not user.name : "*$" and
not winlog.event_data.TaskName : "*Microsoft*" and
not winlog.event_data.TaskName :
("\\User_Feed_Synchronization-*",
"\\OneDrive Reporting Task-S-1-5-21*",
"\\OneDrive Reporting Task-S-1-12-1-*",
"\\Hewlett-Packard\\HP Web Products Detection",
"\\Hewlett-Packard\\HPDeviceCheck",
"\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant",
"\\IpamDnsProvisioning",
"\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantAllUsersRun",
"\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun",
"\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun",
"\\Microsoft\\Windows\\.NET Framework\\.NET Framework NGEN v*",
"\\Microsoft\\VisualStudio\\Updates\\BackgroundDownload") and
not winlog.event_data.SubjectUserSid : ("S-1-5-18", "S-1-5-19", "S-1-5-20")
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
-
Technique:
- Name: Scheduled Task/Job
- ID: T1053
- Reference URL: https://attack.mitre.org/techniques/T1053/
-
Sub-technique:
- Name: Scheduled Task
- ID: T1053.005
- Reference URL: https://attack.mitre.org/techniques/T1053/005/