Query suspicious programs processed by the Task Scheduler using the Event Log

AID2201251952.YAML

#####aid_begin
#description: identifies execution of a suspicious program via scheduled tasks by looking at process lineage and command line usage.
#id: aid2201251952
#processtype: query
#category: eventlog
#link: <na>
#tacticidlist: <na>
#techniqueidlist: <na>
#compatibleos: |-
#  windows 7
#  windows 8.*
#  windows 10
#  windows 11
#  windows server 2008 r2
#  windows server 2012
#  windows server 2012 r2
#  windows server 2016
#  windows server 2019
#compatibleengine: |-
#  powershell 2
#  powershell 3
#  powershell 4
#  powershell 5.*
#  powershell 7.*
#bgcommandlist: |-
#  format-bgevent
#   1) query the sysmon event log.
#   2) get the schedule task with unusual parent.
#   3) get the local scheduled task creation.
#   4) get the suspicious execution via scheduled task.
#   5) get the persistence via scheduled job file-creation
#   6) get the suspicious schedule task module load
#notes:  |- 
#  adversaries use scheduled tasks to accomplish two primary objectives: maintaining access and executing processes in a specific user context, typically one with elevated privileges. adversaries may abuse the windows task scheduler to perform task scheduling for initial or recurring execution of malicious code. 
#   o event source: sysmon
#   o schema used: "sysmon.schema"
#   o event dataset: "microsoft-windows-sysmon/operational"
#   o event IDs: 1 (process creation), 7 (image load), 11 (file creation)
#####aid_end
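commands:
# Step 1: pull Sysmon event IDs 1, 7 and 11 into the working set used by every later step.
# -MaxEvents 5000 caps the pull, so on a busy host this may cover only a short window of
# history; raise it (or narrow -ID) when the task creation being hunted is older.
- Format-BGEvent -Event "Microsoft-Windows-Sysmon/operational" -PropsOnly -MaxEvents 5000 -ID '1,11,7' -Schema "$('{0}\Blubin\Modules\BluGenie\Configs\Schema\Sysmon_1.Schema' -f $ScriptDirectory)" -EQLQuery "generic where true"
# Step 2: schtasks.exe launched from a script host, LOLBin, remote-management host or shell
# rather than an interactive session. NOTE(review): the '==' comparisons here carry '*'
# wildcards; this relies on the BluGenie "generic" EQL treating them as patterns - confirm
# against the engine, otherwise use wildcard() as the other clauses do.
- Format-BGEvent -UseInputFile "Last:" -EQLQuery "generic where EventId in (1) and ((process_name == '*\\schtasks.exe' or process_pe_original_file_name == 'schtasks.exe') and wildcard(process_parent_name, '*\\cmd.exe', '*\\wscript.exe', '*\\rundll32.exe', '*\\regsvr32.exe', '*\\wmic.exe', '*\\mshta.exe', '*\\powershell.exe', '*\\pwsh.exe', '*\\powershell_ise.exe', '*\\WmiPrvSe.exe', '*\\wsmprovhost.exe', '*\\winrshost.exe'))"
# Step 3: local task creation via the schtasks.exe command line (/create or -create plus at
# least one of the common registration switches).
- Format-BGEvent -UseInputFile "Last:" -EQLQuery "generic where EventId in (1) and ((process_name == '*\\schtasks.exe' or process_pe_original_file_name == 'schtasks.exe') and wildcard(process_command_line, '* /create *', '* -create *') and wildcard(process_command_line, '* /RU *', '* /SC *', '* /TN *', '* /TR *', '* /F *', '* /XML *'))"
# Step 4: children of the Task Scheduler service host (svchost.exe whose command line
# contains " Schedule ") that are script hosts / LOLBins and whose command line points at a
# user-writable or unusual directory. The Windows\Temp pattern previously closed with a
# double quote, which ended the PowerShell string early and broke the query.
- Format-BGEvent -UseInputFile "Last:" -EQLQuery "generic where EventId in (1) and ((process_parent_name == '*\\svchost.exe' and process_parent_command_line == '* Schedule *') and wildcard(process_pe_original_file_name, 'cscript.exe', 'wscript.exe', 'PowerShell.EXE', 'Cmd.Exe', 'MSHTA.EXE', 'RUNDLL32.EXE', 'REGSVR32.EXE', 'MSBuild.exe', 'InstallUtil.exe', 'RegAsm.exe', 'RegSvcs.exe', 'msxsl.exe', 'CONTROL.EXE', 'EXPLORER.EXE', 'Microsoft.Workflow.Compiler.exe', 'msiexec.exe') and wildcard(process_command_line, '*\\Users\\*', '*\\ProgramData\\*', '*\\Windows\\Temp\\*', '*\\Windows\\Tasks\\*', '*\\PerfLogs\\*', '*\\Intel\\*', '*\\Windows\\Debug\\*', '*\\HP\\*'))"
# Step 5: persistence via task files written to the legacy .job folder or the task store.
# There is no process filter here, so routine task registration (updates, installers,
# the scheduler itself) will also appear; triage by task name and writing process.
- Format-BGEvent -UseInputFile "Last:" -EQLQuery "generic where EventId in (11) and wildcard(file_path, '*\\Windows\\Tasks\\*.job', '*\\Windows\\System32\\Tasks\\*')"
# Step 6: taskschd.dll (the Task Scheduler COM library) loaded by a script host or an
# Office application - scheduling from a macro or script rather than schtasks.exe.
# Uses the process_name field like every other step (was process.name).
- Format-BGEvent -UseInputFile "Last:" -EQLQuery "generic where EventId in (7) and (file_path == '*\\taskschd.dll' and wildcard(process_name, '*\\cscript.exe', '*\\wscript.exe', '*\\powershell.exe', '*\\pwsh.exe', '*\\powershell_ise.exe', '*\\eqnedt32.exe', '*\\excel.exe', '*\\fltldr.exe', '*\\msaccess.exe', '*\\mspub.exe', '*\\powerpnt.exe', '*\\winword.exe', '*\\outlook.exe'))"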
