[Rule Tuning] Unusual Scheduled Task Update #4714

Open: wants to merge 2 commits into base: main
81 changes: 18 additions & 63 deletions rules/windows/persistence_scheduled_task_updated.toml
@@ -2,89 +2,37 @@
creation_date = "2022/08/29"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2025/05/09"

[rule]
author = ["Elastic"]
description = """
Indicates the update of a scheduled task using Windows event logs. Adversaries can use these to establish persistence,
by changing the configuration of a legit scheduled task. Some changes such as disabling or enabling a scheduled task are
common and may may generate noise.
Identifies first-time modifications to scheduled tasks by user accounts, excluding system activity and machine accounts.
"""
false_positives = ["Legitimate scheduled tasks may be created during installation of new software."]
from = "now-9m"
index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
language = "eql"
language = "kuery"
license = "Elastic License v2"
name = "A scheduled task was updated"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating A scheduled task was updated

Scheduled tasks in Windows automate routine tasks, enhancing efficiency. However, adversaries exploit this by modifying tasks to maintain persistence, often altering legitimate tasks to evade detection. The detection rule identifies suspicious updates by filtering out benign changes, such as those by system accounts or known safe tasks, focusing on anomalies that suggest malicious intent.

### Possible investigation steps

- Review the event logs to identify the specific scheduled task that was updated, focusing on the winlog.event_data.TaskName field to determine if it matches any known malicious patterns.
- Investigate the user account associated with the update by examining the user.name field to ensure it is not a compromised account or an unauthorized user.
- Check the winlog.event_data.SubjectUserSid field to verify if the update was made by a system account or a potentially malicious user, as system accounts like S-1-5-18, S-1-5-19, and S-1-5-20 are typically benign.
- Analyze the history of changes to the scheduled task to identify any unusual or unauthorized modifications that could indicate persistence mechanisms.
- Correlate the scheduled task update with other security events or alerts to determine if it is part of a broader attack pattern or campaign.

### False positive analysis

- Scheduled tasks updated by system accounts can be false positives. Exclude updates made by system accounts by filtering out user names ending with a dollar sign.
- Legitimate Microsoft tasks often update automatically. Exclude tasks with names containing "Microsoft" to reduce noise from these updates.
- Commonly updated tasks like User Feed Synchronization and OneDrive Reporting are typically benign. Exclude these specific task names to avoid unnecessary alerts.
- Tasks updated by well-known service SIDs such as S-1-5-18, S-1-5-19, and S-1-5-20 are generally safe. Exclude these SIDs to prevent false positives from routine system operations.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further malicious activity and lateral movement.
- Review the specific scheduled task that was updated to determine if it was altered by an unauthorized user or process. Revert any unauthorized changes to their original state.
- Conduct a thorough scan of the affected system using updated antivirus and anti-malware tools to identify and remove any malicious software that may have been introduced.
- Analyze the user account that made the changes to the scheduled task. If the account is compromised, reset the password and review recent activities for further signs of compromise.
- Implement additional monitoring on the affected system and similar systems to detect any further unauthorized scheduled task updates or related suspicious activities.
- Escalate the incident to the security operations team for further investigation and to determine if the threat is part of a larger attack campaign.
- Review and update access controls and permissions related to scheduled tasks to ensure only authorized personnel can make changes, reducing the risk of future unauthorized modifications."""
name = "Unusual Scheduled Task Update"
references = ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698"]
risk_score = 47
risk_score = 21
rule_id = "a02cb68e-7c93-48d1-93b2-2c39023308eb"
severity = "medium"
severity = "low"
tags = [
"Domain: Endpoint",
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Persistence",
"Data Source: Windows Security Event Logs",
"Resources: Investigation Guide",
"Data Source: Windows Security Event Logs"
]
timestamp_override = "event.ingested"
type = "eql"
type = "new_terms"

query = '''
iam where event.action == "scheduled-task-updated" and

/* excluding tasks created by the computer account */
not user.name : "*$" and
not winlog.event_data.TaskName : "*Microsoft*" and
not winlog.event_data.TaskName :
("\\User_Feed_Synchronization-*",
"\\OneDrive Reporting Task-S-1-5-21*",
"\\OneDrive Reporting Task-S-1-12-1-*",
"\\Hewlett-Packard\\HP Web Products Detection",
"\\Hewlett-Packard\\HPDeviceCheck",
"\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant",
"\\IpamDnsProvisioning",
"\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantAllUsersRun",
"\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun",
"\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun",
"\\Microsoft\\Windows\\.NET Framework\\.NET Framework NGEN v*",
"\\Microsoft\\VisualStudio\\Updates\\BackgroundDownload") and
not winlog.event_data.SubjectUserSid : ("S-1-5-18", "S-1-5-19", "S-1-5-20")
event.category: "iam" and event.code: "4702" and
not winlog.event_data.SubjectUserSid: ("S-1-5-18" or "S-1-5-19" or "S-1-5-20") and
not user.name : *$
'''


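Review bot: the investigation guide in `note` no longer matches the query beside it. Its "False positive analysis" still instructs analysts to exclude task names containing "Microsoft" and the User Feed Synchronization and OneDrive Reporting tasks, and the "Investigating" paragraph says the rule filters out "known safe tasks", but the new KQL drops every TaskName exclusion and keeps only the SID and `*$` filters. Please rewrite those sections to describe what the rule now does: a new_terms alert on the first event.code 4702 seen for a given host.id and winlog.event_data.TaskName pair within the history window, restricted to accounts that are not S-1-5-18/19/20 and whose names do not end in `$`. Two smaller points in the same hunk: `references` still points only to the event-4698 (task created) page while the query now pins `event.code: "4702"`, so the event-4702 auditing page should be added alongside it; and `false_positives` still speaks of tasks being "created" during software installation, which for this rule should read "updated".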
@@ -106,3 +54,10 @@ id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "winlog.event_data.TaskName"]

[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-14d"
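Review bot: `new_terms_fields` keys novelty on `host.id` and `winlog.event_data.TaskName` only, yet the new description says the rule identifies first-time modifications "by user accounts". With this field set, once any account has updated a given task on a host within the 14-day window, a later first-time modification of that same task by a different, non-system user produces no alert. If the per-user dimension is intended, consider adding `user.name` (or `winlog.event_data.SubjectUserSid`) to `value` and accepting the extra volume; if not, tighten the description so it does not promise per-user detection. Also note that with `history_window_start = "now-14d"`, tasks that legitimately update on a longer cadence (monthly maintenance tasks, for example) will resurface as new terms each cycle; a longer window trades a little more suppression for fewer repeats and is worth stating in the tuning notes either way.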