
# Elastic Endpoint behavior rule. Matches process-start events whose parent is the
# Schedule service host (svchost.exe -k ... Schedule) and whose child looks like
# LOLBin / script-interpreter abuse or a freshly dropped unsigned binary, then
# terminates the child (see [[actions]] below). Layout below restores one clause
# per line; the query text itself is unchanged.
[rule]
description = """
Identifies suspicious child processes of the Windows Schedule service. This behavior is consistent with an adversary
executing malicious code or commands via an existing scheduled task.
"""
id = "eb04896b-935f-4d12-b2ad-579db82e1f42"
license = "Elastic License v2"
name = "Suspicious Windows Schedule Child Process"
os_list = ["windows"]
version = "1.0.32"

# NOTE(review): this rule carries a kill_process action, so every clause here decides what gets
# terminated and every exclusion is a way to opt out of being terminated. Points to confirm
# before the next version bump (none of these are changed here):
#  - "PowerShellx.EXE" in the "encoded long command_line" branch cannot equal any real PE
#    original file name, so that branch never fires as written. If it was neutered on purpose
#    for noise, record that here; otherwise it should read "PowerShell.EXE".
#  - "bypass" in the PowerShell suspicious-args list has no wildcards. The `:` operator compares
#    the whole command line against the pattern, so this only matches a command line that is
#    exactly "bypass"; "*bypass*" is presumably what was intended.
#  - The two signer-based exclusions (`process.code_signature.subject_name in (...)`, bare and
#    paired with original_file_name) are not gated on `process.code_signature.trusted == true`,
#    unlike the `?:\Users\*\AppData\*` exclusion that precedes them. If subject_name is populated
#    from the certificate regardless of chain validation (verify against the endpoint's
#    code_signature semantics), a self-signed binary claiming e.g. "NCH Software, Inc." is
#    excluded from the kill. Adding the trusted check to both would close that.
#  - Several exclusions key on attacker-choosable tokens rather than a specific binary:
#    cmd.exe with any argument equal to "rmdir", and SYSTEM PowerShell carrying both
#    "-UseBasicParsing" and "-UserAgent". A task running as SYSTEM can add those switches to
#    an arbitrary download cradle to opt out. Scope each to the path/script it was added for.
#  - The Cmd.Exe branch requires `not user.id == "S-1-5-18"`, so a SYSTEM task launching
#    cmd.exe against a script in Windows\Temp or Windows\Tasks never matches it (cmd.exe is
#    signed, so the unsigned-binary branch does not catch it either). Presumably noise-driven;
#    worth stating the rationale.
#  - The ATT&CK tags below include Visual Basic (T1059.005), CMSTP (T1218.003),
#    Regsvcs/Regasm (T1218.009) and XSL Script Processing (T1220), but the query has no
#    wscript/cscript, cmstp, regsvcs/regasm or wmic branch. Either the tags are aspirational
#    or those branches were dropped in an earlier revision.
query = '''
process where event.action == "start" and process.parent.name == "svchost.exe" and process.parent.args == "Schedule" and
 process.hash.sha256 != null and
 (
  /* non noisy child processes */
  process.pe.original_file_name : ("MSHTA.EXE", "MSBuild.exe", "InstallUtil.exe") or

  /* suspicious path */
  (process.executable : ("?:\\Users\\Public\\*", "?:\\Windows\\Tasks\\*", "?:\\Windows\\system32\\tasks\\*") and
   process.hash.sha256 != null and
   (process.Ext.relative_file_creation_time <= 500 or process.Ext.relative_file_name_modify_time <= 500)) or

  /* potentially noisy child processes */

  /* Powershell with encoded long command_line */
  (process.pe.original_file_name == "PowerShellx.EXE" and length(process.command_line) >= 200 and
   process.command_line : ("* -enc*", "* -e *")) or

  /* Powershell with common suspicious args */
  (process.pe.original_file_name == "PowerShell.EXE" and
   process.command_line : ("bypass", "*HKCU*", "* IEX*", "*^*^*^*^*^*^*^*", "*.replace*", "*Reflection.Assembly*", "*set *set *set *", "*Frombase64String*", "*::Load*")) or

  /* Windows Command Shell */
  (process.pe.original_file_name == "Cmd.Exe" and not user.id == "S-1-5-18" and
   process.args : ("?:\\Users\\Public\\*", "?:\\Users\\*\\AppData\\*", "?:\\Windows\\Temp\\*", "?:\\Windows\\Tasks\\*", "?:\\Windows\\system32\\tasks\\*") and
   not (process.args : "?:\\Users\\*\\AppData\\Local\\IBM\\Notes\\Data\\Cache.NDK" and process.args : "del")) or

  /* Rundll32 running DLL from a user writable folder or with DLL export by ordinal */
  (process.pe.original_file_name == "RUNDLL32.EXE" and
   process.args : ("?:\\Users\\*", "?:\\ProgramData\\*", "?:\\Windows\\Temp\\*", "*,#*")) or

  /* unsiged and from users writable folders */
  (process.code_signature.exists == false and
   (process.Ext.relative_file_creation_time <= 500 or process.Ext.relative_file_name_modify_time <= 500) and
   process.executable : ("?:\\Users\\*", "?:\\ProgramData\\*", "?:\\Windows\\Temp\\*", "?:\\Windows\\Tasks\\*", "?:\\Windows\\system32\\tasks\\*"))
 ) and

 /* noisy patterns */
 not (process.name : "powershell.exe" and process.args : "https://*.accellis.com*" and process.args : "-Locationid") and
 not (process.name : "powershell.exe" and user.id == "S-1-5-18" and
      process.args: ("*Get-AuthenticodeSignature*", "LTService", "LTSvcMon", "?:\\Adminbatch\\scripts\\winrm-https-listener-setup.ps1")) and
 not (process.name : "powershell.exe" and process.args == "-UseBasicParsing" and process.args == "-UserAgent" and user.id == "S-1-5-18") and
 not (process.pe.original_file_name in ("SigniantApp.exe", "G2M.exe", "DragonCenter_Updater.exe", "msedgeupdate.dll", "msrdcw.exe") and
      process.code_signature.subject_name in ("Signiant Corporation", "LogMeIn, Inc.", "Micro-Star International CO., LTD.", "Microsoft Corporation")) and
 not (process.pe.original_file_name == "OneDriveStandaloneUpdater.exe" and
      process.executable : "?:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe") and

 /* many signed legit third party programs executed as scheduled task */
 not (process.code_signature.trusted == true and process.executable : "?:\\Users\\*\\AppData\\*") and
 not process.code_signature.subject_name in ("win.acme.simple@gmail.com", "NCH Software, Inc.", "RealNetworks, Inc.", "WATERFOX LIMITED", "YY Inc.", "web discover", "WACS", "Western Digital Technologies, Inc.") and
 not process.hash.sha256 : ("18fb4e476f670b532d5227fc8ff9d7d55c151102875d64e80f2dc0cbd569861c",
                            "3a87ed304e359392da91bc39cb17af379dcd906c045ffcc4d715086d766acfbc",
                            "c0593b4b65bb264a982d61a7b84f38b10a41972b49a217ef3a80a906a0c4ee08",
                            "41512ecc47bb39b9f39c808f89ab23df4a4e88e414215553b825e140a4509946",
                            "cee7f094fc78679b673f07702cfd403b540e537de8d5b9c6c98e2b24610f9805",
                            "15eaff644e9a34e49997d57c4c21ce18dab4714321a62eae4252bd8eca1f3f9d",
                            "fe0ecd844393d78026fd41a5b5bb9ab577a483ec1c290566a3fbdbf52fb24fc5",
                            "053c6a0f59672b06e9ebccff18f2517780ff4c77ada25ac3eee1f2c4a24e8aea",
                            "1a6b98956fb92a8a57b56feeef6fedc26b95c809526374f6e7c22acd8e3925c3",
                            "554fa8a3bf2e233f64d9e000bf30f197159406fbfa9920adca0901a265e45379",
                            "fb0ecac0bd7b8f3d81dffb359fb1449fc3cb74a15a1f53a568c1c5ee5a8966a9",
                            "cf635f97d0a3bea30f348277777f36db6b14aea0e7711471e5fb2e13167b80cd",
                            "22e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f") and
 not process.executable : ("?:\\Users\\*\\AppData\\Local\\GoToMeeting\\*\\g2mupload.exe",
                           "?:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe",
                           "?:\\Users\\*\\AppData\\Local\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe",
                           "?:\\Users\\*\\AppData\\Local\\Google\\Update\\GoogleUpdate.exe") and
 not (process.name : "powershell.exe" and process.args : ("Invoke-WebRequest http://sms.revize.com/*", "Import-Module PSScheduledJob; $jobDef*")) and
 not (process.name : ("rundll32.exe", "regsvr32.exe") and
      process.args : ("?:\\Program Files\\*",
                      "?:\\Program Files (x86)\\*",
                      "?:\\windows\\system32\\mmcndmgr.dll",
                      "dfshim.dll,ShOpenVerbShortcut",
                      "Files\\McAfee\\Agent\\\\ma_aac_service.dll,",
                      "?:\\ProgramData\\Lenovo\\Vantage\\Addins\\ThinkSpectrumAddin\\*\\Spectrum_Core.dll,RunDLL",
                      "?:\\Windows\\System32\\dfshim.dll,ShOpenVerbApplication")) and
 not (process.name : "cmd.exe" and process.args : ("C:\\Users\\Public\\SageBackup-Phoenix.bat", "C:\\Users\\Public\\InvisibleTimerbatch.bat", "rmdir")) and
 not (process.name : "mshta.exe" and process.args : "\"& '\\\\*\\Support\\AzureVirtualDesktop\\ImageSources\\DisableTeamsAutoStart.ps1'\"\", 0 : window.close)")
'''

min_endpoint_version = "8.4.0"
optional_actions = []

# Response action: the matching child process is terminated. Because this is not alert-only,
# any new match branch or any loosened exclusion above should be replayed against production
# telemetry before shipping.
[[actions]]
action = "kill_process"
field = "process.entity_id"
state = 0

# ATT&CK mapping. See the review note above the query: some of the sub-techniques listed here
# are not exercised by any branch of the query as it stands.
[[threat]]
framework = "MITRE ATT&CK"

[[threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"

[[threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"

[[threat.technique.subtechnique]]
id = "T1059.003"
name = "Windows Command Shell"
reference = "https://attack.mitre.org/techniques/T1059/003/"

[[threat.technique.subtechnique]]
id = "T1059.005"
name = "Visual Basic"
reference = "https://attack.mitre.org/techniques/T1059/005/"

[threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

[[threat]]
framework = "MITRE ATT&CK"

[[threat.technique]]
id = "T1053"
name = "Scheduled Task/Job"
reference = "https://attack.mitre.org/techniques/T1053/"

[[threat.technique.subtechnique]]
id = "T1053.005"
name = "Scheduled Task"
reference = "https://attack.mitre.org/techniques/T1053/005/"

[threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

[[threat]]
framework = "MITRE ATT&CK"

[[threat.technique]]
id = "T1216"
name = "System Script Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1216/"

[[threat.technique]]
id = "T1218"
name = "System Binary Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1218/"

[[threat.technique.subtechnique]]
id = "T1218.003"
name = "CMSTP"
reference = "https://attack.mitre.org/techniques/T1218/003/"

[[threat.technique.subtechnique]]
id = "T1218.004"
name = "InstallUtil"
reference = "https://attack.mitre.org/techniques/T1218/004/"

[[threat.technique.subtechnique]]
id = "T1218.005"
name = "Mshta"
reference = "https://attack.mitre.org/techniques/T1218/005/"

[[threat.technique.subtechnique]]
id = "T1218.009"
name = "Regsvcs/Regasm"
reference = "https://attack.mitre.org/techniques/T1218/009/"

[[threat.technique.subtechnique]]
id = "T1218.010"
name = "Regsvr32"
reference = "https://attack.mitre.org/techniques/T1218/010/"

[[threat.technique.subtechnique]]
id = "T1218.011"
name = "Rundll32"
reference = "https://attack.mitre.org/techniques/T1218/011/"

[[threat.technique]]
id = "T1220"
name = "XSL Script Processing"
reference = "https://attack.mitre.org/techniques/T1220/"

[threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

[internal]
min_endpoint_version = "8.4.0"