An adversary can move laterally using the schtasks command to remotely schedule tasks. Although these events can be detected with command line analytics CAR-2013-08-001, it is possible for an adversary to use the API directly, via the Task Scheduler GUI or with a scripting language such as PowerShell. In this cases, an additional source of data becomes necessary to detect adversarial behavior. When scheduled tasks are created remotely, Windows uses RPC (135/tcp) to communicate with the Task Scheduler on the remote machine. Once an RPC connection is established (CAR-2014-05-001), the client communicates with the Scheduled Tasks endpoint, which runs within the service group netsvcs. With packet capture and the right packet decoders or byte-stream based signatures, remote invocations of these functions can be identified.

ATT&CK Detection

Technique Tactic Level of Coverage
Scheduled Task Execution Moderate

Pseudocode

Look for RPC traffic after being mapped, which implies a destination port of at least 49152. If network inspection is available via packet captures or a NIDS, then traffic through the ITaskSchedulerService interface can be detected. Microsoft has a list of the possible methods that are implemented for the ITaskSchedulerService interface, which may be useful in differentiating read and query operations from creations and modifications.

flows = search Flow:Message
schtasks_rpc = filter flows where (
 src_port >= 49152 and dest_port >= 49152 and
 proto_info.rpc_interface == "ITaskSchedulerService"
)

output schtasks_rpc

Additional Notes:

Certain strings can be identifiers of the schtasks, by looking up the interface UUID of ITaskSchedulerService in different formats

  • UUID 86d35949-83c9-4044-b424-db363231fd0c (decoded)
  • Hex 49 59 d3 86 c9 83 44 40 b4 24 db 36 32 31 fd 0c (raw)
  • ASCII IYD@$621 (printable bytes only)

This identifier is present three times during the RPC request phase. Any sensor that has access to the byte code as raw, decoded, or ASCII could implement this analytic.

Data Model References

Object Action Field
flow message dest_port
flow message src_port
flow message proto_info