CAR-2020-09-001: Scheduled Task - FileAccess
In order to gain persistence, privilege escalation, or remote execution, an adversary may use the Windows Task Scheduler to schedule a command to be run at a specified time, date, and even host. Task Scheduler stores tasks as files in two locations - C:\Windows\Tasks (legacy) or C:\Windows\System32\Tasks. Accordingly, this analytic looks for the creation of task files in these two locations.
ATT&CK Detections
| Technique | Subtechnique(s) | Tactic(s) | Level of Coverage |
|---|---|---|---|
| Scheduled Task/Job | Scheduled Task | Execution, Persistence, Privilege Escalation | Low |
D3FEND Techniques
| ID | Name |
|---|---|
| D3-FCA | File Creation Analysis |
Data Model References
| Object | Action | Field |
|---|---|---|
| file | create | file_path |
| file | create | image_path |
Implementations
Pseudocode - Windows task file creation (Pseudocode, CAR native)
This is a pseudocode representation of the below splunk search.
files = search File:Create
task_files = filter files where (
(file_path = "C:\Windows\System32\Tasks\*" or file_path = "C:\Windows\Tasks\*") and
image_path != "C:\WINDOWS\system32\svchost.exe")
output task_files
Splunk search - Windows task file creation (Splunk, Sysmon native)
This Splunk search looks for any files created under the Windows tasks directories.
index=__your_sysmon_index__ EventCode=11 Image!="C:\\WINDOWS\\system32\\svchost.exe" (TargetFilename="C:\\Windows\\System32\\Tasks\\
*" OR TargetFilename="C:\\Windows\\Tasks\\*")
LogPoint search - Windows task file creation (Logpoint, LogPoint native)
This LogPoint search looks for any files created under the Windows tasks directories.
norm_id=WindowsSysmon event_id=11 -source_image="C:\WINDOWS\system32\svchost.exe" (path="C:\Windows\System32\Tasks*" OR path="C:\Windows\Tasks*")