From 752b060d7e43a6804257d4466300a01917176a1a Mon Sep 17 00:00:00 2001 From: Michael Haag <5632822+MHaggis@users.noreply.github.com> Date: Mon, 12 Jun 2023 15:11:25 -0600 Subject: [PATCH 1/6] Haags are Forever --- ...add_files_in_known_crontab_directories.yml | 1 + ...ux_adding_crontab_using_list_parameter.yml | 1 + .../linux_at_allow_config_file_creation.yml | 1 + .../linux_at_application_execution.yml | 1 + .../linux_edit_cron_table_parameter.yml | 1 + ...append_command_to_at_allow_config_file.yml | 1 + ...cronjob_entry_on_existing_cronjob_file.yml | 1 + ...sible_cronjob_modification_with_editor.yml | 1 + ...vice_file_created_in_systemd_directory.yml | 1 + .../endpoint/linux_service_restarted.yml | 1 + .../linux_service_started_or_enabled.yml | 1 + ...ible_lateral_movement_powershell_spawn.yml | 1 + ...randomly_generated_scheduled_task_name.yml | 1 + ...edule_task_with_http_command_arguments.yml | 1 + ...ule_task_with_rundll32_command_trigger.yml | 1 + ...k_creation_on_remote_endpoint_using_at.yml | 1 + ...eduled_task_deleted_or_created_via_cmd.yml | 1 + ...led_task_initiation_on_remote_endpoint.yml | 1 + .../endpoint/schtasks_run_task_on_demand.yml | 1 + ...htasks_scheduling_job_on_remote_system.yml | 1 + .../schtasks_used_for_forcing_a_reboot.yml | 1 + .../endpoint/short_lived_scheduled_task.yml | 1 + ...s_scheduled_task_from_public_directory.yml | 1 + ...svchost_lolbas_execution_process_spawn.yml | 1 + ...enable_win32_scheduledjob_via_registry.yml | 1 + .../windows_hidden_schedule_task_settings.yml | 1 + .../windows_powershell_scheduletask.yml | 58 +++++++++++++++++++ .../windows_registry_delete_task_sd.yml | 1 + ...windows_scheduled_task_created_via_xml.yml | 1 + ...scheduled_task_with_highest_privileges.yml | 1 + .../windows_schtasks_create_run_as_system.yml | 1 + ..._scheduled_task_created_to_spawn_shell.yml | 1 + ...eduled_task_created_within_public_path.yml | 1 + ...ws_task_scheduler_event_action_started.yml | 1 + stories/scheduled_tasks.yml | 33 +++++++++++ 35 files changed, 124 insertions(+) create mode 100644 detections/endpoint/windows_powershell_scheduletask.yml create mode 100644 stories/scheduled_tasks.yml diff --git a/detections/endpoint/linux_add_files_in_known_crontab_directories.yml b/detections/endpoint/linux_add_files_in_known_crontab_directories.yml index 8a55361ee5..fb84be2bc3 100644 --- a/detections/endpoint/linux_add_files_in_known_crontab_directories.yml +++ b/detections/endpoint/linux_add_files_in_known_crontab_directories.yml @@ -33,6 +33,7 @@ tags: - Linux Privilege Escalation - Linux Persistence Techniques - Linux Living Off The Land + - Scheduled Tasks asset_type: Endpoint confidence: 50 impact: 50 diff --git a/detections/endpoint/linux_adding_crontab_using_list_parameter.yml b/detections/endpoint/linux_adding_crontab_using_list_parameter.yml index 46d9e3e62f..bc29dd9ebe 100644 --- a/detections/endpoint/linux_adding_crontab_using_list_parameter.yml +++ b/detections/endpoint/linux_adding_crontab_using_list_parameter.yml @@ -34,6 +34,7 @@ tags: - Linux Living Off The Land - Data Destruction - Linux Persistence Techniques + - Scheduled Tasks asset_type: Endpoint confidence: 50 impact: 50 diff --git a/detections/endpoint/linux_at_allow_config_file_creation.yml b/detections/endpoint/linux_at_allow_config_file_creation.yml index e42f274ea0..3cbcc8ed91 100644 --- a/detections/endpoint/linux_at_allow_config_file_creation.yml +++ b/detections/endpoint/linux_at_allow_config_file_creation.yml @@ -33,6 +33,7 @@ tags: - Linux Privilege Escalation - Linux Persistence Techniques - Linux Living Off The Land + - Scheduled Tasks asset_type: Endpoint confidence: 50 impact: 50 diff --git a/detections/endpoint/linux_at_application_execution.yml b/detections/endpoint/linux_at_application_execution.yml index 15ba992369..56429c397a 100644 --- a/detections/endpoint/linux_at_application_execution.yml +++ b/detections/endpoint/linux_at_application_execution.yml @@ -33,6 +33,7 @@ tags: - Linux Privilege Escalation - Linux Persistence Techniques - Linux Living Off The Land + - Scheduled Tasks asset_type: Endpoint confidence: 30 impact: 30 diff --git a/detections/endpoint/linux_edit_cron_table_parameter.yml b/detections/endpoint/linux_edit_cron_table_parameter.yml index d89ccf0a3b..e2df59751d 100644 --- a/detections/endpoint/linux_edit_cron_table_parameter.yml +++ b/detections/endpoint/linux_edit_cron_table_parameter.yml @@ -31,6 +31,7 @@ tags: - Linux Privilege Escalation - Linux Persistence Techniques - Linux Living Off The Land + - Scheduled Tasks asset_type: Endpoint confidence: 30 impact: 30 diff --git a/detections/endpoint/linux_possible_append_command_to_at_allow_config_file.yml b/detections/endpoint/linux_possible_append_command_to_at_allow_config_file.yml index a29011ce4e..904427582a 100644 --- a/detections/endpoint/linux_possible_append_command_to_at_allow_config_file.yml +++ b/detections/endpoint/linux_possible_append_command_to_at_allow_config_file.yml @@ -34,6 +34,7 @@ tags: analytic_story: - Linux Privilege Escalation - Linux Persistence Techniques + - Scheduled Tasks asset_type: Endpoint confidence: 30 impact: 30 diff --git a/detections/endpoint/linux_possible_append_cronjob_entry_on_existing_cronjob_file.yml b/detections/endpoint/linux_possible_append_cronjob_entry_on_existing_cronjob_file.yml index 66944b0984..16e2eb89c7 100644 --- a/detections/endpoint/linux_possible_append_cronjob_entry_on_existing_cronjob_file.yml +++ b/detections/endpoint/linux_possible_append_cronjob_entry_on_existing_cronjob_file.yml @@ -32,6 +32,7 @@ tags: - Linux Privilege Escalation - Linux Persistence Techniques - Linux Living Off The Land + - Scheduled Tasks asset_type: Endpoint confidence: 70 impact: 70 diff --git a/detections/endpoint/linux_possible_cronjob_modification_with_editor.yml b/detections/endpoint/linux_possible_cronjob_modification_with_editor.yml index 4d7e87f7c5..20e891f9ed 100644 --- a/detections/endpoint/linux_possible_cronjob_modification_with_editor.yml +++ b/detections/endpoint/linux_possible_cronjob_modification_with_editor.yml @@ -31,6 +31,7 @@ tags: - Linux Privilege Escalation - Linux Persistence Techniques - Linux Living Off The Land + - Scheduled Tasks asset_type: Endpoint confidence: 30 impact: 20 diff --git a/detections/endpoint/linux_service_file_created_in_systemd_directory.yml b/detections/endpoint/linux_service_file_created_in_systemd_directory.yml index 9173bf99cb..42255fac6f 100644 --- a/detections/endpoint/linux_service_file_created_in_systemd_directory.yml +++ b/detections/endpoint/linux_service_file_created_in_systemd_directory.yml @@ -38,6 +38,7 @@ tags: - Linux Privilege Escalation - Linux Persistence Techniques - Linux Living Off The Land + - Scheduled Tasks asset_type: Endpoint confidence: 80 impact: 80 diff --git a/detections/endpoint/linux_service_restarted.yml b/detections/endpoint/linux_service_restarted.yml index a1182439ee..408bc6d582 100644 --- a/detections/endpoint/linux_service_restarted.yml +++ b/detections/endpoint/linux_service_restarted.yml @@ -38,6 +38,7 @@ tags: - Linux Living Off The Land - Data Destruction - Linux Persistence Techniques + - Scheduled Tasks asset_type: Endpoint confidence: 50 impact: 50 diff --git a/detections/endpoint/linux_service_started_or_enabled.yml b/detections/endpoint/linux_service_started_or_enabled.yml index 9aea30ae41..3b0f211de4 100644 --- a/detections/endpoint/linux_service_started_or_enabled.yml +++ b/detections/endpoint/linux_service_started_or_enabled.yml @@ -36,6 +36,7 @@ tags: - Linux Privilege Escalation - Linux Persistence Techniques - Linux Living Off The Land + - Scheduled Tasks asset_type: Endpoint confidence: 70 impact: 60 diff --git a/detections/endpoint/possible_lateral_movement_powershell_spawn.yml b/detections/endpoint/possible_lateral_movement_powershell_spawn.yml index f04f4f1268..770a78ad26 100644 --- a/detections/endpoint/possible_lateral_movement_powershell_spawn.yml +++ b/detections/endpoint/possible_lateral_movement_powershell_spawn.yml @@ -42,6 +42,7 @@ tags: - Malicious PowerShell - Hermetic Wiper - Data Destruction + - Scheduled Tasks asset_type: Endpoint confidence: 50 impact: 90 diff --git a/detections/endpoint/randomly_generated_scheduled_task_name.yml b/detections/endpoint/randomly_generated_scheduled_task_name.yml index 6036dc7ebe..f638a67922 100644 --- a/detections/endpoint/randomly_generated_scheduled_task_name.yml +++ b/detections/endpoint/randomly_generated_scheduled_task_name.yml @@ -33,6 +33,7 @@ tags: analytic_story: - Active Directory Lateral Movement - CISA AA22-257A + - Scheduled Tasks asset_type: Endpoint confidence: 50 impact: 90 diff --git a/detections/endpoint/schedule_task_with_http_command_arguments.yml b/detections/endpoint/schedule_task_with_http_command_arguments.yml index 1849d66731..02adbbc9c0 100644 --- a/detections/endpoint/schedule_task_with_http_command_arguments.yml +++ b/detections/endpoint/schedule_task_with_http_command_arguments.yml @@ -36,6 +36,7 @@ tags: - Living Off The Land - Winter Vivern - Windows Persistence Techniques + - Scheduled Tasks asset_type: Endpoint confidence: 90 impact: 70 diff --git a/detections/endpoint/schedule_task_with_rundll32_command_trigger.yml b/detections/endpoint/schedule_task_with_rundll32_command_trigger.yml index 392b2446cf..5bb19280c7 100644 --- a/detections/endpoint/schedule_task_with_rundll32_command_trigger.yml +++ b/detections/endpoint/schedule_task_with_rundll32_command_trigger.yml @@ -38,6 +38,7 @@ tags: - Trickbot - IcedID - Living Off The Land + - Scheduled Tasks asset_type: Endpoint confidence: 100 impact: 70 diff --git a/detections/endpoint/scheduled_task_creation_on_remote_endpoint_using_at.yml b/detections/endpoint/scheduled_task_creation_on_remote_endpoint_using_at.yml index 37e21d1f20..16f36e36c8 100644 --- a/detections/endpoint/scheduled_task_creation_on_remote_endpoint_using_at.yml +++ b/detections/endpoint/scheduled_task_creation_on_remote_endpoint_using_at.yml @@ -32,6 +32,7 @@ tags: analytic_story: - Active Directory Lateral Movement - Living Off The Land + - Scheduled Tasks asset_type: Endpoint confidence: 60 impact: 90 diff --git a/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml b/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml index 52deb76332..de24543233 100644 --- a/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml +++ b/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml @@ -43,6 +43,7 @@ tags: - CISA AA22-257A - DHS Report TA18-074A - Azorult + - Scheduled Tasks asset_type: Endpoint confidence: 80 impact: 70 diff --git a/detections/endpoint/scheduled_task_initiation_on_remote_endpoint.yml b/detections/endpoint/scheduled_task_initiation_on_remote_endpoint.yml index d3b1fa7450..06cb1555fb 100644 --- a/detections/endpoint/scheduled_task_initiation_on_remote_endpoint.yml +++ b/detections/endpoint/scheduled_task_initiation_on_remote_endpoint.yml @@ -29,6 +29,7 @@ tags: analytic_story: - Active Directory Lateral Movement - Living Off The Land + - Scheduled Tasks asset_type: Endpoint confidence: 60 impact: 90 diff --git a/detections/endpoint/schtasks_run_task_on_demand.yml b/detections/endpoint/schtasks_run_task_on_demand.yml index e37c88482a..db64a5067f 100644 --- a/detections/endpoint/schtasks_run_task_on_demand.yml +++ b/detections/endpoint/schtasks_run_task_on_demand.yml @@ -32,6 +32,7 @@ tags: - XMRig - CISA AA22-257A - Data Destruction + - Scheduled Tasks asset_type: Endpoint confidence: 80 impact: 60 diff --git a/detections/endpoint/schtasks_scheduling_job_on_remote_system.yml b/detections/endpoint/schtasks_scheduling_job_on_remote_system.yml index 0b24614978..0b8d9e2cb6 100644 --- a/detections/endpoint/schtasks_scheduling_job_on_remote_system.yml +++ b/detections/endpoint/schtasks_scheduling_job_on_remote_system.yml @@ -32,6 +32,7 @@ tags: - NOBELIUM Group - Living Off The Land - Prestige Ransomware + - Scheduled Tasks asset_type: Endpoint confidence: 90 impact: 70 diff --git a/detections/endpoint/schtasks_used_for_forcing_a_reboot.yml b/detections/endpoint/schtasks_used_for_forcing_a_reboot.yml index b40f3a8328..eb41362f0f 100644 --- a/detections/endpoint/schtasks_used_for_forcing_a_reboot.yml +++ b/detections/endpoint/schtasks_used_for_forcing_a_reboot.yml @@ -27,6 +27,7 @@ tags: analytic_story: - Windows Persistence Techniques - Ransomware + - Scheduled Tasks asset_type: Endpoint confidence: 80 impact: 70 diff --git a/detections/endpoint/short_lived_scheduled_task.yml b/detections/endpoint/short_lived_scheduled_task.yml index 45b3cc68ae..d2fdba7e8d 100644 --- a/detections/endpoint/short_lived_scheduled_task.yml +++ b/detections/endpoint/short_lived_scheduled_task.yml @@ -29,6 +29,7 @@ tags: analytic_story: - Active Directory Lateral Movement - CISA AA22-257A + - Scheduled Tasks asset_type: Endpoint confidence: 90 impact: 90 diff --git a/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml b/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml index f67f65f5cd..1fd8d95f42 100644 --- a/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml +++ b/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml @@ -35,6 +35,7 @@ tags: - Living Off The Land - Azorult - DarkCrystal RAT + - Scheduled Tasks asset_type: Endpoint confidence: 50 impact: 70 diff --git a/detections/endpoint/svchost_lolbas_execution_process_spawn.yml b/detections/endpoint/svchost_lolbas_execution_process_spawn.yml index 5db07aa0e3..013b7d2a4f 100644 --- a/detections/endpoint/svchost_lolbas_execution_process_spawn.yml +++ b/detections/endpoint/svchost_lolbas_execution_process_spawn.yml @@ -42,6 +42,7 @@ tags: analytic_story: - Active Directory Lateral Movement - Living Off The Land + - Scheduled Tasks asset_type: Endpoint confidence: 60 impact: 90 diff --git a/detections/endpoint/windows_enable_win32_scheduledjob_via_registry.yml b/detections/endpoint/windows_enable_win32_scheduledjob_via_registry.yml index 592a00696f..8bee2ba085 100644 --- a/detections/endpoint/windows_enable_win32_scheduledjob_via_registry.yml +++ b/detections/endpoint/windows_enable_win32_scheduledjob_via_registry.yml @@ -22,6 +22,7 @@ references: tags: analytic_story: - Active Directory Lateral Movement + - Scheduled Tasks asset_type: Endpoint confidence: 50 impact: 50 diff --git a/detections/endpoint/windows_hidden_schedule_task_settings.yml b/detections/endpoint/windows_hidden_schedule_task_settings.yml index cda87bdaaa..8ec8fddb6f 100644 --- a/detections/endpoint/windows_hidden_schedule_task_settings.yml +++ b/detections/endpoint/windows_hidden_schedule_task_settings.yml @@ -29,6 +29,7 @@ tags: - Active Directory Discovery - Industroyer2 - Data Destruction + - Scheduled Tasks asset_type: Endpoint confidence: 80 impact: 80 diff --git a/detections/endpoint/windows_powershell_scheduletask.yml b/detections/endpoint/windows_powershell_scheduletask.yml new file mode 100644 index 0000000000..b3ff023b0b --- /dev/null +++ b/detections/endpoint/windows_powershell_scheduletask.yml @@ -0,0 +1,58 @@ +name: 'Windows PowerShell ScheduleTask' +id: ddf82fcb-e9ee-40e3-8712-a50b5bf323fc +version: 1 +date: '2023-06-12' +author: Michael Haag, Splunk +status: production +type: Anomaly +data_source: +- UPDATE_DATA_SOURCE +description: UPDATE_DESCRIPTION +search: '`powershell` EventCode=4104 ScriptBlockText IN ("*New-ScheduledTask*", "*New-ScheduledTaskAction*", "*New-ScheduledTaskSettingsSet*", "*New-ScheduledTaskTrigger*", "*Register-ClusteredScheduledTask*", "*Register-ScheduledTask*", "*Set-ClusteredScheduledTask*", "*Set-ScheduledTask*", "*Start-ScheduledTask*", "*Enable-ScheduledTask*") + | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_powershell_scheduletask_filter`' +how_to_implement: UPDATE_HOW_TO_IMPLEMENT +known_false_positives: UPDATE_KNOWN_FALSE_POSITIVES +references: +- https://learn.microsoft.com/en-us/powershell/module/scheduledtasks/?view=windowsserver2022-ps +- https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/ +tags: + analytic_story: + - Scheduled Tasks + asset_type: Endpoint + atomic_guid: + - af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd + confidence: 50 + impact: 50 + message: The PowerShell cmdlets related to task creation, modification and start occurred on $Computer$ by $User$. + mitre_attack_id: + - T1053.005 + - T1059.001 + - T1059 + observable: + - name: Computer + type: Hostname + role: + - Victim + - name: User + type: User + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - ScriptBlockText + - Computer + - EventCode + security_domain: endpoint + risk_score: 25 +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/atomic_red_team/pwsh_scheduledtask.log + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational + sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_registry_delete_task_sd.yml b/detections/endpoint/windows_registry_delete_task_sd.yml index c611bd9c69..1943e88045 100644 --- a/detections/endpoint/windows_registry_delete_task_sd.yml +++ b/detections/endpoint/windows_registry_delete_task_sd.yml @@ -36,6 +36,7 @@ tags: analytic_story: - Windows Registry Abuse - Windows Persistence Techniques + - Scheduled Tasks asset_type: Endpoint confidence: 70 impact: 70 diff --git a/detections/endpoint/windows_scheduled_task_created_via_xml.yml b/detections/endpoint/windows_scheduled_task_created_via_xml.yml index 83e75bee59..5dd574b38e 100644 --- a/detections/endpoint/windows_scheduled_task_created_via_xml.yml +++ b/detections/endpoint/windows_scheduled_task_created_via_xml.yml @@ -28,6 +28,7 @@ references: tags: analytic_story: - Winter Vivern + - Scheduled Tasks asset_type: Endpoint confidence: 70 dataset: diff --git a/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml b/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml index 65b01d24e3..c8efffe0ee 100644 --- a/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml +++ b/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml @@ -32,6 +32,7 @@ references: tags: analytic_story: - AsyncRAT + - Scheduled Tasks asset_type: Endpoint confidence: 80 impact: 80 diff --git a/detections/endpoint/windows_schtasks_create_run_as_system.yml b/detections/endpoint/windows_schtasks_create_run_as_system.yml index 57c046fb0b..a8bb5fea20 100644 --- a/detections/endpoint/windows_schtasks_create_run_as_system.yml +++ b/detections/endpoint/windows_schtasks_create_run_as_system.yml @@ -32,6 +32,7 @@ tags: analytic_story: - Windows Persistence Techniques - Qakbot + - Scheduled Tasks asset_type: Endpoint confidence: 60 impact: 80 diff --git a/detections/endpoint/winevent_scheduled_task_created_to_spawn_shell.yml b/detections/endpoint/winevent_scheduled_task_created_to_spawn_shell.yml index 7d3543b649..0cb150a62a 100644 --- a/detections/endpoint/winevent_scheduled_task_created_to_spawn_shell.yml +++ b/detections/endpoint/winevent_scheduled_task_created_to_spawn_shell.yml @@ -45,6 +45,7 @@ tags: - Winter Vivern - Ryuk Ransomware - CISA AA22-257A + - Scheduled Tasks asset_type: Endpoint confidence: 100 impact: 70 diff --git a/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml b/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml index 8255cb753a..04fa658c62 100644 --- a/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml +++ b/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml @@ -51,6 +51,7 @@ tags: - Industroyer2 - Active Directory Lateral Movement - Data Destruction + - Scheduled Tasks asset_type: Endpoint confidence: 100 impact: 70 diff --git a/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml b/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml index e7ec3f00bd..c06842ca8c 100644 --- a/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml +++ b/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml @@ -41,6 +41,7 @@ tags: - Industroyer2 - Sandworm Tools - Data Destruction + - Scheduled Tasks asset_type: Endpoint confidence: 100 impact: 80 diff --git a/stories/scheduled_tasks.yml b/stories/scheduled_tasks.yml new file mode 100644 index 0000000000..14ea13afb6 --- /dev/null +++ b/stories/scheduled_tasks.yml @@ -0,0 +1,33 @@ +name: Scheduled Tasks +id: 94cff925-d05c-40cf-b925-d6c5702a2399 +version: 1 +date: '2023-06-12' +author: Michael Haag, Splunk +description: The MITRE ATT&CK technique T1053 refers to Scheduled Task/Job. Adversaries might use task scheduling utilities to execute programs or scripts at a predefined date and time. This method is often used for persistence but can also be used for privilege escalation or to execute tasks under certain conditions. Scheduling tasks can be beneficial for an attacker as it can allow them to execute actions at times when the system is less likely to be monitored actively. Different operating systems have different utilities for task scheduling, for example, Unix-like systems have Cron, while Windows has Scheduled Tasks and At Jobs. +narrative: MITRE ATT&CK technique T1053, labeled "Scheduled Task/Job", is a categorization of methods that adversaries use to execute malicious code by scheduling tasks or jobs on a system. This technique is widely utilized for persistence, privilege escalation, and the remote execution of tasks. The technique is applicable across various environments and platforms, including Windows, Linux, and macOS. + The technique consists of multiple sub-techniques, each highlighting a distinct mechanism for scheduling tasks or jobs. These sub-techniques include T1053.001 (Scheduled Task), T1053.002 (At for Windows), T1053.003 (Cron), T1053.004 (Launchd), T1053.005 (At for Linux), and T1053.006 (Systemd Timers). + + Scheduled Task (T1053.001) focuses on adversaries' methods for scheduling tasks on a Windows system to maintain persistence or escalate privileges. These tasks can be set to execute at specified times, in response to particular events, or after a defined time interval. + + The At command for Windows (T1053.002) enables administrators to schedule tasks on a Windows system. Adversaries may exploit this command to execute programs at system startup or at a predetermined schedule for persistence. + + Cron (T1053.003) is a built-in job scheduler found in Unix-like operating systems. Adversaries can use cron jobs to execute programs at system startup or on a scheduled basis for persistence. + + Launchd (T1053.004) is a service management framework present in macOS. Adversaries may utilize launchd to maintain persistence on macOS systems by setting up daemons or agents to execute at specific times or in response to defined events. + + The At command for Linux (T1053.005) enables administrators to schedule tasks on a Linux system. Adversaries can use this command to execute programs at system startup or on a scheduled basis for persistence. + + Systemd Timers (T1053.006) offer a means of scheduling tasks on Linux systems using systemd. Adversaries can use systemd timers to execute programs at system startup or on a scheduled basis for persistence. + + Detection and mitigation strategies vary for each sub-technique. For instance, monitoring the creation of scheduled tasks or looking for uncorrelated changes to tasks that do not align with known software or patch cycles can be effective for detecting malicious activity related to this technique. Mitigation strategies may involve restricting permissions and applying application control solutions to prevent adversaries from scheduling tasks. +references: +- https://attack.mitre.org/techniques/T1053/ +tags: + analytic_story: Scheduled Tasks + category: + - Adversary Tactics + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + usecase: Advanced Threat Detection From b1b89b506ba52b46a091605d68e9293673eee054 Mon Sep 17 00:00:00 2001 From: Michael Haag <5632822+MHaggis@users.noreply.github.com> Date: Tue, 20 Jun 2023 08:55:03 -0600 Subject: [PATCH 2/6] Update windows_powershell_scheduletask.yml --- .../endpoint/windows_powershell_scheduletask.yml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/detections/endpoint/windows_powershell_scheduletask.yml b/detections/endpoint/windows_powershell_scheduletask.yml index b3ff023b0b..4b82a6ade4 100644 --- a/detections/endpoint/windows_powershell_scheduletask.yml +++ b/detections/endpoint/windows_powershell_scheduletask.yml @@ -6,14 +6,16 @@ author: Michael Haag, Splunk status: production type: Anomaly data_source: -- UPDATE_DATA_SOURCE -description: UPDATE_DESCRIPTION +- Powershell 4104 +description: The following analytic aims to uncover anomalies indicative of potential malicious activities related to PowerShell's task scheduling cmdlets. Specifically, it scrutinizes EventCode 4104 in PowerShell logs, a code associated with script block logging. By seeking out key task-related cmdlets such as 'New-ScheduledTask', 'Set-ScheduledTask', and others, the analytic flags unusual or suspicious use patterns that could be emblematic of suspicious behavior. Analysts should be aware that perpetrators often leverage task scheduling for persistence and remote execution of malicious code. search: '`powershell` EventCode=4104 ScriptBlockText IN ("*New-ScheduledTask*", "*New-ScheduledTaskAction*", "*New-ScheduledTaskSettingsSet*", "*New-ScheduledTaskTrigger*", "*Register-ClusteredScheduledTask*", "*Register-ScheduledTask*", "*Set-ClusteredScheduledTask*", "*Set-ScheduledTask*", "*Start-ScheduledTask*", "*Enable-ScheduledTask*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_scheduletask_filter`' -how_to_implement: UPDATE_HOW_TO_IMPLEMENT -known_false_positives: UPDATE_KNOWN_FALSE_POSITIVES +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +known_false_positives: Benign administrative tasks can also trigger alerts, necessitating a firm understanding of the typical system behavior and precise tuning of the analytic to reduce false positives. references: - https://learn.microsoft.com/en-us/powershell/module/scheduledtasks/?view=windowsserver2022-ps - https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/ From 195a5aece39ea0f85b5810eb8e7178e8c6c2fb95 Mon Sep 17 00:00:00 2001 From: Michael Haag <5632822+MHaggis@users.noreply.github.com> Date: Tue, 20 Jun 2023 13:06:48 -0600 Subject: [PATCH 3/6] descriptions --- ...add_files_in_known_crontab_directories.yml | 8 +------ ...ux_adding_crontab_using_list_parameter.yml | 6 +----- .../linux_at_allow_config_file_creation.yml | 11 +++------- .../linux_at_application_execution.yml | 11 +++++----- .../linux_edit_cron_table_parameter.yml | 12 ++++++----- ...cronjob_entry_on_existing_cronjob_file.yml | 12 +++++------ ...sible_cronjob_modification_with_editor.yml | 12 +++++++---- ...vice_file_created_in_systemd_directory.yml | 14 ++++--------- .../endpoint/linux_service_restarted.yml | 13 ++++-------- .../linux_service_started_or_enabled.yml | 10 +-------- ...ible_lateral_movement_powershell_spawn.yml | 12 +++-------- ...edule_task_with_http_command_arguments.yml | 21 +++++++------------ ...ule_task_with_rundll32_command_trigger.yml | 21 +++++++------------ ...k_creation_on_remote_endpoint_using_at.yml | 10 +++------ ...eduled_task_deleted_or_created_via_cmd.yml | 9 +++----- ...led_task_initiation_on_remote_endpoint.yml | 5 +---- .../endpoint/schtasks_run_task_on_demand.yml | 8 ++----- ...htasks_scheduling_job_on_remote_system.yml | 9 ++------ .../schtasks_used_for_forcing_a_reboot.yml | 6 ++---- .../endpoint/short_lived_scheduled_task.yml | 13 ++++++------ ...s_scheduled_task_from_public_directory.yml | 12 ++++------- ...svchost_lolbas_execution_process_spawn.yml | 8 +------ .../windows_hidden_schedule_task_settings.yml | 6 +----- .../windows_powershell_scheduletask.yml | 2 +- .../windows_registry_delete_task_sd.yml | 1 + ...windows_scheduled_task_created_via_xml.yml | 4 +++- ...scheduled_task_with_highest_privileges.yml | 14 ++++--------- .../windows_schtasks_create_run_as_system.yml | 4 +--- ..._scheduled_task_created_to_spawn_shell.yml | 20 +++++++----------- ...eduled_task_created_within_public_path.yml | 19 ++++++----------- ...ws_task_scheduler_event_action_started.yml | 17 ++++++++------- ...append_command_to_at_allow_config_file.yml | 14 ++++--------- 32 files changed, 119 insertions(+), 225 deletions(-) diff --git a/detections/endpoint/linux_add_files_in_known_crontab_directories.yml b/detections/endpoint/linux_add_files_in_known_crontab_directories.yml index fb84be2bc3..08f6620af5 100644 --- a/detections/endpoint/linux_add_files_in_known_crontab_directories.yml +++ b/detections/endpoint/linux_add_files_in_known_crontab_directories.yml @@ -5,13 +5,7 @@ date: '2021-12-17' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic identifies a suspicious file creation in known - cron table directories. This event is commonly abuse by malware, adversaries and - red teamers to persist on the target or compromised host. crontab or cronjob is - like a schedule task in windows environment where you can create an executable or - script on the known crontab directories to run it base on its schedule. This Anomaly - query is a good indicator to look further what file is added and who added the file - if to consider it legitimate file. +description: The following analytic aims to detect unauthorized activities through suspicious file creation in recognized cron table directories, prevalent Unix-based locations for scheduling tasks. This behavior is often exploited by nefarious entities like malware or threat actors, including red teamers, to establish persistence on a targeted or compromised host. The analogy to Windows-based scheduled tasks helps explain the utility of a crontab or cron job. To enhance clarity and actionable intelligence, the anomaly query flags the anomaly, urging further investigation into the added file's details. A cybersecurity analyst should consider additional data points such as the user identity involved, the file's nature and purpose, file origin, timestamp, and any changes in system behavior post file execution. This comprehensive understanding aids in accurately determining the file's legitimacy, facilitating prompt and effective response actions. data_source: - Sysmon Event ID 11 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) diff --git a/detections/endpoint/linux_adding_crontab_using_list_parameter.yml b/detections/endpoint/linux_adding_crontab_using_list_parameter.yml index bc29dd9ebe..d67a345562 100644 --- a/detections/endpoint/linux_adding_crontab_using_list_parameter.yml +++ b/detections/endpoint/linux_adding_crontab_using_list_parameter.yml @@ -5,11 +5,7 @@ date: '2023-04-14' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic identifies a suspicious cron jobs modification - using crontab list parameters. This command line parameter can be abused by malware - like industroyer2, adversaries, and red teamers to add a crontab entry to their - malicious code to execute to the schedule they want. This event can also be executed - by administrator or normal user for automation purposes so filter is needed. +description: The following analytic identifies suspicious modifications to cron jobs on Linux systems using the crontab command with list parameters. This command line parameter can be abused by malware like Industroyer2, as well as adversaries and red teamers, to add a crontab entry for executing their malicious code on a schedule of their choice. However, it's important to note that administrators or normal users may also use this command for legitimate automation purposes, so filtering is required to minimize false positives. Identifying the modification of cron jobs using list parameters is valuable for a SOC as it indicates potential malicious activity or an attempt to establish persistence on the system. If a true positive is detected, further investigation should be conducted to analyze the added cron job, its associated command, and the impact it may have on the system. This includes examining the purpose of the job, reviewing any on-disk artifacts, and identifying any related processes or activities occurring concurrently. The impact of a true positive can range from unauthorized execution of malicious code to data destruction or other damaging outcomes. data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) diff --git a/detections/endpoint/linux_at_allow_config_file_creation.yml b/detections/endpoint/linux_at_allow_config_file_creation.yml index 3cbcc8ed91..f07b2349ea 100644 --- a/detections/endpoint/linux_at_allow_config_file_creation.yml +++ b/detections/endpoint/linux_at_allow_config_file_creation.yml @@ -5,14 +5,9 @@ date: '2021-12-17' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic identifies a suspicious file creation of /etc/at.allow - or /etc/at.deny. These 2 files are commonly abused by malware, adversaries or red - teamers to persist on the targeted or compromised host. These config files can restrict - or allow user to execute "at" application (another schedule task application in - linux). attacker can create a user or add the compromised username to that config - file to execute "at" to schedule it malicious code. This anomaly detection can be - a good indicator to investigate further the entry in created config file and who - created it to verify if it is a false positive. +description: The following analytic detects the creation of suspicious configuration files, /etc/at.allow or /etc/at.deny, in Linux. These files are commonly abused by malware, adversaries, or red teamers to establish persistence on compromised hosts. The configuration files determine which users are allowed to execute the "at" application, which is used for scheduling tasks in Linux. Attackers can add their user or a compromised username to these files to execute malicious code using "at." It's important to consider potential false positives as administrators or network operators may create these files for legitimate automation purposes. Adjust the filter macros to minimize false positives. + + Identifying the creation of these configuration files is valuable for a SOC as it indicates potential unauthorized activities or an attacker attempting to establish persistence. If a true positive is found, further investigation is necessary to examine the contents of the created configuration file and determine the source of creation. The impact of a true positive can vary but could result in unauthorized execution of malicious code, data theft, or other detrimental consequences. Analysts should review the file path, creation time, and associated processes to assess the extent of the attack and initiate appropriate response actions. data_source: - Sysmon Event ID 11 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) diff --git a/detections/endpoint/linux_at_application_execution.yml b/detections/endpoint/linux_at_application_execution.yml index 56429c397a..d79f29a79a 100644 --- a/detections/endpoint/linux_at_application_execution.yml +++ b/detections/endpoint/linux_at_application_execution.yml @@ -5,12 +5,11 @@ date: '2022-05-26' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic identifies a suspicious process creation of At - application. This process can be used by malware, adversaries and red teamers to - create persistence entry to the targeted or compromised host with their malicious - code. This anomaly detection can be a good indicator to investigate the event before - and after this process execution, when it was executed and what schedule task it - will execute. +description: The following analytic detects the execution of the "At" application in Linux, which can be used by attackers to create persistence entries on a compromised host. The "At" application can be used for automation purposes by administrators or network operators, so the filter macros should be updated to remove false positives. If a true positive is found, it suggests an attacker is trying to maintain access to the environment or potentially deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes. To implement this analytic, ensure you are ingesting logs with the required fields from your endpoints into the Endpoint datamodel. When a true positive is detected, it suggests that an attacker is attempting to establish persistence or deliver additional malicious payloads by leveraging the "At" application. This behavior can lead to data theft, ransomware attacks, or other damaging outcomes. + + During triage, the SOC analyst should review the context surrounding the execution of the "At" application. This includes identifying the user, the parent process responsible for invoking the application, and the specific command-line arguments used. It is important to consider whether the execution is expected behavior by an administrator or network operator for legitimate automation purposes. + + The presence of "At" application execution may indicate an attacker's attempt to maintain unauthorized access to the environment. Immediate investigation and response are necessary to mitigate further risks, identify the attacker's intentions, and prevent potential harm to the organization. data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count from datamodel=Endpoint.Processes diff --git a/detections/endpoint/linux_edit_cron_table_parameter.yml b/detections/endpoint/linux_edit_cron_table_parameter.yml index e2df59751d..4949118f79 100644 --- a/detections/endpoint/linux_edit_cron_table_parameter.yml +++ b/detections/endpoint/linux_edit_cron_table_parameter.yml @@ -5,11 +5,13 @@ date: '2021-12-17' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic identifies a suspicious cronjobs modification - using crontab edit parameter. This commandline parameter can be abuse by malware - author, adversaries, and red red teamers to add cronjob entry to their malicious - code to execute to the schedule they want. This event can also be executed by administrator - or normal user for automation purposes so filter is needed. +description: The following analytic detects the suspicious editing of cron jobs in Linux via the crontab command-line parameter. This tactic could be used by adversaries or malware to schedule execution of their malicious code, potentially leading to system compromise or unauthorized persistent access. It pinpoints this activity by monitoring command-line executions involving 'crontab' and the edit parameter (-e). + + Recognizing such activity is vital for a SOC as cron job manipulations might signal unauthorized persistence attempts or scheduled malicious actions, potentially resulting in substantial harm. A true positive signifies an active threat, with implications ranging from unauthorized access to broader network compromise. + + To implement this analytic, logs capturing process name, parent process, and command-line executions from your endpoints must be ingested. + + Known false positives could stem from valid administrative tasks or automation processes using crontab. To reduce these, fine-tune the filter macros according to the benign activities within your environment. These adjustments ensure legitimate actions aren't mistaken for threats, allowing analysts to focus on genuine potential risks. data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) diff --git a/detections/endpoint/linux_possible_append_cronjob_entry_on_existing_cronjob_file.yml b/detections/endpoint/linux_possible_append_cronjob_entry_on_existing_cronjob_file.yml index 16e2eb89c7..b8a98a81b9 100644 --- a/detections/endpoint/linux_possible_append_cronjob_entry_on_existing_cronjob_file.yml +++ b/detections/endpoint/linux_possible_append_cronjob_entry_on_existing_cronjob_file.yml @@ -5,10 +5,11 @@ date: '2021-12-17' author: Teoderick Contreras, Splunk status: production type: Hunting -description: This analytic looks for possible suspicious commandline that may use - to append a code to any existing cronjob files for persistence or privilege escalation. - This technique is commonly abused by malware, adversaries and red teamers to automatically - execute their code within a existing or sometimes in normal cronjob script file. +description: The following analytic is designed to detect potential tampering with cronjob files on a Linux system. It specifically searches for command lines that may be used to append code to existing cronjob files, a technique often employed by adversaries, malware, and red teamers for persistence or privilege escalation. Altering existing or sometimes normal cronjob script files allows malicious code to be executed automatically. + + The analytic operates by monitoring logs for specific process names, parent processes, and command-line executions from your endpoints. It specifically checks for any 'echo' command which modifies files in directories commonly associated with cron jobs such as '/etc/cron*', '/var/spool/cron/', and '/etc/anacrontab'. If such activity is detected, an alert is triggered. + + This behavior is worth identifying for a SOC because malicious cron jobs can lead to system compromises and unauthorized data access, impacting business operations and data integrity. data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count from datamodel=Endpoint.Processes @@ -21,8 +22,7 @@ how_to_implement: To successfully implement this search, you need to be ingestin logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. -known_false_positives: Administrator or network operator can use this commandline - for automation purposes. Please update the filter macros to remove false positives. +known_false_positives: False positives may arise from legitimate actions by administrators or network operators who may use these commands for automation purposes. Therefore, it's recommended to adjust filter macros to eliminate such false positives. references: - https://attack.mitre.org/techniques/T1053/003/ - https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability diff --git a/detections/endpoint/linux_possible_cronjob_modification_with_editor.yml b/detections/endpoint/linux_possible_cronjob_modification_with_editor.yml index 20e891f9ed..9c47f8f129 100644 --- a/detections/endpoint/linux_possible_cronjob_modification_with_editor.yml +++ b/detections/endpoint/linux_possible_cronjob_modification_with_editor.yml @@ -5,10 +5,14 @@ date: '2021-12-17' author: Teoderick Contreras, Splunk status: production type: Hunting -description: This analytic looks for possible modification of cronjobs file using - editor. This event is can be seen in normal user but can also be a good hunting - indicator for unwanted user modifying cronjobs for possible persistence or privilege - escalation. +description: The following analytic detects potential unauthorized modifications to Linux cronjobs using text editors like "nano", "vi" or "vim". It identifies this behavior by tracking command-line executions that interact with paths related to cronjob configuration, a common Linux scheduling utility. Cronjob files may be manipulated by attackers for privilege escalation or persistent access, making such changes critical to monitor. + The identified behavior is significant for a Security Operations Center (SOC) as it could indicate an ongoing attempt at establishing persistent access or privilege escalation, leading to data breaches, system compromise, or other malicious activities. + + In case of a true positive, the impact could be severe. An attacker with escalated privileges or persistent access could carry out damaging actions, such as data theft, sabotage, or further network penetration. + + To implement this analytic, ensure ingestion of logs tracking process name, parent process, and command-line executions from your endpoints. Utilize the Add-on for Linux Sysmon from Splunkbase if you're using Sysmon. + + Known false positives include legitimate administrative tasks, as these commands may also be used for benign purposes. Careful tuning and filtering based on known benign activity in your environment can minimize these instances. data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) diff --git a/detections/endpoint/linux_service_file_created_in_systemd_directory.yml b/detections/endpoint/linux_service_file_created_in_systemd_directory.yml index 42255fac6f..f5007f7b49 100644 --- a/detections/endpoint/linux_service_file_created_in_systemd_directory.yml +++ b/detections/endpoint/linux_service_file_created_in_systemd_directory.yml @@ -5,13 +5,9 @@ date: '2021-12-20' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: This analytic looks for suspicious file creation in systemd timer directory - in linux platform. systemd is a system and service manager for Linux distributions. - From the Windows perspective, this process fulfills the duties of wininit.exe and - services.exe combined. At the risk of simplifying the functionality of systemd, - it initializes a Linux system and starts relevant services that are defined in service - unit files. Adversaries, malware and red teamers may abuse this this feature by - stashing systemd service file to persist on the targetted or compromised host. +description: The following analytic is designed to detect suspicious file creation within the systemd timer directory on Linux platforms. Systemd is a system and service manager for Linux, similar to the combination of wininit.exe and services.exe on Windows. This process initializes a Linux system and starts defined services in unit files. Malicious actors, such as adversaries, malware, or red teamers, can exploit this feature by embedding a systemd service file for persistence on the targeted or compromised host. + + The analytic works by monitoring logs with file name, file path, and process GUID data from your endpoints. If a .service file is created in certain systemd directories, the analytic triggers an alert. This behavior is significant for a Security Operations Center (SOC) as it may indicate a persistent threat within the network, with a potential impact of system compromise or data exfiltration. data_source: - Sysmon Event ID 11 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -25,9 +21,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime how_to_implement: To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. -known_false_positives: Administrator or network operator can create file in systemd - folders for automation purposes. Please update the filter macros to remove false - positives. +known_false_positives: False positives may arise when administrators or network operators create files in systemd directories for legitimate automation tasks. Therefore, it's important to adjust filter macros to account for valid activities. To implement this search successfully, it's crucial to ingest appropriate logs, preferably using the Linux Sysmon Add-on from Splunkbase for those using Sysmon. references: - https://attack.mitre.org/techniques/T1053/006/ - https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/ diff --git a/detections/endpoint/linux_service_restarted.yml b/detections/endpoint/linux_service_restarted.yml index 408bc6d582..856cfb8479 100644 --- a/detections/endpoint/linux_service_restarted.yml +++ b/detections/endpoint/linux_service_restarted.yml @@ -5,15 +5,10 @@ date: '2023-04-14' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: This analytic looks for restarted or re-enable services in the linux - platform. This technique can be executed or performed using systemctl or service - tool application. Adversaries may create or modify Linux services to repeatedly - execute malicious payloads as part of persistence. When the linux host boots up, - it starts programs or applications called services that perform background system - functions. Administrator may also create a legitimated service for a specific tool - or normal application as part of task or automation, in this scenario it is suggested - to look for the service path of the actual script or executable that registered - as service and who created the service for further verification. +description: The following analytic detects the restarting or re-enabling of services in the Linux platform. It focuses on the use of the systemctl or service tools for executing these actions. Adversaries may leverage this technique to repeatedly execute malicious payloads as a form of persistence. Linux hosts typically start services during boot to perform background system functions. However, administrators may also create legitimate services for specific tools or applications as part of task automation. In such cases, it is recommended to verify the service path of the registered script or executable and identify the creator of the service for further validation. + It's important to be aware that this analytic may generate false positives as administrators or network operators may use the same command-line for legitimate automation purposes. Filter macros should be updated accordingly to minimize false positives. + + Identifying restarted or re-enabled services is valuable for a SOC as it can indicate potential malicious activities attempting to maintain persistence or execute unauthorized actions on Linux systems. By detecting and investigating these events, security analysts can respond promptly to mitigate risks and prevent further compromise. The impact of a true positive can range from unauthorized access to data destruction or other damaging outcomes. data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) diff --git a/detections/endpoint/linux_service_started_or_enabled.yml b/detections/endpoint/linux_service_started_or_enabled.yml index 3b0f211de4..6c02308a24 100644 --- a/detections/endpoint/linux_service_started_or_enabled.yml +++ b/detections/endpoint/linux_service_started_or_enabled.yml @@ -5,15 +5,7 @@ date: '2021-12-20' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: This analytic looks for created or enable services in linux platform. - This technique can be executed or performed using systemctl or service tool application. - Adversaries may create or modify Windows services to repeatedly execute malicious - payloads as part of persistence. When Windows boots up, it starts programs or applications - called services that perform background system functions. Administrator may also - create a legitimated service for a specific tool or normal application as part of - task or automation, in this scenario it is suggested to look for the service path - of the actual script or executable that register as service and who created the - service for further verification. +description: The following analytic detects the creation or enabling of services in Linux platforms, specifically using the systemctl or service tool application. This behavior is worth identifying as adversaries may create or modify services to execute malicious payloads as part of persistence. Legitimate services created by administrators for automation purposes may also trigger this analytic, so it is important to update the filter macros to remove false positives. If a true positive is found, it suggests an possible attacker is attempting to persist within the environment or deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes. To implement this analytic, ensure you are ingesting logs with the process name, parent process, and command-line executions from your endpoints. data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) diff --git a/detections/endpoint/possible_lateral_movement_powershell_spawn.yml b/detections/endpoint/possible_lateral_movement_powershell_spawn.yml index 770a78ad26..903577cce8 100644 --- a/detections/endpoint/possible_lateral_movement_powershell_spawn.yml +++ b/detections/endpoint/possible_lateral_movement_powershell_spawn.yml @@ -5,15 +5,9 @@ date: '2023-04-14' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic assists with identifying a PowerShell process - spawned as a child or grand child process of commonly abused processes during lateral - movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` - and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, - Windows Management Instrumentation, Task Scheduler, Windows Remote Management and - the DCOM protocol can be abused to start a process on a remote endpoint. Looking - for PowerShell spawned out of this processes may reveal a lateral movement attack. - Red Teams and adversaries alike may abuse these services during a breach for lateral - movement and remote code execution. +description: The following analytic is designed to identify possible lateral movement attacks that involve the spawning of a PowerShell process as a child or grandchild process of commonly abused processes. These processes include services.exe, wmiprsve.exe, svchost.exe, wsmprovhost.exe, and mmc.exe. + + Such behavior is indicative of legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management, and the DCOM protocol being abused to start a process on a remote endpoint. This behavior is often seen during lateral movement techniques where adversaries or red teams abuse these services for lateral movement and remote code execution. data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) diff --git a/detections/endpoint/schedule_task_with_http_command_arguments.yml b/detections/endpoint/schedule_task_with_http_command_arguments.yml index 02adbbc9c0..1160a511c9 100644 --- a/detections/endpoint/schedule_task_with_http_command_arguments.yml +++ b/detections/endpoint/schedule_task_with_http_command_arguments.yml @@ -5,20 +5,13 @@ date: '2023-04-05' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following query utilizes Windows Security EventCode 4698, `A scheduled - task was created`, to identify suspicious tasks registered on Windows either via - schtasks.exe OR TaskService with an arguments "HTTP" string that are unique entry - of malware or attack that uses lolbin to download other file or payload to the infected - machine. The search will return the first time and last time the task was registered, - as well as the `Command` to be executed, `Task Name`, `Author`, `Enabled`, and whether - it is `Hidden` or not. schtasks.exe is natively found in `C:\Windows\system32` and - `C:\Windows\syswow64`. The following DLL(s) are loaded when schtasks.exe or TaskService - is launched -`taskschd.dll`. If found loaded by another process, it is possible - a scheduled task is being registered within that process context in memory. Upon - triage, identify the task scheduled source. Was it schtasks.exe or via TaskService? - Review the job created and the Command to be executed. Capture any artifacts on - disk and review. Identify any parallel processes within the same timeframe to identify - source.' +description: The following analytic detects the registration of suspicious tasks on Windows using the Windows Security EventCode 4698, "A scheduled task was created." It specifically looks for tasks registered through schtasks.exe or TaskService that have command arguments containing the string "HTTP." This behavior is often associated with malware or attacks that utilize Living off the Land binaries (lolbins) to download additional files or payloads to the compromised machine. + + The search returns information about the task, such as the task name, command, author, enabled status, hidden status, and arguments. Upon triage, it is important to identify the source of the scheduled task, whether it was registered through schtasks.exe or TaskService. Review the details of the created task and the command to be executed. Capture relevant artifacts on disk and examine them. Additionally, identify any parallel processes occurring within the same timeframe to determine the source of the attack. + + Implementing this analytic requires ingesting logs with information about task schedules, specifically Windows Security Log EventCode 4698, from your endpoints. It is recommended to tune and filter known instances of task schedules used in your environment to minimize false positives. + + Detecting the registration of suspicious tasks with HTTP command arguments is valuable for a SOC as it indicates potential malicious activity or an attempt to establish persistence on the system. If a true positive is found, further investigation is warranted to analyze the nature and purpose of the scheduled task, identify any downloaded files or payloads, and mitigate the associated risks. The impact of a true positive can vary but may include data exfiltration, malware propagation, or unauthorized access to sensitive information. data_source: - Windows Security 4698 search: '`wineventlog_security` EventCode=4698 | xmlkv Message| search Arguments IN diff --git a/detections/endpoint/schedule_task_with_rundll32_command_trigger.yml b/detections/endpoint/schedule_task_with_rundll32_command_trigger.yml index 5bb19280c7..d0ddb06765 100644 --- a/detections/endpoint/schedule_task_with_rundll32_command_trigger.yml +++ b/detections/endpoint/schedule_task_with_rundll32_command_trigger.yml @@ -5,20 +5,13 @@ date: '2021-04-19' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following query utilizes Windows Security EventCode 4698, `A scheduled - task was created`, to identify suspicious tasks registered on Windows either via - schtasks.exe OR TaskService with a command to be executed with a Rundll32. This - technique is common in new trickbot that uses rundll32 to load is trickbot downloader. - The search will return the first time and last time the task was registered, as - well as the `Command` to be executed, `Task Name`, `Author`, `Enabled`, and whether - it is `Hidden` or not. schtasks.exe is natively found in `C:\Windows\system32` and - `C:\Windows\syswow64`. The following DLL(s) are loaded when schtasks.exe or TaskService - is launched -`taskschd.dll`. If found loaded by another process, it is possible - a scheduled task is being registered within that process context in memory. Upon - triage, identify the task scheduled source. Was it schtasks.exe or via TaskService? - Review the job created and the Command to be executed. Capture any artifacts on - disk and review. Identify any parallel processes within the same timeframe to identify - source.' +description: The following analytic detects the creation of suspicious tasks in Windows, specifically tasks using the rundll32 command. It's implemented using Windows Security EventCode 4698 for A scheduled task was created, and looks for tasks executed either via schtasks.exe or TaskService. This behavior is worth identifying as it is commonly used by malware, such as TrickBot, that leverages rundll32 to execute its downloader. + + If a true positive is found, it suggests an attacker is trying to persist within the environment or potentially deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes. + + To implement this analytic, ensure you are ingesting logs with task schedule information from your endpoints. Be aware of potential false positives - legitimate uses of Task Scheduler in your environment may cause benign activities to be flagged. + + Upon triage, review the scheduled task's source and the command to be executed. Capture and inspect any relevant on-disk artifacts, and look for concurrent processes to identify the attack source. This approach helps analysts detect potential threats earlier and mitigate the risks. data_source: - Windows Security 4698 search: '`wineventlog_security` EventCode=4698 | xmlkv Message | search Command IN diff --git a/detections/endpoint/scheduled_task_creation_on_remote_endpoint_using_at.yml b/detections/endpoint/scheduled_task_creation_on_remote_endpoint_using_at.yml index 16f36e36c8..3951396b6d 100644 --- a/detections/endpoint/scheduled_task_creation_on_remote_endpoint_using_at.yml +++ b/detections/endpoint/scheduled_task_creation_on_remote_endpoint_using_at.yml @@ -5,13 +5,9 @@ date: '2021-11-11' author: Mauricio Velazco, Splunk status: production type: TTP -description: This analytic looks for the execution of `at.exe` with command-line arguments - utilized to create a Scheduled Task on a remote endpoint. Red Teams and adversaries - alike may abuse the Task Scheduler for lateral movement and remote code execution. - The `at.exe` binary internally leverages the AT protocol which was deprecated starting - with Windows 8 and Windows Server 2012 but may still work on previous versions of - Windows. Furthermore, attackers may enable this protocol on demand by changing a - sytem registry key. +description: The following analytic detects the creation of suspicious tasks on a remote Windows endpoint using the at.exe command with command-line arguments. This technique is commonly used by red teams and adversaries for lateral movement and remote code execution. The at.exe binary leverages the deprecated AT protocol, which may still work on previous versions of Windows. Attackers can enable this protocol on demand by modifying a system registry key. It is important to consider potential false positives. While administrators may create scheduled tasks on remote systems, this activity is typically limited to a small set of hosts or users. + + Identifying the creation of scheduled tasks on remote endpoints is crucial for a Security Operations Center (SOC) because it indicates potential unauthorized activity or an attacker attempting to establish persistence or execute malicious code. The impact of a true positive can be significant, leading to unauthorized access, data theft, or other damaging outcomes. During triage, investigate the source and purpose of the scheduled task, inspect relevant on-disk artifacts, and analyze concurrent processes to identify the extent of the attack and take appropriate response actions. data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) diff --git a/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml b/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml index de24543233..9c3b8abe8a 100644 --- a/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml +++ b/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml @@ -5,10 +5,8 @@ date: '2023-04-05' author: Bhavin Patel, Splunk status: production type: TTP -description: The following analytic identifies the creation or deletion of a scheduled - task using schtasks.exe with flags - create or delete being passed on the command-line. - This has been associated with the Dragonfly threat actor, and the SUNBURST attack - against Solarwinds. This analytic replaces "Scheduled Task used in BadRabbit Ransomware". +description: The following analytic detects the creation or deletion of a scheduled task using the schtasks.exe command-line tool with the 'create' or 'delete' flags. This behavior has been associated with threat actors like Dragonfly and the SUNBURST attack against SolarWinds. It replaces the previous analytic related to "Scheduled Task used in BadRabbit Ransomware." + Identifying the creation or deletion of scheduled tasks via the command line is significant for a SOC as it may indicate malicious activity, such as the establishment of persistence or unauthorized changes to critical systems. A true positive suggests potential compromise or an ongoing attack, highlighting the need for immediate investigation and response to mitigate the impact on the affected systems. data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count values(Processes.process) @@ -22,8 +20,7 @@ how_to_implement: To successfully implement this search you need to be ingesting your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -known_false_positives: It is possible scripts or administrators may trigger this analytic. - Filter as needed based on parent process, application. +known_false_positives: While it is possible for legitimate scripts or administrators to trigger this behavior, filtering can be applied based on the parent process and application to reduce false positives. Analysts should reference the provided references to understand the context and threat landscape associated with this activity. references: - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/ - https://www.joesandbox.com/analysis/691823/0/html diff --git a/detections/endpoint/scheduled_task_initiation_on_remote_endpoint.yml b/detections/endpoint/scheduled_task_initiation_on_remote_endpoint.yml index 06cb1555fb..d6ff47aeeb 100644 --- a/detections/endpoint/scheduled_task_initiation_on_remote_endpoint.yml +++ b/detections/endpoint/scheduled_task_initiation_on_remote_endpoint.yml @@ -5,10 +5,7 @@ date: '2021-11-11' author: Mauricio Velazco, Splunk status: production type: TTP -description: This analytic looks for the execution of `schtasks.exe` with command-line - arguments utilized to start a Scheduled Task on a remote endpoint. Red Teams and - adversaries alike may abuse the Task Scheduler for lateral movement and remote code - execution. +description: This analytic detects instances of 'schtasks.exe' being used to start a Scheduled Task on a remote endpoint. Adversaries often abuse the Task Scheduler for lateral movement and remote code execution. The search parameters include process details such as the process name, parent process, and command-line executions. Although legitimate administrators may start scheduled tasks on remote systems, this activity is usually limited to a small set of hosts or users. The findings from this analytic provide valuable insight into potentially malicious activities on an endpoint. data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) diff --git a/detections/endpoint/schtasks_run_task_on_demand.yml b/detections/endpoint/schtasks_run_task_on_demand.yml index db64a5067f..8f66aec11e 100644 --- a/detections/endpoint/schtasks_run_task_on_demand.yml +++ b/detections/endpoint/schtasks_run_task_on_demand.yml @@ -5,10 +5,7 @@ date: '2023-04-14' author: Teoderick Contreras, Splunk status: production type: TTP -description: This analytic identifies an on demand run of a Windows Schedule Task - through shell or command-line. This technique has been used by adversaries that - force to run their created Schedule Task as their persistence mechanism or for lateral - movement as part of their malicious attack to the compromised machine. +description: The following analytic is designed to detect when a Windows Scheduled Task is executed on demand via shell or command line. Adversaries often force the execution of their created Scheduled Tasks for persistent access or lateral movement within a compromised machine. This analytic is driven by process-related data, specifically process name, parent process, and command-line executions, sourced from endpoint logs. The search criteria focus on 'schtasks.exe' with an associated 'run' command. data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` values(Processes.process) as process @@ -21,8 +18,7 @@ how_to_implement: To successfully implement this search, you need to be ingestin logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed schtasks.exe may be used. -known_false_positives: Administrators may use to debug Schedule Task entries. Filter - as needed. +known_false_positives: Bear in mind, administrators debugging Scheduled Task entries may trigger this analytic, necessitating fine-tuning and filtering to distinguish between legitimate and potentially malicious use of 'schtasks.exe'. references: - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/ tags: diff --git a/detections/endpoint/schtasks_scheduling_job_on_remote_system.yml b/detections/endpoint/schtasks_scheduling_job_on_remote_system.yml index 0b8d9e2cb6..0198e2799d 100644 --- a/detections/endpoint/schtasks_scheduling_job_on_remote_system.yml +++ b/detections/endpoint/schtasks_scheduling_job_on_remote_system.yml @@ -5,10 +5,7 @@ date: '2022-05-23' author: David Dorsey, Mauricio Velazco, Splunk status: production type: TTP -description: This analytic looks for the execution of `schtasks.exe` with command-line - arguments utilized to create a Scheduled Task on a remote endpoint. Red Teams and - adversaries alike may abuse the Task Scheduler for lateral movement and remote code - execution. +description: The following analytic is designed to detect suspicious command-line arguments executed through 'schtasks.exe' to create a scheduled task on a remote endpoint. The analytic scans process data, checking for instances where 'schtasks.exe' has been used with specific command-line flags that suggest an attempt at lateral movement or remote code execution, common techniques employed by adversaries and red teams. Key data points include the process name, the specific command line used, the parent process name, the target destination, and the user involved. Also, timestamp data gives context to when these activities occurred. data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -22,9 +19,7 @@ how_to_implement: You must be ingesting data that records process activity from ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the "process" field in the Endpoint data model. -known_false_positives: Administrators may create scheduled tasks on remote systems, - but this activity is usually limited to a small set of hosts or users. It is important - to validate and investigate as appropriate. +known_false_positives: While it is possible to have false positives, due to legitimate administrative tasks, these are usually limited and should still be validated and investigated as appropriate. references: [] tags: analytic_story: diff --git a/detections/endpoint/schtasks_used_for_forcing_a_reboot.yml b/detections/endpoint/schtasks_used_for_forcing_a_reboot.yml index eb41362f0f..cbea55c8ed 100644 --- a/detections/endpoint/schtasks_used_for_forcing_a_reboot.yml +++ b/detections/endpoint/schtasks_used_for_forcing_a_reboot.yml @@ -5,8 +5,7 @@ date: '2020-12-07' author: Bhavin Patel, Splunk status: production type: TTP -description: This search looks for flags passed to schtasks.exe on the command-line - that indicate that a forced reboot of system is scheduled. +description: The following analytic utilizes a Splunk query to pinpoint potential threats by monitoring the 'schtasks.exe' command-line usage. This particular command, especially when used in tandem with 'shutdown' and '/create' flags, can suggest an adversarial force intending to schedule unwarranted system reboots. The query focuses on endpoint process data and retrieves details such as the process name, the parent process name, the destination, and the user involved. Essential to the investigation are the earliest and latest timestamps of these events, providing an activity timeline. Data such as the targeted host and initiating user offer valuable context for analyst. data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` values(Processes.process) as process @@ -20,8 +19,7 @@ how_to_implement: To successfully implement this search you need to be ingesting your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -known_false_positives: Administrators may create jobs on systems forcing reboots to - perform updates, maintenance, etc. +known_false_positives: This analytic may also capture legitimate administrative activities such as system updates or maintenance tasks, which can be classified as false positives. Filter as needed. references: [] tags: analytic_story: diff --git a/detections/endpoint/short_lived_scheduled_task.yml b/detections/endpoint/short_lived_scheduled_task.yml index d2fdba7e8d..d9645b348e 100644 --- a/detections/endpoint/short_lived_scheduled_task.yml +++ b/detections/endpoint/short_lived_scheduled_task.yml @@ -5,12 +5,13 @@ date: '2021-12-03' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic leverages Windows Security EventCode 4698, `A - scheduled task was created` and Windows Security EventCode 4699, `A scheduled task - was deleted` to identify scheduled tasks created and deleted in less than 30 seconds. - This behavior may represent a lateral movement attack abusing the Task Scheduler - to obtain code execution. Red Teams and adversaries alike may abuse the Task Scheduler - for lateral movement and remote code execution. +description: The following analytic utilizes Windows Security EventCode 4698, "A scheduled task was created," and EventCode 4699, "A scheduled task was deleted," to identify scheduled tasks that are created and deleted within a short time frame of less than 30 seconds. This behavior is indicative of a potential lateral movement attack where the Task Scheduler is abused to achieve code execution. Both red teams and adversaries may exploit the Task Scheduler for lateral movement and remote code execution. + + To implement this analytic, ensure that you are ingesting Windows Security Event Logs with EventCode 4698 enabled. Additionally, the Windows TA (Technology Add-on) is required to parse and extract the necessary information from the logs. + + It's important to note that while uncommon, legitimate applications may create and delete scheduled tasks within a short duration. Analysts should filter the results based on the specific context and environment to reduce false positives. + + Identifying short-lived scheduled tasks is valuable for a SOC as it can indicate malicious activities attempting to move laterally or execute unauthorized code on Windows systems. By detecting and investigating these events, security analysts can respond promptly to prevent further compromise and mitigate potential risks. The impact of a true positive could range from unauthorized access to data exfiltration or the execution of malicious payloads. data_source: - Windows Security 4698 search: ' `wineventlog_security` EventCode=4698 OR EventCode=4699 | xmlkv Message diff --git a/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml b/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml index 1fd8d95f42..3786991cbd 100644 --- a/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml +++ b/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml @@ -5,12 +5,9 @@ date: '2021-03-01' author: Michael Haag, Splunk status: production type: Anomaly -description: The following detection identifies Scheduled Tasks registering (creating - a new task) a binary or script to run from a public directory which includes users\public, - \programdata\ and \windows\temp. Upon triage, review the binary or script in the - command line for legitimacy, whether an approved binary/script or not. In addition, - capture the binary or script in question and analyze for further behaviors. Identify - the source and contain the endpoint. +description: The following analytic, "Suspicious Scheduled Task from Public Directory", detects the registration of scheduled tasks aimed to execute a binary or script from public directories, a behavior often associated with malware deployment. It utilizes the Sysmon Event ID 1 data source, searching for instances where schtasks.exe is connected with the directories users\public, \programdata\, or \windows\temp and involves the /create command. + + The registration of such scheduled tasks in public directories could suggest that an attacker is trying to maintain persistence or execute malicious scripts. If confirmed as a true positive, this could lead to data compromise, unauthorized access, and potential lateral movement within the network. data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -23,8 +20,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. -known_false_positives: Limited false positives may be present. Filter as needed by - parent process or command line argument. +known_false_positives: The main source of false positives could be the legitimate use of scheduled tasks from these directories. Careful tuning of this search may be necessary to suit the specifics of your environment, reducing the rate of false positives. references: - https://attack.mitre.org/techniques/T1053/005/ tags: diff --git a/detections/endpoint/svchost_lolbas_execution_process_spawn.yml b/detections/endpoint/svchost_lolbas_execution_process_spawn.yml index 013b7d2a4f..67a706f9b9 100644 --- a/detections/endpoint/svchost_lolbas_execution_process_spawn.yml +++ b/detections/endpoint/svchost_lolbas_execution_process_spawn.yml @@ -5,13 +5,7 @@ date: '2021-11-22' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic identifies `svchost.exe` spawning a LOLBAS execution - process. When adversaries execute code on remote endpoints abusing the Task Scheduler - and creating a malicious remote scheduled task, the executed command is spawned - as a child process of `svchost.exe`. The LOLBAS project documents Windows native - binaries that can be abused by threat actors to perform tasks like executing malicious - code. Looking for child processes of svchost.exe that are part of the LOLBAS project - can help defenders identify lateral movement activity. +description: The following analytic is designed to spot instances of 'svchost.exe' initiating a Living Off The Land Binaries and Scripts (LOLBAS) execution process. Often, adversaries manipulate Task Scheduler to execute code on remote endpoints, resulting in the spawning of a malicious command as a child process of 'svchost.exe'. By tracking child processes of 'svchost.exe' that align with the LOLBAS project, potential lateral movement activity can be detected. The analytic examines process details, including the process name, parent process, and command-line executions. A comprehensive list of LOLBAS processes is included in the search parameters. Although the analytic might catch legitimate applications exhibiting this behavior, these instances should be filtered accordingly. The findings from this analytic offer valuable insight into potentially malicious activities on an endpoint. data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) diff --git a/detections/endpoint/windows_hidden_schedule_task_settings.yml b/detections/endpoint/windows_hidden_schedule_task_settings.yml index 8ec8fddb6f..a3ece4ccf5 100644 --- a/detections/endpoint/windows_hidden_schedule_task_settings.yml +++ b/detections/endpoint/windows_hidden_schedule_task_settings.yml @@ -5,11 +5,7 @@ date: '2023-04-14' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following query utilizes Windows Security EventCode 4698, A scheduled - task was created, to identify suspicious tasks registered on Windows either via - schtasks.exe OR TaskService with a hidden settings that are unique entry of malware - like industroyer2 or attack that uses lolbin to download other file or payload to - the infected machine. +description: hidden settings. Such behavior is indicative of certain malware, such as Industroyer2, or attacks leveraging living-off-the-land binaries (LOLBINs) to download additional payloads to a compromised machine. This analytic relies on the Windows Security EventCode 4698, indicating the creation of a scheduled task. The search focuses on identifying instances where the 'Hidden' setting is enabled, signaling potential nefarious activity. To implement this search, you need to ingest logs with task scheduling details from your endpoints. As false positives are currently unknown, it is advised to tune and filter based on the known use of task scheduling in your environment. This analytic provides crucial visibility into stealthy, potentially harmful scheduled tasks on Windows systems. data_source: - Windows Security 4698 search: '`wineventlog_security` EventCode=4698 | xmlkv Message | search Hidden = true diff --git a/detections/endpoint/windows_powershell_scheduletask.yml b/detections/endpoint/windows_powershell_scheduletask.yml index 4b82a6ade4..8e257b9381 100644 --- a/detections/endpoint/windows_powershell_scheduletask.yml +++ b/detections/endpoint/windows_powershell_scheduletask.yml @@ -7,7 +7,7 @@ status: production type: Anomaly data_source: - Powershell 4104 -description: The following analytic aims to uncover anomalies indicative of potential malicious activities related to PowerShell's task scheduling cmdlets. Specifically, it scrutinizes EventCode 4104 in PowerShell logs, a code associated with script block logging. By seeking out key task-related cmdlets such as 'New-ScheduledTask', 'Set-ScheduledTask', and others, the analytic flags unusual or suspicious use patterns that could be emblematic of suspicious behavior. Analysts should be aware that perpetrators often leverage task scheduling for persistence and remote execution of malicious code. +description: The following analytic detects potential malicious activities related to PowerShell's task scheduling cmdlets. It looks for anomalies in PowerShell logs, specifically EventCode 4104, associated with script block logging. The analytic flags unusual or suspicious use patterns of key task-related cmdlets such as 'New-ScheduledTask', 'Set-ScheduledTask', and others, which are often used by attackers for persistence and remote execution of malicious code. If a true positive is found, it suggests an possible attacker is attempting to persist within the environment or potentially deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes. To implement this analytic, PowerShell Script Block Logging needs to be enabled on some or all endpoints. Analysts should be aware of benign administrative tasks that can trigger alerts and tune the analytic accordingly to reduce false positives. Upon triage, review the PowerShell search: '`powershell` EventCode=4104 ScriptBlockText IN ("*New-ScheduledTask*", "*New-ScheduledTaskAction*", "*New-ScheduledTaskSettingsSet*", "*New-ScheduledTaskTrigger*", "*Register-ClusteredScheduledTask*", "*Register-ScheduledTask*", "*Set-ClusteredScheduledTask*", "*Set-ScheduledTask*", "*Start-ScheduledTask*", "*Enable-ScheduledTask*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` diff --git a/detections/endpoint/windows_registry_delete_task_sd.yml b/detections/endpoint/windows_registry_delete_task_sd.yml index 1943e88045..52f1c0ac51 100644 --- a/detections/endpoint/windows_registry_delete_task_sd.yml +++ b/detections/endpoint/windows_registry_delete_task_sd.yml @@ -11,6 +11,7 @@ description: The following analytic identifies a process attempting to delete a behavior will remove the actual Task Name from the Task Scheduler GUI and from the command-line query - schtasks.exe /query. In addition, in order to perform this action, the user context will need to be SYSTEM. + Identifying the deletion of a scheduled task's Security Descriptor from the registry is significant for a SOC as it may indicate malicious activity attempting to remove evidence of a scheduled task, potentially for defense evasion purposes. If a true positive is detected, it suggests an attacker with privileged access attempting to remove traces of their activities, which can have a significant impact on the security and functionality of affected systems. Immediate investigation and response are required to mitigate further risks and preserve the integrity of the environment. data_source: - Sysmon Event ID 13 search: '| tstats `security_content_summariesonly` count from datamodel=Endpoint.Registry diff --git a/detections/endpoint/windows_scheduled_task_created_via_xml.yml b/detections/endpoint/windows_scheduled_task_created_via_xml.yml index 5dd574b38e..ea5aae3439 100644 --- a/detections/endpoint/windows_scheduled_task_created_via_xml.yml +++ b/detections/endpoint/windows_scheduled_task_created_via_xml.yml @@ -7,7 +7,9 @@ status: production type: TTP data_source: - Sysmon Event ID 1 -description: The following analytic identifies the creation of a scheduled task using schtasks.exe, with the flags -create being passed on the command-line along with an XML parameter. This technique has been associated with threat actors, adversaries, and red teamers seeking to gain persistence or achieve privilege escalation on targeted hosts. Notably, the Trickbot and Winter-Vivern malware have been observed employing this method, utilizing an XML file to create scheduled tasks. It is important to monitor and investigate such activity in order to mitigate potential security risks. +description: The following analytic detects the creation of suspicious scheduled tasks in Windows, specifically tasks created using schtasks.exe with the -create flag and an XML parameter in the command-line. This technique is commonly employed by threat actors, adversaries, and red teamers to establish persistence or achieve privilege escalation on targeted hosts. Notably, malware like Trickbot and Winter-Vivern have been observed using XML files to create scheduled tasks. Monitoring and investigating this activity is crucial to mitigate potential security risks. It is important to be aware that scripts or administrators may trigger this analytic, leading to potential false positives. To minimize false positives, adjust the filter based on the parent process or application. + + When a true positive is detected, it suggests an attacker's attempt to gain persistence or execute additional malicious payloads, potentially resulting in data theft, ransomware, or other damaging outcomes. During triage, review the source of the scheduled task, the command to be executed, and capture any relevant on-disk artifacts. Analyze concurrent processes to identify the source of the attack. This analytic enables analysts to detect and respond to potential threats early, mitigating the associated risks effectively. search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe Processes.process=*create* Processes.process="* /xml *" by Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_guid Processes.process_id Processes.parent_process_guid Processes.dest diff --git a/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml b/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml index c8efffe0ee..455b74e9f3 100644 --- a/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml +++ b/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml @@ -5,13 +5,9 @@ date: '2023-01-26' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic identifies Schtasks.exe creating a new task with - highest privilege execution. This techniques was seen in asyncrat where it uses - the scheduled task as part of it persistence and privilege escalation. AsyncRAT - will setup a scheduled task with parameter '/rl' and 'highest' to trigger this technique. - This TTP detection can be a good indicator of malware or adversaries trying to gain - persistence and privilege escalation through scheduled task. We recommend to always - check and monitoring this type of events even filtering is needed. +description: The following analytic detects the creation of a new task with the highest execution privilege via Schtasks.exe. This tactic is often observed in AsyncRAT attacks, where the scheduled task is used for persistence and privilege escalation. AsyncRAT sets up a scheduled task with parameters '/rl' and 'highest', triggering this technique. It's a strong indicator of potential malware or adversaries seeking to establish persistence and escalate privileges through scheduled tasks. This is crucial for a Security Operations Center (SOC) as it can prevent unauthorized system access and potential data breaches. + + The analytic works by monitoring logs for process name, parent process, and command-line executions. In the presence of the '*/rl ' and ' highest *' commands in a schtasks.exe process, an alert is triggered. data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -24,9 +20,7 @@ how_to_implement: To successfully implement this search, you need to be ingestin logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of wermgr.exe may be used. -known_false_positives: False positives will be limited to legitimate applications - creating a task to run as SYSTEM. Filter as needed based on parent process, or modify - the query to have world writeable paths to restrict it. +known_false_positives: False positives may arise from legitimate applications that create tasks to run as SYSTEM. Therefore, it's recommended to adjust filters based on parent process or modify the query to include world writable paths for restriction. references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat tags: diff --git a/detections/endpoint/windows_schtasks_create_run_as_system.yml b/detections/endpoint/windows_schtasks_create_run_as_system.yml index a8bb5fea20..b6c817ed84 100644 --- a/detections/endpoint/windows_schtasks_create_run_as_system.yml +++ b/detections/endpoint/windows_schtasks_create_run_as_system.yml @@ -5,9 +5,7 @@ date: '2022-02-07' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies Schtasks.exe creating a new task to - start and run as an elevated user - SYSTEM. This is commonly used by adversaries - to spawn a process in an elevated state. +description: The following analytic identifies the creation of a new task to start and run as an elevated user - SYSTEM using Schtasks.exe. This behavior is commonly used by adversaries to spawn a process in an elevated state. If a true positive is found, it suggests an attacker is attempting to persist within the environment or potentially deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes. To implement this analytic, ensure you are ingesting information on processes that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. False positives will be limited to legitimate applications creating a task to run as SYSTEM. Filter as needed based on parent process, or modify the query to have world writeable paths to restrict it. Upon triage, review the scheduled task's source and the command to be executed. Capture and inspect any relevant on-disk artifacts, and look for concurrent processes to identify the attack source. This approach helps analysts detect potential threats earlier and mitigate the risks. data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) diff --git a/detections/endpoint/winevent_scheduled_task_created_to_spawn_shell.yml b/detections/endpoint/winevent_scheduled_task_created_to_spawn_shell.yml index 0cb150a62a..50d0fc36bc 100644 --- a/detections/endpoint/winevent_scheduled_task_created_to_spawn_shell.yml +++ b/detections/endpoint/winevent_scheduled_task_created_to_spawn_shell.yml @@ -6,19 +6,13 @@ author: Michael Haag, Splunk status: production type: TTP datamodel: [] -description: The following query utilizes Windows Security EventCode 4698, `A scheduled - task was created`, to identify suspicious tasks registered on Windows either via - schtasks.exe OR TaskService with a command to be executed with a native Windows - shell (PowerShell, Cmd, Wscript, Cscript).\ The search will return the first time - and last time the task was registered, as well as the `Command` to be executed, - `Task Name`, `Author`, `Enabled`, and whether it is `Hidden` or not.\ schtasks.exe - is natively found in `C:\Windows\system32` and `C:\Windows\syswow64`.\ The following - DLL(s) are loaded when schtasks.exe or TaskService is launched -`taskschd.dll`. - If found loaded by another process, it is possible a scheduled task is being registered - within that process context in memory.\ Upon triage, identify the task scheduled - source. Was it schtasks.exe or via TaskService? Review the job created and the Command - to be executed. Capture any artifacts on disk and review. Identify any parallel - processes within the same timeframe to identify source. +description: The following query utilizes Windows Security EventCode 4698, indicating 'a scheduled task was created', to identify potentially suspicious tasks. These tasks may be registered on Windows through either schtasks.exe or TaskService, and are set up to execute a command with a native Windows shell such as PowerShell, Cmd, Wscript, or Cscript. + + The search will return the initial and final times the task was registered, along with details like the 'Command' set to be executed, 'Task Name', 'Author', whether it's 'Enabled', and if it is 'Hidden'. + + Schtasks.exe is typically found in C:\Windows\system32 and C:\Windows\syswow64. The DLL 'taskschd.dll' is loaded when either schtasks.exe or TaskService is launched. If this DLL is found loaded by another process, it's possible that a scheduled task is being registered within the context of that process in memory. + + During triage, it's essential to identify the source of the scheduled task. Was it registered via schtasks.exe or TaskService? Review the job that was created and the command set to be executed. It's also recommended to capture and review any artifacts on disk, and identify any parallel processes within the same timeframe to locate the source. data_source: - Windows Security 4698 search: '`wineventlog_security` EventCode=4698 | xmlkv Message | search Command IN diff --git a/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml b/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml index 04fa658c62..cc6215ce95 100644 --- a/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml +++ b/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml @@ -6,19 +6,12 @@ author: Michael Haag, Splunk status: production type: TTP datamodel: [] -description: The following query utilizes Windows Security EventCode 4698, `A scheduled - task was created`, to identify suspicious tasks registered on Windows either via - schtasks.exe OR TaskService with a command to be executed from a user writeable - file path.\ The search will return the first time and last time the task was registered, - as well as the `Command` to be executed, `Task Name`, `Author`, `Enabled`, and whether - it is `Hidden` or not.\ schtasks.exe is natively found in `C:\Windows\system32` - and `C:\Windows\syswow64`.\ The following DLL(s) are loaded when schtasks.exe or - TaskService is launched -`taskschd.dll`. If found loaded by another process, it - is possible a scheduled task is being registered within that process context in - memory.\ Upon triage, identify the task scheduled source. Was it schtasks.exe or - was it via TaskService. Review the job created and the Command to be executed. Capture - any artifacts on disk and review. Identify any parallel processes within the same - timeframe to identify source. +description: The following analytic utilizes Windows Security EventCode 4698, which indicates the creation of a scheduled task on a Windows system. The purpose of this query is to identify suspicious tasks that have been registered using either schtasks.exe or TaskService and involve executing a command from a user-writable file path. + When this analytic is triggered, it provides information such as the first and last registration time of the task, the command to be executed, the task name, author, and whether it is set as hidden or not. It is worth noting that schtasks.exe is commonly located in C:\Windows\system32 and C:\Windows\syswow64, and it loads the taskschd.dll DLL when launched. If this DLL is loaded by another process, it suggests that a scheduled task may be registered within that process's context in memory. + + During the triage process, it is essential to identify the source of the scheduled task creation, whether it was initiated through schtasks.exe or TaskService. The analyst should review the task that was created, including the command to be executed. Additionally, any artifacts on disk related to the task should be captured and analyzed. It is also recommended to identify any parallel processes that occurred within the same timeframe to determine the source of the task creation. + + By conducting this triage process, security analysts can gain insights into potentially malicious or suspicious scheduled tasks, helping them identify the source and assess the impact of the task. This analytic is valuable for a Security Operations Center (SOC) as it can detect unauthorized or suspicious activity that could indicate an attacker's attempt to establish persistence or execute unauthorized commands on the system. data_source: - Windows Security 4698 search: '`wineventlog_security` EventCode=4698 | xmlkv Message | search Command IN diff --git a/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml b/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml index c06842ca8c..376c9a6d68 100644 --- a/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml +++ b/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml @@ -5,14 +5,15 @@ date: '2023-04-05' author: Michael Haag, Splunk status: production type: Hunting -description: The following hunting analytic assists with identifying suspicious tasks - that have been registered and ran in Windows using EventID 200 (action run) and - 201 (action completed). It is recommended to filter based on ActionName by specifying - specific paths not used in your environment. After some basic tuning, this may be - effective in capturing evasive ways to register tasks on Windows. Review parallel - events related to tasks being scheduled. EventID 106 will generate when a new task - is generated, however, that does not mean it ran. Capture any files on disk and - analyze. +description: The following hunting analytic aims to identify suspicious tasks that have been registered and executed in Windows using EventID 200 (action run) and 201 (action completed) from the Windows Task Scheduler logs. This analytic helps detect evasive techniques used to register tasks on Windows systems. It is recommended to filter the results based on the ActionName field by specifying specific paths that are not commonly used in your environment. + + After implementing this analytic, it is important to review parallel events related to the scheduled tasks. EventID 106 will be generated when a new task is created, but it does not necessarily mean that the task has been executed. Analysts should capture any files on disk associated with the task and perform further analysis. + + To implement this analytic, Task Scheduler logs must be collected. This can be done by adding a stanza for [WinEventLog://Microsoft-Windows-TaskScheduler/Operational] in the inputs.conf file and setting renderXml=false. It is worth noting that not translating the logs into XML may require specific extraction of items from the Message field. + + False positives are expected with this analytic, so it is important to filter the results based on the paths or specific keywords of interest in the ActionName field to reduce noise. + + Identifying and analyzing scheduled tasks that have been executed is crucial for a Security Operations Center (SOC) as it helps detect potentially malicious or unauthorized activities on Windows systems. By capturing and investigating the associated events, analysts can uncover signs of persistence mechanisms, unauthorized code execution, or suspicious behaviors. The impact of a true positive could range from unauthorized access to data exfiltration or the execution of malicious payloads. data_source: [] search: '`wineventlog_task_scheduler` EventCode IN ("200","201") | rename ComputerName as dest | stats count min(_time) as firstTime max(_time) as lastTime by Message diff --git a/dev/endpoint/linux_possible_append_command_to_at_allow_config_file.yml b/dev/endpoint/linux_possible_append_command_to_at_allow_config_file.yml index 65bfe8cd76..694b56c795 100644 --- a/dev/endpoint/linux_possible_append_command_to_at_allow_config_file.yml +++ b/dev/endpoint/linux_possible_append_command_to_at_allow_config_file.yml @@ -5,14 +5,9 @@ date: '2022-05-26' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: This analytic looks for suspicious commandline that may use to append - user entry to /etc/at.allow or /etc/at.deny. These 2 files are commonly abused by - malware, adversaries or red teamers to persist on the targeted or compromised host. - These config file can restrict user that can only execute at application (another - schedule task application in linux). attacker can create a user or add the compromised - username to that config file to execute at to schedule it malicious code. This anomaly - detection can be a good indicator to investigate further the entry in created config - file and who created it to verify if it is a false positive. +description: The following analytic is designed to identify suspicious command lines that may append user entries to either /etc/at.allow or /etc/at.deny. These files can be exploited by malicious actors for persistence on a compromised Linux host by altering permissions for scheduled tasks using the at command. + + In this context, an attacker can create a user or add an existing user to these configuration files to execute their malicious code through scheduled tasks. The detection of such anomalous behavior can serve as an effective indicator warranting further investigation to validate if the activity is indeed malicious or a false positive. data_source: - Sysmon Event ID 1 search: @@ -27,8 +22,7 @@ how_to_implement: To successfully implement this search, you need to be ingestin logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. -known_false_positives: Administrator or network operator can use this commandline - for automation purposes. Please update the filter macros to remove false positives. +known_false_positives: False positives may occur when administrators or network operators use similar command lines for legitimate automation purposes. Therefore, it is recommended to update filter macros to reduce such instances. references: - https://linuxize.com/post/at-command-in-linux/ - https://attack.mitre.org/techniques/T1053/001/ From 2b38671d46fbc4a6ee67c25408e0c1abd33a3830 Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Thu, 22 Jun 2023 16:14:18 -0700 Subject: [PATCH 4/6] new_line_backslash --- .../linux_at_allow_config_file_creation.yml | 2 +- .../linux_at_application_execution.yml | 4 ++-- .../linux_edit_cron_table_parameter.yml | 8 ++++---- ..._cronjob_entry_on_existing_cronjob_file.yml | 4 ++-- ...ssible_cronjob_modification_with_editor.yml | 8 ++++---- ...rvice_file_created_in_systemd_directory.yml | 2 +- .../endpoint/linux_service_restarted.yml | 5 +++-- ...sible_lateral_movement_powershell_spawn.yml | 2 +- ...hedule_task_with_http_command_arguments.yml | 6 +++--- ...dule_task_with_rundll32_command_trigger.yml | 6 +++--- ...sk_creation_on_remote_endpoint_using_at.yml | 2 +- ...heduled_task_deleted_or_created_via_cmd.yml | 3 ++- .../endpoint/short_lived_scheduled_task.yml | 6 +++--- ...us_scheduled_task_from_public_directory.yml | 2 +- .../windows_hidden_schedule_task_settings.yml | 2 +- .../windows_powershell_scheduletask.yml | 2 +- .../windows_registry_delete_task_sd.yml | 2 +- .../windows_scheduled_task_created_via_xml.yml | 2 +- ..._scheduled_task_with_highest_privileges.yml | 2 +- .../windows_schtasks_create_run_as_system.yml | 2 +- ...t_scheduled_task_created_to_spawn_shell.yml | 6 +++--- ...heduled_task_created_within_public_path.yml | 9 +++++---- ...ows_task_scheduler_event_action_started.yml | 8 ++++---- stories/scheduled_tasks.yml | 18 ++++++++++-------- 24 files changed, 59 insertions(+), 54 deletions(-) diff --git a/detections/endpoint/linux_at_allow_config_file_creation.yml b/detections/endpoint/linux_at_allow_config_file_creation.yml index f07b2349ea..60f7d65ee9 100644 --- a/detections/endpoint/linux_at_allow_config_file_creation.yml +++ b/detections/endpoint/linux_at_allow_config_file_creation.yml @@ -5,7 +5,7 @@ date: '2021-12-17' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the creation of suspicious configuration files, /etc/at.allow or /etc/at.deny, in Linux. These files are commonly abused by malware, adversaries, or red teamers to establish persistence on compromised hosts. The configuration files determine which users are allowed to execute the "at" application, which is used for scheduling tasks in Linux. Attackers can add their user or a compromised username to these files to execute malicious code using "at." It's important to consider potential false positives as administrators or network operators may create these files for legitimate automation purposes. Adjust the filter macros to minimize false positives. +description: The following analytic detects the creation of suspicious configuration files, /etc/at.allow or /etc/at.deny, in Linux. These files are commonly abused by malware, adversaries, or red teamers to establish persistence on compromised hosts. The configuration files determine which users are allowed to execute the "at" application, which is used for scheduling tasks in Linux. Attackers can add their user or a compromised username to these files to execute malicious code using "at." It's important to consider potential false positives as administrators or network operators may create these files for legitimate automation purposes. Adjust the filter macros to minimize false positives.\ Identifying the creation of these configuration files is valuable for a SOC as it indicates potential unauthorized activities or an attacker attempting to establish persistence. If a true positive is found, further investigation is necessary to examine the contents of the created configuration file and determine the source of creation. The impact of a true positive can vary but could result in unauthorized execution of malicious code, data theft, or other detrimental consequences. Analysts should review the file path, creation time, and associated processes to assess the extent of the attack and initiate appropriate response actions. data_source: diff --git a/detections/endpoint/linux_at_application_execution.yml b/detections/endpoint/linux_at_application_execution.yml index d79f29a79a..860e22b911 100644 --- a/detections/endpoint/linux_at_application_execution.yml +++ b/detections/endpoint/linux_at_application_execution.yml @@ -5,9 +5,9 @@ date: '2022-05-26' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the execution of the "At" application in Linux, which can be used by attackers to create persistence entries on a compromised host. The "At" application can be used for automation purposes by administrators or network operators, so the filter macros should be updated to remove false positives. If a true positive is found, it suggests an attacker is trying to maintain access to the environment or potentially deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes. To implement this analytic, ensure you are ingesting logs with the required fields from your endpoints into the Endpoint datamodel. When a true positive is detected, it suggests that an attacker is attempting to establish persistence or deliver additional malicious payloads by leveraging the "At" application. This behavior can lead to data theft, ransomware attacks, or other damaging outcomes. +description: The following analytic detects the execution of the "At" application in Linux, which can be used by attackers to create persistence entries on a compromised host. The "At" application can be used for automation purposes by administrators or network operators, so the filter macros should be updated to remove false positives. If a true positive is found, it suggests an attacker is trying to maintain access to the environment or potentially deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes. To implement this analytic, ensure you are ingesting logs with the required fields from your endpoints into the Endpoint datamodel. When a true positive is detected, it suggests that an attacker is attempting to establish persistence or deliver additional malicious payloads by leveraging the "At" application. This behavior can lead to data theft, ransomware attacks, or other damaging outcomes.\ - During triage, the SOC analyst should review the context surrounding the execution of the "At" application. This includes identifying the user, the parent process responsible for invoking the application, and the specific command-line arguments used. It is important to consider whether the execution is expected behavior by an administrator or network operator for legitimate automation purposes. + During triage, the SOC analyst should review the context surrounding the execution of the "At" application. This includes identifying the user, the parent process responsible for invoking the application, and the specific command-line arguments used. It is important to consider whether the execution is expected behavior by an administrator or network operator for legitimate automation purposes.\ The presence of "At" application execution may indicate an attacker's attempt to maintain unauthorized access to the environment. Immediate investigation and response are necessary to mitigate further risks, identify the attacker's intentions, and prevent potential harm to the organization. data_source: diff --git a/detections/endpoint/linux_edit_cron_table_parameter.yml b/detections/endpoint/linux_edit_cron_table_parameter.yml index 4949118f79..a426c53022 100644 --- a/detections/endpoint/linux_edit_cron_table_parameter.yml +++ b/detections/endpoint/linux_edit_cron_table_parameter.yml @@ -5,13 +5,13 @@ date: '2021-12-17' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic detects the suspicious editing of cron jobs in Linux via the crontab command-line parameter. This tactic could be used by adversaries or malware to schedule execution of their malicious code, potentially leading to system compromise or unauthorized persistent access. It pinpoints this activity by monitoring command-line executions involving 'crontab' and the edit parameter (-e). +description: The following analytic detects the suspicious editing of cron jobs in Linux via the crontab command-line parameter. This tactic could be used by adversaries or malware to schedule execution of their malicious code, potentially leading to system compromise or unauthorized persistent access. It pinpoints this activity by monitoring command-line executions involving 'crontab' and the edit parameter (-e).\ - Recognizing such activity is vital for a SOC as cron job manipulations might signal unauthorized persistence attempts or scheduled malicious actions, potentially resulting in substantial harm. A true positive signifies an active threat, with implications ranging from unauthorized access to broader network compromise. + Recognizing such activity is vital for a SOC as cron job manipulations might signal unauthorized persistence attempts or scheduled malicious actions, potentially resulting in substantial harm. A true positive signifies an active threat, with implications ranging from unauthorized access to broader network compromise.\ - To implement this analytic, logs capturing process name, parent process, and command-line executions from your endpoints must be ingested. + To implement this analytic, logs capturing process name, parent process, and command-line executions from your endpoints must be ingested.\ - Known false positives could stem from valid administrative tasks or automation processes using crontab. To reduce these, fine-tune the filter macros according to the benign activities within your environment. These adjustments ensure legitimate actions aren't mistaken for threats, allowing analysts to focus on genuine potential risks. + Known false positives could stem from valid administrative tasks or automation processes using crontab. To reduce these, fine-tune the filter macros according to the benign activities within your environment. These adjustments ensure legitimate actions aren't mistaken for threats, allowing analysts to focus on genuine potential risks.\ data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) diff --git a/detections/endpoint/linux_possible_append_cronjob_entry_on_existing_cronjob_file.yml b/detections/endpoint/linux_possible_append_cronjob_entry_on_existing_cronjob_file.yml index b8a98a81b9..0df7fc5f30 100644 --- a/detections/endpoint/linux_possible_append_cronjob_entry_on_existing_cronjob_file.yml +++ b/detections/endpoint/linux_possible_append_cronjob_entry_on_existing_cronjob_file.yml @@ -5,9 +5,9 @@ date: '2021-12-17' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic is designed to detect potential tampering with cronjob files on a Linux system. It specifically searches for command lines that may be used to append code to existing cronjob files, a technique often employed by adversaries, malware, and red teamers for persistence or privilege escalation. Altering existing or sometimes normal cronjob script files allows malicious code to be executed automatically. +description: The following analytic is designed to detect potential tampering with cronjob files on a Linux system. It specifically searches for command lines that may be used to append code to existing cronjob files, a technique often employed by adversaries, malware, and red teamers for persistence or privilege escalation. Altering existing or sometimes normal cronjob script files allows malicious code to be executed automatically.\ - The analytic operates by monitoring logs for specific process names, parent processes, and command-line executions from your endpoints. It specifically checks for any 'echo' command which modifies files in directories commonly associated with cron jobs such as '/etc/cron*', '/var/spool/cron/', and '/etc/anacrontab'. If such activity is detected, an alert is triggered. + The analytic operates by monitoring logs for specific process names, parent processes, and command-line executions from your endpoints. It specifically checks for any 'echo' command which modifies files in directories commonly associated with cron jobs such as '/etc/cron*', '/var/spool/cron/', and '/etc/anacrontab'. If such activity is detected, an alert is triggered.\ This behavior is worth identifying for a SOC because malicious cron jobs can lead to system compromises and unauthorized data access, impacting business operations and data integrity. data_source: diff --git a/detections/endpoint/linux_possible_cronjob_modification_with_editor.yml b/detections/endpoint/linux_possible_cronjob_modification_with_editor.yml index 9c47f8f129..959cdb9076 100644 --- a/detections/endpoint/linux_possible_cronjob_modification_with_editor.yml +++ b/detections/endpoint/linux_possible_cronjob_modification_with_editor.yml @@ -5,12 +5,12 @@ date: '2021-12-17' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic detects potential unauthorized modifications to Linux cronjobs using text editors like "nano", "vi" or "vim". It identifies this behavior by tracking command-line executions that interact with paths related to cronjob configuration, a common Linux scheduling utility. Cronjob files may be manipulated by attackers for privilege escalation or persistent access, making such changes critical to monitor. - The identified behavior is significant for a Security Operations Center (SOC) as it could indicate an ongoing attempt at establishing persistent access or privilege escalation, leading to data breaches, system compromise, or other malicious activities. +description: The following analytic detects potential unauthorized modifications to Linux cronjobs using text editors like "nano", "vi" or "vim". It identifies this behavior by tracking command-line executions that interact with paths related to cronjob configuration, a common Linux scheduling utility. Cronjob files may be manipulated by attackers for privilege escalation or persistent access, making such changes critical to monitor.\ + The identified behavior is significant for a Security Operations Center (SOC) as it could indicate an ongoing attempt at establishing persistent access or privilege escalation, leading to data breaches, system compromise, or other malicious activities.\ - In case of a true positive, the impact could be severe. An attacker with escalated privileges or persistent access could carry out damaging actions, such as data theft, sabotage, or further network penetration. + In case of a true positive, the impact could be severe. An attacker with escalated privileges or persistent access could carry out damaging actions, such as data theft, sabotage, or further network penetration.\ - To implement this analytic, ensure ingestion of logs tracking process name, parent process, and command-line executions from your endpoints. Utilize the Add-on for Linux Sysmon from Splunkbase if you're using Sysmon. + To implement this analytic, ensure ingestion of logs tracking process name, parent process, and command-line executions from your endpoints. Utilize the Add-on for Linux Sysmon from Splunkbase if you're using Sysmon.\ Known false positives include legitimate administrative tasks, as these commands may also be used for benign purposes. Careful tuning and filtering based on known benign activity in your environment can minimize these instances. data_source: diff --git a/detections/endpoint/linux_service_file_created_in_systemd_directory.yml b/detections/endpoint/linux_service_file_created_in_systemd_directory.yml index f5007f7b49..833076d75f 100644 --- a/detections/endpoint/linux_service_file_created_in_systemd_directory.yml +++ b/detections/endpoint/linux_service_file_created_in_systemd_directory.yml @@ -5,7 +5,7 @@ date: '2021-12-20' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic is designed to detect suspicious file creation within the systemd timer directory on Linux platforms. Systemd is a system and service manager for Linux, similar to the combination of wininit.exe and services.exe on Windows. This process initializes a Linux system and starts defined services in unit files. Malicious actors, such as adversaries, malware, or red teamers, can exploit this feature by embedding a systemd service file for persistence on the targeted or compromised host. +description: The following analytic is designed to detect suspicious file creation within the systemd timer directory on Linux platforms. Systemd is a system and service manager for Linux, similar to the combination of wininit.exe and services.exe on Windows. This process initializes a Linux system and starts defined services in unit files. Malicious actors, such as adversaries, malware, or red teamers, can exploit this feature by embedding a systemd service file for persistence on the targeted or compromised host.\ The analytic works by monitoring logs with file name, file path, and process GUID data from your endpoints. If a .service file is created in certain systemd directories, the analytic triggers an alert. This behavior is significant for a Security Operations Center (SOC) as it may indicate a persistent threat within the network, with a potential impact of system compromise or data exfiltration. data_source: diff --git a/detections/endpoint/linux_service_restarted.yml b/detections/endpoint/linux_service_restarted.yml index 856cfb8479..b9f0b94f2a 100644 --- a/detections/endpoint/linux_service_restarted.yml +++ b/detections/endpoint/linux_service_restarted.yml @@ -5,8 +5,9 @@ date: '2023-04-14' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the restarting or re-enabling of services in the Linux platform. It focuses on the use of the systemctl or service tools for executing these actions. Adversaries may leverage this technique to repeatedly execute malicious payloads as a form of persistence. Linux hosts typically start services during boot to perform background system functions. However, administrators may also create legitimate services for specific tools or applications as part of task automation. In such cases, it is recommended to verify the service path of the registered script or executable and identify the creator of the service for further validation. - It's important to be aware that this analytic may generate false positives as administrators or network operators may use the same command-line for legitimate automation purposes. Filter macros should be updated accordingly to minimize false positives. +description: The following analytic detects the restarting or re-enabling of services in the Linux platform. It focuses on the use of the systemctl or service tools for executing these actions. Adversaries may leverage this technique to repeatedly execute malicious payloads as a form of persistence. Linux hosts typically start services during boot to perform background system functions. However, administrators may also create legitimate services for specific tools or applications as part of task automation. In such cases, it is recommended to verify the service path of the registered script or executable and identify the creator of the service for further validation.\ + + It's important to be aware that this analytic may generate false positives as administrators or network operators may use the same command-line for legitimate automation purposes. Filter macros should be updated accordingly to minimize false positives.\ Identifying restarted or re-enabled services is valuable for a SOC as it can indicate potential malicious activities attempting to maintain persistence or execute unauthorized actions on Linux systems. By detecting and investigating these events, security analysts can respond promptly to mitigate risks and prevent further compromise. The impact of a true positive can range from unauthorized access to data destruction or other damaging outcomes. data_source: diff --git a/detections/endpoint/possible_lateral_movement_powershell_spawn.yml b/detections/endpoint/possible_lateral_movement_powershell_spawn.yml index 903577cce8..1adcaca163 100644 --- a/detections/endpoint/possible_lateral_movement_powershell_spawn.yml +++ b/detections/endpoint/possible_lateral_movement_powershell_spawn.yml @@ -5,7 +5,7 @@ date: '2023-04-14' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic is designed to identify possible lateral movement attacks that involve the spawning of a PowerShell process as a child or grandchild process of commonly abused processes. These processes include services.exe, wmiprsve.exe, svchost.exe, wsmprovhost.exe, and mmc.exe. +description: The following analytic is designed to identify possible lateral movement attacks that involve the spawning of a PowerShell process as a child or grandchild process of commonly abused processes. These processes include services.exe, wmiprsve.exe, svchost.exe, wsmprovhost.exe, and mmc.exe.\ Such behavior is indicative of legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management, and the DCOM protocol being abused to start a process on a remote endpoint. This behavior is often seen during lateral movement techniques where adversaries or red teams abuse these services for lateral movement and remote code execution. data_source: diff --git a/detections/endpoint/schedule_task_with_http_command_arguments.yml b/detections/endpoint/schedule_task_with_http_command_arguments.yml index 1160a511c9..0d58bf808f 100644 --- a/detections/endpoint/schedule_task_with_http_command_arguments.yml +++ b/detections/endpoint/schedule_task_with_http_command_arguments.yml @@ -5,11 +5,11 @@ date: '2023-04-05' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the registration of suspicious tasks on Windows using the Windows Security EventCode 4698, "A scheduled task was created." It specifically looks for tasks registered through schtasks.exe or TaskService that have command arguments containing the string "HTTP." This behavior is often associated with malware or attacks that utilize Living off the Land binaries (lolbins) to download additional files or payloads to the compromised machine. +description: The following analytic detects the registration of suspicious tasks on Windows using the Windows Security EventCode 4698, "A scheduled task was created." It specifically looks for tasks registered through schtasks.exe or TaskService that have command arguments containing the string "HTTP." This behavior is often associated with malware or attacks that utilize Living off the Land binaries (lolbins) to download additional files or payloads to the compromised machine.\ - The search returns information about the task, such as the task name, command, author, enabled status, hidden status, and arguments. Upon triage, it is important to identify the source of the scheduled task, whether it was registered through schtasks.exe or TaskService. Review the details of the created task and the command to be executed. Capture relevant artifacts on disk and examine them. Additionally, identify any parallel processes occurring within the same timeframe to determine the source of the attack. + The search returns information about the task, such as the task name, command, author, enabled status, hidden status, and arguments. Upon triage, it is important to identify the source of the scheduled task, whether it was registered through schtasks.exe or TaskService. Review the details of the created task and the command to be executed. Capture relevant artifacts on disk and examine them. Additionally, identify any parallel processes occurring within the same timeframe to determine the source of the attack.\ - Implementing this analytic requires ingesting logs with information about task schedules, specifically Windows Security Log EventCode 4698, from your endpoints. It is recommended to tune and filter known instances of task schedules used in your environment to minimize false positives. + Implementing this analytic requires ingesting logs with information about task schedules, specifically Windows Security Log EventCode 4698, from your endpoints. It is recommended to tune and filter known instances of task schedules used in your environment to minimize false positives.\ Detecting the registration of suspicious tasks with HTTP command arguments is valuable for a SOC as it indicates potential malicious activity or an attempt to establish persistence on the system. If a true positive is found, further investigation is warranted to analyze the nature and purpose of the scheduled task, identify any downloaded files or payloads, and mitigate the associated risks. The impact of a true positive can vary but may include data exfiltration, malware propagation, or unauthorized access to sensitive information. data_source: diff --git a/detections/endpoint/schedule_task_with_rundll32_command_trigger.yml b/detections/endpoint/schedule_task_with_rundll32_command_trigger.yml index d0ddb06765..095c05e3bc 100644 --- a/detections/endpoint/schedule_task_with_rundll32_command_trigger.yml +++ b/detections/endpoint/schedule_task_with_rundll32_command_trigger.yml @@ -5,11 +5,11 @@ date: '2021-04-19' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the creation of suspicious tasks in Windows, specifically tasks using the rundll32 command. It's implemented using Windows Security EventCode 4698 for A scheduled task was created, and looks for tasks executed either via schtasks.exe or TaskService. This behavior is worth identifying as it is commonly used by malware, such as TrickBot, that leverages rundll32 to execute its downloader. +description: The following analytic detects the creation of suspicious tasks in Windows, specifically tasks using the rundll32 command. It's implemented using Windows Security EventCode 4698 for A scheduled task was created, and looks for tasks executed either via schtasks.exe or TaskService. This behavior is worth identifying as it is commonly used by malware, such as TrickBot, that leverages rundll32 to execute its downloader.\ - If a true positive is found, it suggests an attacker is trying to persist within the environment or potentially deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes. + If a true positive is found, it suggests an attacker is trying to persist within the environment or potentially deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes.\ - To implement this analytic, ensure you are ingesting logs with task schedule information from your endpoints. Be aware of potential false positives - legitimate uses of Task Scheduler in your environment may cause benign activities to be flagged. + To implement this analytic, ensure you are ingesting logs with task schedule information from your endpoints. Be aware of potential false positives - legitimate uses of Task Scheduler in your environment may cause benign activities to be flagged.\ Upon triage, review the scheduled task's source and the command to be executed. Capture and inspect any relevant on-disk artifacts, and look for concurrent processes to identify the attack source. This approach helps analysts detect potential threats earlier and mitigate the risks. data_source: diff --git a/detections/endpoint/scheduled_task_creation_on_remote_endpoint_using_at.yml b/detections/endpoint/scheduled_task_creation_on_remote_endpoint_using_at.yml index 3951396b6d..2c18760f2d 100644 --- a/detections/endpoint/scheduled_task_creation_on_remote_endpoint_using_at.yml +++ b/detections/endpoint/scheduled_task_creation_on_remote_endpoint_using_at.yml @@ -5,7 +5,7 @@ date: '2021-11-11' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic detects the creation of suspicious tasks on a remote Windows endpoint using the at.exe command with command-line arguments. This technique is commonly used by red teams and adversaries for lateral movement and remote code execution. The at.exe binary leverages the deprecated AT protocol, which may still work on previous versions of Windows. Attackers can enable this protocol on demand by modifying a system registry key. It is important to consider potential false positives. While administrators may create scheduled tasks on remote systems, this activity is typically limited to a small set of hosts or users. +description: The following analytic detects the creation of suspicious tasks on a remote Windows endpoint using the at.exe command with command-line arguments. This technique is commonly used by red teams and adversaries for lateral movement and remote code execution. The at.exe binary leverages the deprecated AT protocol, which may still work on previous versions of Windows. Attackers can enable this protocol on demand by modifying a system registry key. It is important to consider potential false positives. While administrators may create scheduled tasks on remote systems, this activity is typically limited to a small set of hosts or users.\ Identifying the creation of scheduled tasks on remote endpoints is crucial for a Security Operations Center (SOC) because it indicates potential unauthorized activity or an attacker attempting to establish persistence or execute malicious code. The impact of a true positive can be significant, leading to unauthorized access, data theft, or other damaging outcomes. During triage, investigate the source and purpose of the scheduled task, inspect relevant on-disk artifacts, and analyze concurrent processes to identify the extent of the attack and take appropriate response actions. data_source: diff --git a/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml b/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml index 9c3b8abe8a..11618648ba 100644 --- a/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml +++ b/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml @@ -5,7 +5,8 @@ date: '2023-04-05' author: Bhavin Patel, Splunk status: production type: TTP -description: The following analytic detects the creation or deletion of a scheduled task using the schtasks.exe command-line tool with the 'create' or 'delete' flags. This behavior has been associated with threat actors like Dragonfly and the SUNBURST attack against SolarWinds. It replaces the previous analytic related to "Scheduled Task used in BadRabbit Ransomware." +description: The following analytic detects the creation or deletion of a scheduled task using the schtasks.exe command-line tool with the 'create' or 'delete' flags. This behavior has been associated with threat actors like Dragonfly and the SUNBURST attack against SolarWinds. It replaces the previous analytic related to "Scheduled Task used in BadRabbit Ransomware."\ + Identifying the creation or deletion of scheduled tasks via the command line is significant for a SOC as it may indicate malicious activity, such as the establishment of persistence or unauthorized changes to critical systems. A true positive suggests potential compromise or an ongoing attack, highlighting the need for immediate investigation and response to mitigate the impact on the affected systems. data_source: - Sysmon Event ID 1 diff --git a/detections/endpoint/short_lived_scheduled_task.yml b/detections/endpoint/short_lived_scheduled_task.yml index d9645b348e..312e026365 100644 --- a/detections/endpoint/short_lived_scheduled_task.yml +++ b/detections/endpoint/short_lived_scheduled_task.yml @@ -5,11 +5,11 @@ date: '2021-12-03' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic utilizes Windows Security EventCode 4698, "A scheduled task was created," and EventCode 4699, "A scheduled task was deleted," to identify scheduled tasks that are created and deleted within a short time frame of less than 30 seconds. This behavior is indicative of a potential lateral movement attack where the Task Scheduler is abused to achieve code execution. Both red teams and adversaries may exploit the Task Scheduler for lateral movement and remote code execution. +description: The following analytic utilizes Windows Security EventCode 4698, "A scheduled task was created," and EventCode 4699, "A scheduled task was deleted," to identify scheduled tasks that are created and deleted within a short time frame of less than 30 seconds. This behavior is indicative of a potential lateral movement attack where the Task Scheduler is abused to achieve code execution. Both red teams and adversaries may exploit the Task Scheduler for lateral movement and remote code execution.\ - To implement this analytic, ensure that you are ingesting Windows Security Event Logs with EventCode 4698 enabled. Additionally, the Windows TA (Technology Add-on) is required to parse and extract the necessary information from the logs. + To implement this analytic, ensure that you are ingesting Windows Security Event Logs with EventCode 4698 enabled. Additionally, the Windows TA (Technology Add-on) is required to parse and extract the necessary information from the logs.\ - It's important to note that while uncommon, legitimate applications may create and delete scheduled tasks within a short duration. Analysts should filter the results based on the specific context and environment to reduce false positives. + It's important to note that while uncommon, legitimate applications may create and delete scheduled tasks within a short duration. Analysts should filter the results based on the specific context and environment to reduce false positives.\ Identifying short-lived scheduled tasks is valuable for a SOC as it can indicate malicious activities attempting to move laterally or execute unauthorized code on Windows systems. By detecting and investigating these events, security analysts can respond promptly to prevent further compromise and mitigate potential risks. The impact of a true positive could range from unauthorized access to data exfiltration or the execution of malicious payloads. data_source: diff --git a/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml b/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml index 3786991cbd..9c6c84890d 100644 --- a/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml +++ b/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml @@ -5,7 +5,7 @@ date: '2021-03-01' author: Michael Haag, Splunk status: production type: Anomaly -description: The following analytic, "Suspicious Scheduled Task from Public Directory", detects the registration of scheduled tasks aimed to execute a binary or script from public directories, a behavior often associated with malware deployment. It utilizes the Sysmon Event ID 1 data source, searching for instances where schtasks.exe is connected with the directories users\public, \programdata\, or \windows\temp and involves the /create command. +description: The following analytic, "Suspicious Scheduled Task from Public Directory", detects the registration of scheduled tasks aimed to execute a binary or script from public directories, a behavior often associated with malware deployment. It utilizes the Sysmon Event ID 1 data source, searching for instances where schtasks.exe is connected with the directories users\public, \programdata\, or \windows\temp and involves the /create command.\ The registration of such scheduled tasks in public directories could suggest that an attacker is trying to maintain persistence or execute malicious scripts. If confirmed as a true positive, this could lead to data compromise, unauthorized access, and potential lateral movement within the network. data_source: diff --git a/detections/endpoint/windows_hidden_schedule_task_settings.yml b/detections/endpoint/windows_hidden_schedule_task_settings.yml index a3ece4ccf5..0a72b26d9c 100644 --- a/detections/endpoint/windows_hidden_schedule_task_settings.yml +++ b/detections/endpoint/windows_hidden_schedule_task_settings.yml @@ -5,7 +5,7 @@ date: '2023-04-14' author: Teoderick Contreras, Splunk status: production type: TTP -description: hidden settings. Such behavior is indicative of certain malware, such as Industroyer2, or attacks leveraging living-off-the-land binaries (LOLBINs) to download additional payloads to a compromised machine. This analytic relies on the Windows Security EventCode 4698, indicating the creation of a scheduled task. The search focuses on identifying instances where the 'Hidden' setting is enabled, signaling potential nefarious activity. To implement this search, you need to ingest logs with task scheduling details from your endpoints. As false positives are currently unknown, it is advised to tune and filter based on the known use of task scheduling in your environment. This analytic provides crucial visibility into stealthy, potentially harmful scheduled tasks on Windows systems. +description: The following analytic detects creation of hidden scheculed tasks such that it this task is not visible on the UI. Such behavior is indicative of certain malware, such as Industroyer2, or attacks leveraging living-off-the-land binaries (LOLBINs) to download additional payloads to a compromised machine. This analytic relies on the Windows Security EventCode 4698, indicating the creation of a scheduled task. The search focuses on identifying instances where the 'Hidden' setting is enabled, signaling potential nefarious activity. To implement this search, you need to ingest logs with task scheduling details from your endpoints. As false positives are currently unknown, it is advised to tune and filter based on the known use of task scheduling in your environment. This analytic provides crucial visibility into stealthy, potentially harmful scheduled tasks on Windows systems. data_source: - Windows Security 4698 search: '`wineventlog_security` EventCode=4698 | xmlkv Message | search Hidden = true diff --git a/detections/endpoint/windows_powershell_scheduletask.yml b/detections/endpoint/windows_powershell_scheduletask.yml index 8e257b9381..3861d149f3 100644 --- a/detections/endpoint/windows_powershell_scheduletask.yml +++ b/detections/endpoint/windows_powershell_scheduletask.yml @@ -1,4 +1,4 @@ -name: 'Windows PowerShell ScheduleTask' +name: Windows PowerShell ScheduleTask id: ddf82fcb-e9ee-40e3-8712-a50b5bf323fc version: 1 date: '2023-06-12' diff --git a/detections/endpoint/windows_registry_delete_task_sd.yml b/detections/endpoint/windows_registry_delete_task_sd.yml index 52f1c0ac51..5d9e8429da 100644 --- a/detections/endpoint/windows_registry_delete_task_sd.yml +++ b/detections/endpoint/windows_registry_delete_task_sd.yml @@ -10,7 +10,7 @@ description: The following analytic identifies a process attempting to delete a occur from a non-standard process running and may not come from reg.exe. This particular behavior will remove the actual Task Name from the Task Scheduler GUI and from the command-line query - schtasks.exe /query. In addition, in order to perform this - action, the user context will need to be SYSTEM. + action, the user context will need to be SYSTEM.\ Identifying the deletion of a scheduled task's Security Descriptor from the registry is significant for a SOC as it may indicate malicious activity attempting to remove evidence of a scheduled task, potentially for defense evasion purposes. If a true positive is detected, it suggests an attacker with privileged access attempting to remove traces of their activities, which can have a significant impact on the security and functionality of affected systems. Immediate investigation and response are required to mitigate further risks and preserve the integrity of the environment. data_source: - Sysmon Event ID 13 diff --git a/detections/endpoint/windows_scheduled_task_created_via_xml.yml b/detections/endpoint/windows_scheduled_task_created_via_xml.yml index ea5aae3439..f9ce792f01 100644 --- a/detections/endpoint/windows_scheduled_task_created_via_xml.yml +++ b/detections/endpoint/windows_scheduled_task_created_via_xml.yml @@ -7,7 +7,7 @@ status: production type: TTP data_source: - Sysmon Event ID 1 -description: The following analytic detects the creation of suspicious scheduled tasks in Windows, specifically tasks created using schtasks.exe with the -create flag and an XML parameter in the command-line. This technique is commonly employed by threat actors, adversaries, and red teamers to establish persistence or achieve privilege escalation on targeted hosts. Notably, malware like Trickbot and Winter-Vivern have been observed using XML files to create scheduled tasks. Monitoring and investigating this activity is crucial to mitigate potential security risks. It is important to be aware that scripts or administrators may trigger this analytic, leading to potential false positives. To minimize false positives, adjust the filter based on the parent process or application. +description: The following analytic detects the creation of suspicious scheduled tasks in Windows, specifically tasks created using schtasks.exe with the -create flag and an XML parameter in the command-line. This technique is commonly employed by threat actors, adversaries, and red teamers to establish persistence or achieve privilege escalation on targeted hosts. Notably, malware like Trickbot and Winter-Vivern have been observed using XML files to create scheduled tasks. Monitoring and investigating this activity is crucial to mitigate potential security risks. It is important to be aware that scripts or administrators may trigger this analytic, leading to potential false positives. To minimize false positives, adjust the filter based on the parent process or application.\ When a true positive is detected, it suggests an attacker's attempt to gain persistence or execute additional malicious payloads, potentially resulting in data theft, ransomware, or other damaging outcomes. During triage, review the source of the scheduled task, the command to be executed, and capture any relevant on-disk artifacts. Analyze concurrent processes to identify the source of the attack. This analytic enables analysts to detect and respond to potential threats early, mitigating the associated risks effectively. search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes diff --git a/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml b/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml index 455b74e9f3..8d58aebdf3 100644 --- a/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml +++ b/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml @@ -5,7 +5,7 @@ date: '2023-01-26' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the creation of a new task with the highest execution privilege via Schtasks.exe. This tactic is often observed in AsyncRAT attacks, where the scheduled task is used for persistence and privilege escalation. AsyncRAT sets up a scheduled task with parameters '/rl' and 'highest', triggering this technique. It's a strong indicator of potential malware or adversaries seeking to establish persistence and escalate privileges through scheduled tasks. This is crucial for a Security Operations Center (SOC) as it can prevent unauthorized system access and potential data breaches. +description: The following analytic detects the creation of a new task with the highest execution privilege via Schtasks.exe. This tactic is often observed in AsyncRAT attacks, where the scheduled task is used for persistence and privilege escalation. AsyncRAT sets up a scheduled task with parameters '/rl' and 'highest', triggering this technique. It's a strong indicator of potential malware or adversaries seeking to establish persistence and escalate privileges through scheduled tasks. This is crucial for a Security Operations Center (SOC) as it can prevent unauthorized system access and potential data breaches.\ The analytic works by monitoring logs for process name, parent process, and command-line executions. In the presence of the '*/rl ' and ' highest *' commands in a schtasks.exe process, an alert is triggered. data_source: diff --git a/detections/endpoint/windows_schtasks_create_run_as_system.yml b/detections/endpoint/windows_schtasks_create_run_as_system.yml index b6c817ed84..b14fc05586 100644 --- a/detections/endpoint/windows_schtasks_create_run_as_system.yml +++ b/detections/endpoint/windows_schtasks_create_run_as_system.yml @@ -5,7 +5,7 @@ date: '2022-02-07' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies the creation of a new task to start and run as an elevated user - SYSTEM using Schtasks.exe. This behavior is commonly used by adversaries to spawn a process in an elevated state. If a true positive is found, it suggests an attacker is attempting to persist within the environment or potentially deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes. To implement this analytic, ensure you are ingesting information on processes that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. False positives will be limited to legitimate applications creating a task to run as SYSTEM. Filter as needed based on parent process, or modify the query to have world writeable paths to restrict it. Upon triage, review the scheduled task's source and the command to be executed. Capture and inspect any relevant on-disk artifacts, and look for concurrent processes to identify the attack source. This approach helps analysts detect potential threats earlier and mitigate the risks. +description: The following analytic identifies the creation of a new task to start and run as an elevated user - SYSTEM using Schtasks.exe. This behavior is commonly used by adversaries to spawn a process in an elevated state. If a true positive is found, it suggests an attacker is attempting to persist within the environment or potentially deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes. Upon triage, review the scheduled task's source and the command to be executed. Capture and inspect any relevant on-disk artifacts, and look for concurrent processes to identify the attack source. This approach helps analysts detect potential threats earlier and mitigate the risks. data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) diff --git a/detections/endpoint/winevent_scheduled_task_created_to_spawn_shell.yml b/detections/endpoint/winevent_scheduled_task_created_to_spawn_shell.yml index 50d0fc36bc..87713d65ec 100644 --- a/detections/endpoint/winevent_scheduled_task_created_to_spawn_shell.yml +++ b/detections/endpoint/winevent_scheduled_task_created_to_spawn_shell.yml @@ -6,11 +6,11 @@ author: Michael Haag, Splunk status: production type: TTP datamodel: [] -description: The following query utilizes Windows Security EventCode 4698, indicating 'a scheduled task was created', to identify potentially suspicious tasks. These tasks may be registered on Windows through either schtasks.exe or TaskService, and are set up to execute a command with a native Windows shell such as PowerShell, Cmd, Wscript, or Cscript. +description: The following query utilizes Windows Security EventCode 4698, indicating 'a scheduled task was created', to identify potentially suspicious tasks. These tasks may be registered on Windows through either schtasks.exe or TaskService, and are set up to execute a command with a native Windows shell such as PowerShell, Cmd, Wscript, or Cscript.\ - The search will return the initial and final times the task was registered, along with details like the 'Command' set to be executed, 'Task Name', 'Author', whether it's 'Enabled', and if it is 'Hidden'. + The search will return the initial and final times the task was registered, along with details like the 'Command' set to be executed, 'Task Name', 'Author', whether it's 'Enabled', and if it is 'Hidden'.\ - Schtasks.exe is typically found in C:\Windows\system32 and C:\Windows\syswow64. The DLL 'taskschd.dll' is loaded when either schtasks.exe or TaskService is launched. If this DLL is found loaded by another process, it's possible that a scheduled task is being registered within the context of that process in memory. + Schtasks.exe is typically found in C:\Windows\system32 and C:\Windows\syswow64. The DLL 'taskschd.dll' is loaded when either schtasks.exe or TaskService is launched. If this DLL is found loaded by another process, it's possible that a scheduled task is being registered within the context of that process in memory.\ During triage, it's essential to identify the source of the scheduled task. Was it registered via schtasks.exe or TaskService? Review the job that was created and the command set to be executed. It's also recommended to capture and review any artifacts on disk, and identify any parallel processes within the same timeframe to locate the source. data_source: diff --git a/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml b/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml index cc6215ce95..0480944461 100644 --- a/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml +++ b/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml @@ -6,12 +6,13 @@ author: Michael Haag, Splunk status: production type: TTP datamodel: [] -description: The following analytic utilizes Windows Security EventCode 4698, which indicates the creation of a scheduled task on a Windows system. The purpose of this query is to identify suspicious tasks that have been registered using either schtasks.exe or TaskService and involve executing a command from a user-writable file path. - When this analytic is triggered, it provides information such as the first and last registration time of the task, the command to be executed, the task name, author, and whether it is set as hidden or not. It is worth noting that schtasks.exe is commonly located in C:\Windows\system32 and C:\Windows\syswow64, and it loads the taskschd.dll DLL when launched. If this DLL is loaded by another process, it suggests that a scheduled task may be registered within that process's context in memory. +description: The following analytic utilizes Windows Security EventCode 4698, which indicates the creation of a scheduled task on a Windows system. The purpose of this query is to identify suspicious tasks that have been registered using either schtasks.exe or TaskService and involve executing a command from a user-writable file path.\ - During the triage process, it is essential to identify the source of the scheduled task creation, whether it was initiated through schtasks.exe or TaskService. The analyst should review the task that was created, including the command to be executed. Additionally, any artifacts on disk related to the task should be captured and analyzed. It is also recommended to identify any parallel processes that occurred within the same timeframe to determine the source of the task creation. + When this analytic is triggered, it provides information such as the first and last registration time of the task, the command to be executed, the task name, author, and whether it is set as hidden or not. It is worth noting that schtasks.exe is commonly located in C:\Windows\system32 and C:\Windows\syswow64, and it loads the taskschd.dll DLL when launched. If this DLL is loaded by another process, it suggests that a scheduled task may be registered within that process's context in memory.\ - By conducting this triage process, security analysts can gain insights into potentially malicious or suspicious scheduled tasks, helping them identify the source and assess the impact of the task. This analytic is valuable for a Security Operations Center (SOC) as it can detect unauthorized or suspicious activity that could indicate an attacker's attempt to establish persistence or execute unauthorized commands on the system. + During the triage process, it is essential to identify the source of the scheduled task creation, whether it was initiated through schtasks.exe or TaskService. The analyst should review the task that was created, including the command to be executed. Additionally, any artifacts on disk related to the task should be captured and analyzed. It is also recommended to identify any parallel processes that occurred within the same timeframe to determine the source of the task creation.\ + + By conducting this triage process, security analysts can gain insights into potentially malicious or suspicious scheduled tasks, helping them identify the source and assess the impact of the task. This analytic is valuable for a Security Operations Center (SOC) as it can detect unauthorized or suspicious activity that could indicate an attacker's attempt to establish persistence or execute unauthorized commands on the system.\ data_source: - Windows Security 4698 search: '`wineventlog_security` EventCode=4698 | xmlkv Message | search Command IN diff --git a/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml b/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml index 376c9a6d68..8a5468c220 100644 --- a/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml +++ b/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml @@ -5,13 +5,13 @@ date: '2023-04-05' author: Michael Haag, Splunk status: production type: Hunting -description: The following hunting analytic aims to identify suspicious tasks that have been registered and executed in Windows using EventID 200 (action run) and 201 (action completed) from the Windows Task Scheduler logs. This analytic helps detect evasive techniques used to register tasks on Windows systems. It is recommended to filter the results based on the ActionName field by specifying specific paths that are not commonly used in your environment. +description: The following hunting analytic aims to identify suspicious tasks that have been registered and executed in Windows using EventID 200 (action run) and 201 (action completed) from the Windows Task Scheduler logs. This analytic helps detect evasive techniques used to register tasks on Windows systems. It is recommended to filter the results based on the ActionName field by specifying specific paths that are not commonly used in your environment.\ - After implementing this analytic, it is important to review parallel events related to the scheduled tasks. EventID 106 will be generated when a new task is created, but it does not necessarily mean that the task has been executed. Analysts should capture any files on disk associated with the task and perform further analysis. + After implementing this analytic, it is important to review parallel events related to the scheduled tasks. EventID 106 will be generated when a new task is created, but it does not necessarily mean that the task has been executed. Analysts should capture any files on disk associated with the task and perform further analysis.\ - To implement this analytic, Task Scheduler logs must be collected. This can be done by adding a stanza for [WinEventLog://Microsoft-Windows-TaskScheduler/Operational] in the inputs.conf file and setting renderXml=false. It is worth noting that not translating the logs into XML may require specific extraction of items from the Message field. + To implement this analytic, Task Scheduler logs must be collected. This can be done by adding a stanza for [WinEventLog://Microsoft-Windows-TaskScheduler/Operational] in the inputs.conf file and setting renderXml=false. It is worth noting that not translating the logs into XML may require specific extraction of items from the Message field.\ - False positives are expected with this analytic, so it is important to filter the results based on the paths or specific keywords of interest in the ActionName field to reduce noise. + False positives are expected with this analytic, so it is important to filter the results based on the paths or specific keywords of interest in the ActionName field to reduce noise.\ Identifying and analyzing scheduled tasks that have been executed is crucial for a Security Operations Center (SOC) as it helps detect potentially malicious or unauthorized activities on Windows systems. By capturing and investigating the associated events, analysts can uncover signs of persistence mechanisms, unauthorized code execution, or suspicious behaviors. The impact of a true positive could range from unauthorized access to data exfiltration or the execution of malicious payloads. data_source: [] diff --git a/stories/scheduled_tasks.yml b/stories/scheduled_tasks.yml index 14ea13afb6..81189d0f29 100644 --- a/stories/scheduled_tasks.yml +++ b/stories/scheduled_tasks.yml @@ -4,20 +4,22 @@ version: 1 date: '2023-06-12' author: Michael Haag, Splunk description: The MITRE ATT&CK technique T1053 refers to Scheduled Task/Job. Adversaries might use task scheduling utilities to execute programs or scripts at a predefined date and time. This method is often used for persistence but can also be used for privilege escalation or to execute tasks under certain conditions. Scheduling tasks can be beneficial for an attacker as it can allow them to execute actions at times when the system is less likely to be monitored actively. Different operating systems have different utilities for task scheduling, for example, Unix-like systems have Cron, while Windows has Scheduled Tasks and At Jobs. -narrative: MITRE ATT&CK technique T1053, labeled "Scheduled Task/Job", is a categorization of methods that adversaries use to execute malicious code by scheduling tasks or jobs on a system. This technique is widely utilized for persistence, privilege escalation, and the remote execution of tasks. The technique is applicable across various environments and platforms, including Windows, Linux, and macOS. - The technique consists of multiple sub-techniques, each highlighting a distinct mechanism for scheduling tasks or jobs. These sub-techniques include T1053.001 (Scheduled Task), T1053.002 (At for Windows), T1053.003 (Cron), T1053.004 (Launchd), T1053.005 (At for Linux), and T1053.006 (Systemd Timers). - Scheduled Task (T1053.001) focuses on adversaries' methods for scheduling tasks on a Windows system to maintain persistence or escalate privileges. These tasks can be set to execute at specified times, in response to particular events, or after a defined time interval. +narrative: MITRE ATT&CK technique T1053, labeled "Scheduled Task/Job", is a categorization of methods that adversaries use to execute malicious code by scheduling tasks or jobs on a system. This technique is widely utilized for persistence, privilege escalation, and the remote execution of tasks. The technique is applicable across various environments and platforms, including Windows, Linux, and macOS.\ - The At command for Windows (T1053.002) enables administrators to schedule tasks on a Windows system. Adversaries may exploit this command to execute programs at system startup or at a predetermined schedule for persistence. + The technique consists of multiple sub-techniques, each highlighting a distinct mechanism for scheduling tasks or jobs. These sub-techniques include T1053.001 (Scheduled Task), T1053.002 (At for Windows), T1053.003 (Cron), T1053.004 (Launchd), T1053.005 (At for Linux), and T1053.006 (Systemd Timers).\ - Cron (T1053.003) is a built-in job scheduler found in Unix-like operating systems. Adversaries can use cron jobs to execute programs at system startup or on a scheduled basis for persistence. + Scheduled Task (T1053.001) focuses on adversaries' methods for scheduling tasks on a Windows system to maintain persistence or escalate privileges. These tasks can be set to execute at specified times, in response to particular events, or after a defined time interval.\ - Launchd (T1053.004) is a service management framework present in macOS. Adversaries may utilize launchd to maintain persistence on macOS systems by setting up daemons or agents to execute at specific times or in response to defined events. + The At command for Windows (T1053.002) enables administrators to schedule tasks on a Windows system. Adversaries may exploit this command to execute programs at system startup or at a predetermined schedule for persistence.\ - The At command for Linux (T1053.005) enables administrators to schedule tasks on a Linux system. Adversaries can use this command to execute programs at system startup or on a scheduled basis for persistence. + Cron (T1053.003) is a built-in job scheduler found in Unix-like operating systems. Adversaries can use cron jobs to execute programs at system startup or on a scheduled basis for persistence.\ - Systemd Timers (T1053.006) offer a means of scheduling tasks on Linux systems using systemd. Adversaries can use systemd timers to execute programs at system startup or on a scheduled basis for persistence. + Launchd (T1053.004) is a service management framework present in macOS. Adversaries may utilize launchd to maintain persistence on macOS systems by setting up daemons or agents to execute at specific times or in response to defined events.\ + + The At command for Linux (T1053.005) enables administrators to schedule tasks on a Linux system. Adversaries can use this command to execute programs at system startup or on a scheduled basis for persistence.\ + + Systemd Timers (T1053.006) offer a means of scheduling tasks on Linux systems using systemd. Adversaries can use systemd timers to execute programs at system startup or on a scheduled basis for persistence.\ Detection and mitigation strategies vary for each sub-technique. For instance, monitoring the creation of scheduled tasks or looking for uncorrelated changes to tasks that do not align with known software or patch cycles can be effective for detecting malicious activity related to this technique. Mitigation strategies may involve restricting permissions and applying application control solutions to prevent adversaries from scheduling tasks. references: From bda642ca2e292b6eca964fa30c42a69448fd229c Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Thu, 22 Jun 2023 16:16:50 -0700 Subject: [PATCH 5/6] fixes to yaml --- ...ossible_append_command_to_at_allow_config_file.yml | 11 +++-------- ...ossible_append_command_to_at_allow_config_file.yml | 4 ++-- 2 files changed, 5 insertions(+), 10 deletions(-) diff --git a/detections/endpoint/linux_possible_append_command_to_at_allow_config_file.yml b/detections/endpoint/linux_possible_append_command_to_at_allow_config_file.yml index 904427582a..2e3a0368bd 100644 --- a/detections/endpoint/linux_possible_append_command_to_at_allow_config_file.yml +++ b/detections/endpoint/linux_possible_append_command_to_at_allow_config_file.yml @@ -5,14 +5,9 @@ date: '2022-05-26' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: This analytic looks for suspicious commandline that may use to append - user entry to /etc/at.allow or /etc/at.deny. These 2 files are commonly abused by - malware, adversaries or red teamers to persist on the targeted or compromised host. - These config file can restrict user that can only execute at application (another - schedule task application in linux). attacker can create a user or add the compromised - username to that config file to execute at to schedule it malicious code. This anomaly - detection can be a good indicator to investigate further the entry in created config - file and who created it to verify if it is a false positive. +description: The following analytic is designed to identify suspicious command lines that may append user entries to either /etc/at.allow or /etc/at.deny. These files can be exploited by malicious actors for persistence on a compromised Linux host by altering permissions for scheduled tasks using the at command.\ + + In this context, an attacker can create a user or add an existing user to these configuration files to execute their malicious code through scheduled tasks. The detection of such anomalous behavior can serve as an effective indicator warranting further investigation to validate if the activity is indeed malicious or a false positive. data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count from datamodel=Endpoint.Processes diff --git a/dev/endpoint/linux_possible_append_command_to_at_allow_config_file.yml b/dev/endpoint/linux_possible_append_command_to_at_allow_config_file.yml index 694b56c795..5e8a9221dc 100644 --- a/dev/endpoint/linux_possible_append_command_to_at_allow_config_file.yml +++ b/dev/endpoint/linux_possible_append_command_to_at_allow_config_file.yml @@ -1,11 +1,11 @@ -name: Linux Possible Append Command To At Allow Config File +name: Linux Possible Append Command To At Allow Config Filedasdasdasdasdasdasdasdasdasdasdasdaadsadasdasdasdasd id: 7bc20606-5f40-11ec-a586-acde48001122 version: 2 date: '2022-05-26' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic is designed to identify suspicious command lines that may append user entries to either /etc/at.allow or /etc/at.deny. These files can be exploited by malicious actors for persistence on a compromised Linux host by altering permissions for scheduled tasks using the at command. +description: The following analytic is designed to identify suspicious command lines that may append user entries to either /etc/at.allow or /etc/at.deny. These files can be exploited by malicious actors for persistence on a compromised Linux host by altering permissions for scheduled tasks using the at command.\ In this context, an attacker can create a user or add an existing user to these configuration files to execute their malicious code through scheduled tasks. The detection of such anomalous behavior can serve as an effective indicator warranting further investigation to validate if the activity is indeed malicious or a false positive. data_source: From 883f84b44506e248f283ea22145bd036a52f6487 Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Thu, 22 Jun 2023 16:21:49 -0700 Subject: [PATCH 6/6] Update linux_possible_append_command_to_at_allow_config_file.yml --- .../linux_possible_append_command_to_at_allow_config_file.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dev/endpoint/linux_possible_append_command_to_at_allow_config_file.yml b/dev/endpoint/linux_possible_append_command_to_at_allow_config_file.yml index 5e8a9221dc..a765ec9685 100644 --- a/dev/endpoint/linux_possible_append_command_to_at_allow_config_file.yml +++ b/dev/endpoint/linux_possible_append_command_to_at_allow_config_file.yml @@ -1,4 +1,4 @@ -name: Linux Possible Append Command To At Allow Config Filedasdasdasdasdasdasdasdasdasdasdasdaadsadasdasdasdasd +name: Linux Possible Append Command To At Allow Config File id: 7bc20606-5f40-11ec-a586-acde48001122 version: 2 date: '2022-05-26'