
Summary
This detection rule identifies the creation of suspicious Windows scheduled tasks that use native shells (PowerShell, Cmd, Wscript, or Cscript) to execute commands. Such tasks matter because they can indicate attempts to establish persistence on a system or to run harmful commands. The rule relies on Windows Security Event Codes 4698 (task creation), 4700 (task enablement), and 4702 (task modification) to track these actions. When a task is registered, enabled, or modified, its command is checked for unusual patterns, particularly commands launched from public folders (Users, Temp, ProgramData), which attackers commonly use as staging locations. By correlating these events with known suspicious task commands, the rule flags activity that could lead to privilege escalation or unauthorized access to the system. The rule requires ingestion of the relevant Windows Security Event Logs to function.
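As an added illustration that is not part of the rule or its vendor's code, the following Python sketches the matching logic described above over constructed 4698/4700/4702 records: it parses the task's action XML, checks whether the action runs a native shell, and whether the command line references a public folder. The sample events, the `task_xml` helper and the record field names are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Event IDs the rule keys on (creation, enablement, modification) and the shells it watches for.
TASK_EVENT_IDS = {4698: "created", 4700: "enabled", 4702: "updated"}
NATIVE_SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Public folders commonly used to stage the script a task runs.
PUBLIC_FOLDERS = re.compile(r"\\(Users|Temp|ProgramData)\\", re.IGNORECASE)
# Namespace of the Task Scheduler XML carried in the event's TaskContent field.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

def task_xml(command, arguments=""):
    """Build a minimal TaskContent document (constructed test data, not a real log)."""
    return (f'<Task xmlns="{NS["t"]}"><Actions><Exec><Command>{command}</Command>'
            f"<Arguments>{arguments}</Arguments></Exec></Actions></Task>")

def exec_actions(task_content):
    """Yield (command, arguments) for every <Exec> action in the task XML."""
    root = ET.fromstring(task_content)
    for exe in root.findall(".//t:Exec", NS):
        cmd = exe.findtext("t:Command", default="", namespaces=NS).strip()
        args = exe.findtext("t:Arguments", default="", namespaces=NS).strip()
        yield cmd, args

def is_suspicious(event_id, task_content):
    """True when a 4698/4700/4702 event registers a native shell run from a public folder."""
    if event_id not in TASK_EVENT_IDS:
        return False
    for cmd, args in exec_actions(task_content):
        exe = cmd.strip('"').rsplit("\\", 1)[-1].lower()   # bare binary name
        if exe in NATIVE_SHELLS and PUBLIC_FOLDERS.search(f"{cmd} {args}"):
            return True
    return False

def triage(events):
    """Return (event_id, action, task_name) for each event the rule would flag."""
    return [(e["EventID"], TASK_EVENT_IDS[e["EventID"]], e["TaskName"])
            for e in events if is_suspicious(e["EventID"], e["TaskContent"])]

# Constructed sample events mirroring the Security log fields the rule reads.
SAMPLE_EVENTS = [
    {"EventID": 4698, "TaskName": r"\Updater",
     "TaskContent": task_xml("cmd.exe", r"/c C:\Users\Public\update.bat")},
    {"EventID": 4702, "TaskName": r"\Microsoft\Sync", "TaskContent": task_xml(
        "powershell.exe", r"-NoP -W Hidden -File C:\ProgramData\sync.ps1")},
    {"EventID": 4698, "TaskName": r"\Backup",
     "TaskContent": task_xml(r"C:\Program Files\Vendor\backup.exe", "--full")},
    {"EventID": 4699, "TaskName": r"\Updater",  # deletion: not one of the rule's event IDs
     "TaskContent": task_xml("cmd.exe", r"/c C:\Temp\x.bat")},
]
```

Running `triage(SAMPLE_EVENTS)` flags only the first two records; the vendor binary and the 4699 deletion event pass through.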
Categories
- Endpoint
Data Sources
- Windows Registry
ATT&CK Techniques
- T1053
- T1053.005
Created: 2025-02-07