Schedule Task with Rundll32 Command Trigger

Splunk Security Content

Summary
This detection identifies the creation of Windows scheduled tasks whose action command contains 'rundll32'. It relies on Windows Security Event Code 4698 ("A scheduled task was created"), whose Task Content field carries the task definition as XML, including the action's Command and Arguments elements; the rule filters for 'rundll32' in the extracted Command field. Note that 4698 is only logged when the "Audit Other Object Access Events" subcategory is enabled on the endpoint. A scheduled task that runs rundll32 with an attacker-supplied DLL is a well-known persistence and payload-launch mechanism, used by malware families such as TrickBot. Because rundll32 also appears in legitimate tasks, triage should review the task name, author, whether the task is hidden, and the DLL path and export passed to rundll32 (a DLL under a user-writable directory such as %ProgramData% or a user profile is far more suspicious than one under System32). If the task is confirmed malicious, the host is already persistently compromised and follow-on activity such as data theft or ransomware deployment is likely, so prompt investigation and removal of the task and its DLL are warranted.
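To make the rule's logic concrete, here is an added Python example (not part of the Splunk content or this page) that applies the same check over constructed 4698 records. The event field names (EventCode, TaskName, SubjectUserName, Computer, TaskContent) and all sample tasks are assumptions made up for the example; the task XML namespace is the real one Windows uses. Beyond the page's rule, the `check_arguments` option also inspects the Arguments element, which catches a task whose Command is cmd.exe and whose rundll32 call is hidden in the arguments, and the EventCode filter shows that task updates (4702) are outside this rule's scope.

```python
import re
import xml.etree.ElementTree as ET

# Real namespace used by Windows Task Scheduler XML (as found in 4698 Task Content).
TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"
# Same semantics as the rule's wildcard match on *rundll32* (case-insensitive).
RUNDLL32_RE = re.compile(r"rundll32", re.IGNORECASE)

# Constructed sample events; field names and contents are assumptions for this example.
SAMPLE_EVENTS = [
    {   # benign built-in maintenance task: should not match
        "EventCode": 4698, "Computer": "ws01.corp.example", "SubjectUserName": "SYSTEM",
        "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
        "TaskContent": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec><Command>%windir%\system32\defrag.exe</Command><Arguments>-c -h -o -$</Arguments></Exec>
  </Actions>
</Task>"""},
    {   # suspicious: hidden task running rundll32 on a DLL in a user-writable path
        "EventCode": 4698, "Computer": "ws01.corp.example", "SubjectUserName": "jdoe",
        "TaskName": r"\WinUpdateSvc",
        "TaskContent": r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>C:\Windows\System32\rundll32.exe</Command><Arguments>C:\Users\Public\upd.dll,StartW</Arguments></Exec>
  </Actions>
</Task>"""},
    {   # evasion of a Command-only check: rundll32 appears only in Arguments
        "EventCode": 4698, "Computer": "ws02.corp.example", "SubjectUserName": "jdoe",
        "TaskName": r"\Sync",
        "TaskContent": r"""<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec><Command>cmd.exe</Command><Arguments>/c rundll32 C:\ProgramData\s.dll,#1</Arguments></Exec>
  </Actions>
</Task>"""},
    {   # out of scope for this rule: task *updated* (4702), not created
        "EventCode": 4702, "Computer": "ws02.corp.example", "SubjectUserName": "jdoe",
        "TaskName": r"\Microsoft\Windows\Backup\Nightly",
        "TaskContent": r"""<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec><Command>rundll32.exe</Command><Arguments>C:\ProgramData\b.dll,Run</Arguments></Exec>
  </Actions>
</Task>"""},
]


def parse_task_content(task_xml):
    """Parse a 4698 Task Content payload (like Splunk's xmlkv would) and return
    one (command, arguments, hidden) tuple per <Exec> action in the task."""
    # Drop the XML declaration: real payloads declare UTF-16 but arrive here as str.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", task_xml)
    root = ET.fromstring(body)
    hidden_text = root.findtext(f"{{{TASK_NS}}}Settings/{{{TASK_NS}}}Hidden", default="false")
    hidden = hidden_text.strip().lower() == "true"
    actions = []
    for exec_node in root.iter(f"{{{TASK_NS}}}Exec"):
        cmd = exec_node.findtext(f"{{{TASK_NS}}}Command", default="").strip()
        args = exec_node.findtext(f"{{{TASK_NS}}}Arguments", default="").strip()
        actions.append((cmd, args, hidden))
    return actions


def match_events(events, check_arguments=True):
    """Apply the rule: EventCode 4698 and 'rundll32' in Command. With
    check_arguments=True the match is extended to Arguments (a hardening step
    beyond the page's rule). Returns one triage summary per hit, similar to the
    fields the rule's stats output would surface."""
    hits = []
    for ev in events:
        if ev["EventCode"] != 4698:   # creation only; 4702 updates are not covered
            continue
        for cmd, args, hidden in parse_task_content(ev["TaskContent"]):
            if RUNDLL32_RE.search(cmd) or (check_arguments and RUNDLL32_RE.search(args)):
                hits.append({"TaskName": ev["TaskName"], "Command": cmd, "Arguments": args,
                             "Hidden": hidden, "Author": ev["SubjectUserName"],
                             "dest": ev["Computer"]})
    return hits


if __name__ == "__main__":
    for hit in match_events(SAMPLE_EVENTS):
        print(hit)
```

Run as-is, the script flags `\WinUpdateSvc` (hidden, System32 rundll32 loading a DLL from C:\Users\Public) and `\Sync` (rundll32 reached through cmd.exe); with `check_arguments=False`, which is the page's rule as written, only `\WinUpdateSvc` is reported, and the 4702 record is ignored in both modes.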
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • Scheduled Job
ATT&CK Techniques
  • T1053 (Scheduled Task/Job)
Created: 2024-12-10