Outbound Scheduled Task Activity via PowerShell

About

Tags

Domain: EndpointOS: WindowsUse Case: Threat DetectionTactic: ExecutionData Source: Elastic DefendData Source: SysmonLanguage: eql

Severity

medium

Risk Score

47

MITRE ATT&CK™

Execution (TA0002)(opens in a new tab or window)

↳ Scheduled Task/Job (T1053)(opens in a new tab or window)

↳ Command and Scripting Interpreter (T1059)(opens in a new tab or window)

False Positive Examples

Legitimate scheduled tasks may be created during installation of new software.

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type

Event Correlation Rule

Integration Pack

Prebuilt Security Detection Rules

Index Patterns

winlogbeat-*logs-endpoint.events.library-*logs-endpoint.events.network-*logs-windows.sysmon_operational-*

Related Integrations

endpoint(opens in a new tab or window)

windows(opens in a new tab or window)

Query

sequence by host.id, process.entity_id with maxspan = 5s
 [any where host.os.type == "windows" and (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and
  (?dll.name : "taskschd.dll" or file.name : "taskschd.dll") and process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe")]
 [network where host.os.type == "windows" and process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and destination.port == 135 and not destination.address in ("127.0.0.1", "::1")]