Hunting for Scheduled Task Abuse: A Realistic Threat Investigation
Why This Activity Stood Out
During our routine SOC monitoring, we spotted some odd telemetry patterns related to scheduled tasks. The activity seemed suspicious because it involved the creation of unusual tasks and the execution of rundll32.exe with unexpected command-line arguments. Given the stealthy nature of advanced adversaries like FIN7, this caught our attention and was deemed critical.
Initial Hunt Logic
Our first hypothesis centered on these activities:
- Unusual creation of scheduled tasks
- Execution of suspicious binaries or scripts via rundll32.exe
- Outbound connections to rare or unusual domains
We focused on Windows Security Event ID 4698 ("A scheduled task was created"), which records the creation of scheduled tasks. We also combined this with process creation logs and Sysmon data to trace any anomalies in the process lineage that might indicate malicious intent.
Reviewing Process Lineage
To start, we used KQL (Kusto Query Language) to gather relevant data from DeviceProcessEvents:
DeviceProcessEvents
| where FileName =~ "rundll32.exe"
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine  // include the rundll32 command line itself, not only the parent's
This query helped us identify processes that invoked rundll32.exe, a common method for executing code in Windows. We noticed several instances of unusual command-line arguments being used.
Analyst Uncertainty
One challenge was distinguishing between legitimate administrative tasks and malicious ones. For example, we saw some rundll32.exe invocations that seemed to be part of routine IT operations, such as scheduled backups or maintenance scripts. To address this, we needed to establish a baseline of normal activity for our environment.
Expanding the Investigation
To validate our findings, we expanded the investigation by correlating these events with 4698 scheduled task creation events:
DeviceProcessEvents
| where FileName =~ "rundll32.exe"
| join kind=inner (DeviceSecurityEvents | where EventID == 4698 | project DeviceName, TaskCreatedTime = Timestamp) on DeviceName
| where Timestamp between (TaskCreatedTime .. (TaskCreatedTime + 10m))  // joining on an exact Timestamp almost never matches; use a short window after task creation instead
This query helped us identify if any of the suspicious rundll32.exe executions were associated with scheduled task creation. We found a few instances where rundll32.exe was invoked shortly after a new scheduled task was created.
Process Lineage Analysis
To understand the full context, we traced the process lineage for these events:
let list_of_devices = dynamic(["<device-1>", "<device-2>"]);  // placeholder: devices flagged in the previous step
DeviceProcessEvents
| where DeviceName in (list_of_devices) and ProcessCommandLine has_any ("rundll32")
| join kind=inner (
    DeviceProcessEvents
    | where DeviceName in (list_of_devices)
    | project DeviceName, ParentProcessId = ProcessId, ParentFileName = FileName, ParentCommandLine = ProcessCommandLine
) on DeviceName, $left.InitiatingProcessId == $right.ParentProcessId  // child's parent PID matched to the parent's own PID
| project Timestamp, DeviceName, ParentFileName, ParentCommandLine, FileName, ProcessCommandLine
// Note: DeviceProcessEvents already carries InitiatingProcessFileName/InitiatingProcessCommandLine; the self-join adds the parent's full record.
This allowed us to map out the parent-child relationships between processes, identifying any unusual activity that might indicate malicious intent. For example, we noticed some rundll32.exe invocations were initiated by seemingly benign processes but had unexpected command-line arguments.
Detection Opportunities
Based on our findings, we developed a Sigma rule for detecting suspicious use of rundll32.exe:
title: Suspicious Rundll32 Usage
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\rundll32.exe'
        CommandLine|contains: 'malicious_pattern'   # placeholder for the environment-specific patterns observed
    condition: selection
level: medium
This Sigma rule filters for rundll32.exe executions with command-line arguments that match known malicious patterns. We also extended the detection by correlating these events with 4698 scheduled task creation events.
Analyst Notes
- False Positives: Legitimate administrative tasks, such as running backup scripts, can trigger false positives. To minimize this risk, we need to establish a baseline of normal activity and set up context-based alerts.
- Telemetry Blind Spots: Some processes might execute rundll32.exe without triggering the DeviceProcessEvents. For example, if a scheduled task is created but not executed until later via another method, this might go undetected by our current telemetry setup.
Operational Challenges
- Resource Constraints: Monitoring and analyzing all process creation events can be resource-intensive. We need to ensure that our detection mechanisms are optimized for performance.
- User Education: Educating users about the importance of monitoring scheduled tasks can help them avoid accidental misuse or compromise.
Telemetry Gaps
The current telemetry setup might not capture all instances of rundll32.exe usage, especially if it is executed via other methods such as PowerShell scripts or custom executables. Event ID 4698 itself is only written when the "Audit Other Object Access Events" audit subcategory is enabled, so task creation can also go unrecorded on hosts without that policy. We need to consider adding additional telemetry sources, such as PowerShell logging, and coverage for the other execution methods used by threat actors.
Interesting Findings
We identified a few suspicious scheduled tasks that were created shortly after rundll32.exe executions. These findings are still under investigation and require further validation through network traffic analysis.
Practical Hunting Methodology
- Baseline Establishment: Continuously monitor and establish a baseline of normal activity to better detect anomalies.
- Correlation Analysis: Correlate events from different sources (e.g., 4698 events with DeviceProcessEvents) to gain context.
- Contextual Alerts: Use contextual information to minimize false positives.
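The correlation described in Expanding the Investigation and the baseline-driven false-positive handling from the Analyst Notes and the methodology above, as an added stand-alone example (not the hunt's own KQL): it pairs constructed 4698 task-creation records with constructed process-creation records for rundll32.exe inside a time window, and suppresses pairs that match a hypothetical environment baseline (Microsoft-managed task paths, a known backup-agent parent).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class TaskCreated:           # fields as seen in a Security 4698 event (constructed here)
    ts: datetime
    host: str
    task_name: str
    command: str             # the task's <Command> action

@dataclass
class ProcessCreated:        # fields as seen in a process-creation event (constructed here)
    ts: datetime
    host: str
    file_name: str
    cmdline: str
    parent: str

# Hypothetical environment baseline: Microsoft-managed task paths and a known
# backup-agent parent are treated as routine and suppressed.
BASELINE_TASK_PREFIXES = ("\\Microsoft\\Windows\\",)
BASELINE_PARENTS = {"backupagent.exe"}

def correlate(tasks, procs, window=timedelta(minutes=10)):
    """Pair each non-baseline 4698 task with rundll32.exe processes started on the
    same host within `window` after creation; skip baseline parents. Each hit is
    (task_name, process cmdline, whether the task action itself launches rundll32)."""
    hits = []
    for t in tasks:
        if t.task_name.startswith(BASELINE_TASK_PREFIXES):
            continue
        for p in procs:
            if (p.host == t.host and p.file_name.lower() == "rundll32.exe"
                    and t.ts <= p.ts <= t.ts + window
                    and p.parent.lower() not in BASELINE_PARENTS):
                hits.append((t.task_name, p.cmdline, "rundll32" in t.command.lower()))
    return hits

T = datetime(2024, 1, 1, 10, 0, 0)
TASKS = [  # constructed sample 4698 events
    TaskCreated(T, "WS01", "\\Updater", "rundll32.exe C:\\Users\\Public\\x.dll,Run"),
    TaskCreated(T + timedelta(minutes=5), "WS01", "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "defrag.exe"),
    TaskCreated(T + timedelta(hours=1), "WS02", "\\NightlyBackup", "backupagent.exe /run"),
]
PROCS = [  # constructed sample process-creation events
    ProcessCreated(T + timedelta(seconds=30), "WS01", "rundll32.exe", "rundll32.exe C:\\Users\\Public\\x.dll,Run", "svchost.exe"),
    ProcessCreated(T + timedelta(minutes=30), "WS01", "rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL", "explorer.exe"),
    ProcessCreated(T + timedelta(hours=1, seconds=20), "WS02", "rundll32.exe", "rundll32.exe printui.dll,PrintUIEntry", "backupagent.exe"),
]

if __name__ == "__main__":
    for task, cmd, direct in correlate(TASKS, PROCS):
        print(f"{task!r} -> {cmd!r} (task action launches rundll32: {direct})")
```

Widening the window surfaces the later explorer.exe-launched rundll32 as well, which is the point where a baseline, rather than a larger window, has to decide what is routine.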
MITRE ATT&CK Mapping
The threat activity we observed aligns with the following MITRE ATT&CK techniques and tactics:
- T1053 – Scheduled Task/Job: Threat actors might use scheduled tasks for persistence.
- Persistence: Establishing long-term access through scheduled tasks is a common tactic.
Practical Detection Recommendations
- Enhance Baseline Monitoring: Continuously monitor normal process behavior to quickly identify deviations.
- Extend Telemetry Coverage: Consider adding additional telemetry sources, such as PowerShell logging, and coverage for execution via custom executables.
- Advanced Correlation Techniques: Implement advanced correlation techniques to detect anomalies in the context of scheduled task creation and execution.
Telemetry Improvement Ideas
- Enhance Process Creation Logging: Ensure that all process creations are logged, including those initiated by rundll32.exe.
- Custom Alerts: Set up custom alerts for unusual combinations of events (e.g., 4698 followed by DeviceProcessEvents with suspicious command-line arguments).
Hashtags Relevant to the Hunt Topic
#ThreatHunting #WindowsSecurity #ScheduledTaskAbuse #PersistenceTech #MITREATT&CKT1053 #Rundll32Execution #SIEMDetection #TelemetryImprovement
This investigation provides a detailed look into how we approached detecting and analyzing scheduled task abuse, highlighting the importance of thorough process lineage analysis and contextual correlation. The findings from this hunt will inform our ongoing efforts to enhance detection capabilities and mitigate potential threats.
#ThreatHunting #CyberSecurity #BlueTeam #SOC #DetectionEngineering #MITREATTACK #Persistence #Windows #ScheduledTaskAbuse
