Detecting Suspicious Scheduled Task Abuse: A Realistic Threat Hunting Investigation
Why This Activity Stood Out
On March 15, our Security Operations Center (SOC) detected multiple suspicious scheduled task creations involving rundll32.exe. These findings were initially flagged by a Sigma rule targeting unusual rundll32 activity. Given that this technique is closely aligned with T1053 in MITRE ATT&CK, we decided to dig deeper.
Initial Hunt Logic
Available Telemetry
- 4698 Scheduled Task Events: These events capture task creation and modification activities.
- Task Scheduler Operational Logs: Additional context on scheduled tasks.
- Sysmon: Detailed process monitoring logs.
- Process Creation Events: Further insight into the parent-child relationships.
Hypothesis
Attackers may be using rundll32.exe to run arbitrary code or inject malicious payloads, establishing persistence within our environment. This aligns with T1053 in MITRE ATT&CK, which describes the abuse of scheduled tasks for maintaining long-term access.
Reviewing Process Lineage
KQL Hunting Reference
DeviceProcessEvents
| where FileName =~ "rundll32.exe"
| project Timestamp, DeviceName, InitiatingProcessCommandLine
This query identified several instances of rundll32 execution, but it didn’t provide much context. We needed to dig deeper by looking at the parent processes.
SPL Hunting Reference
index=sysmon EventCode=1 CommandLine="*-enc*"
| stats count by Computer, CommandLine
The Splunk query highlighted some suspicious command lines involving rundll32 and obfuscated execution. However, it returned a lot of noise, making it hard to filter out the relevant activity.
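To show what the lineage-aware refinement looks like once the KQL/SPL results are pulled out of the SIEM, here is an added example (not code from the original write-up): it runs the broad "any rundll32" selection and a refined DLL/export allowlist check over constructed rows shaped like DeviceProcessEvents, including one benign Explorer-launched Control Panel applet. The field names mirror DeviceProcessEvents; the KNOWN_GOOD allowlist and the sample rows are assumed placeholders.

```python
import re

# Constructed sample rows shaped like DeviceProcessEvents; not real telemetry.
SAMPLE_EVENTS = [
    {"Timestamp": "March 15, 08:47:39", "DeviceName": "WIN-XXXXXX",
     "InitiatingProcessFileName": "explorer.exe", "FileName": "rundll32.exe",
     "ProcessCommandLine": r"rundll32.exe %SystemRoot%\system32\inetsrv\metahttpd.dll,ProcessRequest"},
    {"Timestamp": "March 15, 09:07:24", "DeviceName": "WIN-YYYYYY",
     "InitiatingProcessFileName": "explorer.exe", "FileName": "rundll32.exe",
     "ProcessCommandLine": r"rundll32.exe %SystemRoot%\system32\inetsrv\metahost.dll,ProcessRequest"},
    # Benign: Explorer opening a Control Panel applet through rundll32.
    {"Timestamp": "March 15, 09:10:02", "DeviceName": "WIN-ZZZZZZ",
     "InitiatingProcessFileName": "explorer.exe", "FileName": "rundll32.exe",
     "ProcessCommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"Timestamp": "March 15, 09:12:00", "DeviceName": "WIN-ZZZZZZ",
     "InitiatingProcessFileName": "svchost.exe", "FileName": "notepad.exe",
     "ProcessCommandLine": "notepad.exe"},
]

# rundll32 takes "<dll>,<export>"; capture both so each hit is reviewable.
RUNDLL_ARGS = re.compile(r"rundll32(?:\.exe)?\s+(?P<dll>[^,\s]+)(?:,(?P<export>\S+))?", re.I)

# Assumed placeholder allowlist of (dll, export) pairs Explorer launches routinely.
KNOWN_GOOD = {("shell32.dll", "control_rundll")}


def broad_rule(ev):
    """Equivalent of the Sigma selection Image|endswith 'rundll32.exe'."""
    return ev["FileName"].lower().endswith("rundll32.exe")


def refined_rule(ev):
    """rundll32 whose DLL/export pair is not on the allowlist."""
    if not broad_rule(ev):
        return False
    m = RUNDLL_ARGS.search(ev["ProcessCommandLine"])
    if not m:
        return True  # rundll32 with no DLL argument is itself unusual
    dll = m.group("dll").replace("\\", "/").rsplit("/", 1)[-1].lower()
    export = (m.group("export") or "").lower()
    return (dll, export) not in KNOWN_GOOD


def hunt(events, rule):
    """Return (Timestamp, DeviceName, parent image, child command line) per hit."""
    return [(e["Timestamp"], e["DeviceName"], e["InitiatingProcessFileName"],
             e["ProcessCommandLine"]) for e in events if rule(e)]
```

The broad rule returns all three rundll32 rows, the refined rule only the two inetsrv DLL invocations, which is the noise reduction the text is after.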
Expanding the Investigation
Investigating Specific Instances
- Timestamp: March 15, 08:47:39
  - Device Name: WIN-XXXXXX
  - Initiating Process CommandLine: explorer.exe
  - CommandLine: rundll32.exe %SystemRoot%\system32\inetsrv\metahttpd.dll,ProcessRequest
- Timestamp: March 15, 09:07:24
  - Device Name: WIN-YYYYYY
  - Initiating Process CommandLine: explorer.exe
  - CommandLine: rundll32.exe %SystemRoot%\system32\inetsrv\metahost.dll,ProcessRequest
Analyzing the CommandLine
The command lines in question are suspicious because they reference built-in Windows components (metahttpd and metahost) that aren’t typically invoked via rundll32. This suggests an attempt to hide or obfuscate malicious activity.
Detection Opportunities
- Sigma Rule:
title: Suspicious Rundll32 Usage
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: 'rundll32.exe'
    condition: selection
level: medium
This rule is effective for detecting unexpected rundll32 activity. However, it can also generate false positives when benign processes execute rundll32 with standard parameters.
- KQL Rule:
DeviceProcessEvents
| where FileName =~ "rundll32.exe"
| project Timestamp, DeviceName, InitiatingProcessCommandLine
This query is useful for identifying instances of rundll32 execution but lacks context and can be noisy.
Analyst Notes
False Positives
- Benign Processes: Some legitimate processes, such as Windows Explorer or other system components, may execute rundll32.exe with common parameters.
- Scripting Languages: Rundll32 is often used to run scripts from within the Windows shell.
Operational Challenges
- Noise in Logs: The large volume of scheduled task events and process creation logs can make it challenging to filter out irrelevant activity.
- Hidden Execution: Attackers may use obfuscation techniques to hide malicious code execution, making detection difficult.
Telemetry Gaps
- Lack of Context: Sysmon captures the command line but does not provide context on the task scheduler events.
- Limited Visibility: The Task Scheduler Operational Logs are less detailed and can be slow to generate reports.
Interesting Findings
- Domain Mapping: Some of the outbound connections from these devices were to rare, non-standard domains. This further hinted at potential C2 communication.
- Parent Process Analysis: Several instances showed explorer.exe as the initiating process, which is suspicious given its normal behavior within a user context.
MITRE ATT&CK Mapping
T1053 – Scheduled Task/Job
- Technique: The use of scheduled tasks to run malicious code or maintain persistence.
- Tactic: Persistence (the tactic T1053 maps to).
Additional Context
- Persistence Mechanism: Attackers may leverage legitimate administrative tools to maintain long-term access without raising alarms.
- Execution Environment: By using rundll32, attackers can hide their activity within normal system processes.
Analyst Mistakes
- Overreliance on Sigma Rules: While these rules are valuable, they should be used in conjunction with context and additional queries.
- Ignoring Benign Behaviors: Failing to distinguish between expected and suspicious behavior based on the process lineage can lead to false positives or negatives.
Practical Detection Recommendations
- Enhanced Process Lineage Analysis:
  - Integrate third-party tools like CrowdStrike Falcon for enhanced process analysis.
- Custom Sigma Rules:
  - Develop rules that filter out benign rundll32 activities and focus on suspicious command lines.
title: Suspicious Rundll32 with Obfuscated Parameters
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: 'rundll32.exe'
        CommandLine|contains:
            - 'metahttpd.dll'
            - 'metahost.dll'
    condition: selection
level: high
- Regularly Review Task Scheduler Events:
  - Automate the review of new task creations and modifications.
- SIEM Rule Improvements:
  - Use KQL to filter out known good activities and focus on suspicious command lines.
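The recommendation to automate review of new task creations can be applied directly to the 4698 events listed under Available Telemetry, whose TaskContent field carries the task definition XML. The following is an added example, not code from the original write-up: it parses that XML, pulls every Exec action, and flags tasks that run rundll32 with the DLLs named in the custom Sigma rule. The two 4698 records are constructed samples; the task XML namespace is the standard Task Scheduler one.

```python
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# DLL names taken from the custom Sigma rule in this write-up.
WATCHED_DLLS = ("metahttpd.dll", "metahost.dll")

# Constructed 4698 EventData fields; the XML mirrors real task definitions.
SAMPLE_4698 = [
    {"SubjectUserName": "jdoe", "TaskName": r"\Updater",
     "TaskContent": (
        '<?xml version="1.0" encoding="UTF-16"?>'
        '<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        '<Principals><Principal><UserId>S-1-5-18</UserId>'
        '<RunLevel>HighestAvailable</RunLevel></Principal></Principals>'
        '<Actions><Exec><Command>rundll32.exe</Command>'
        '<Arguments>%SystemRoot%\\system32\\inetsrv\\metahttpd.dll,ProcessRequest'
        '</Arguments></Exec></Actions></Task>')},
    {"SubjectUserName": "SYSTEM", "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "TaskContent": (
        '<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        '<Actions><Exec><Command>%windir%\\system32\\defrag.exe</Command>'
        '<Arguments>-c -h -o</Arguments></Exec></Actions></Task>')},
]


def exec_actions(task_xml):
    """Yield (command, arguments) for every <Exec> action in a task definition."""
    if task_xml.lstrip().startswith("<?xml"):
        task_xml = task_xml.split("?>", 1)[1]  # drop the UTF-16 declaration before parsing a str
    root = ET.fromstring(task_xml)
    for ex in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = (ex.findtext("t:Command", default="", namespaces=TASK_NS) or "").strip()
        args = (ex.findtext("t:Arguments", default="", namespaces=TASK_NS) or "").strip()
        yield cmd, args


def is_suspicious_task(event):
    """True if any action launches rundll32 with one of the watched DLLs."""
    for cmd, args in exec_actions(event["TaskContent"]):
        image = cmd.lower().rsplit("\\", 1)[-1]
        if image == "rundll32.exe" and any(d in args.lower() for d in WATCHED_DLLS):
            return True
    return False


def review(events):
    """Return (TaskName, creating user, reconstructed command line) for flagged tasks."""
    hits = []
    for e in events:
        if is_suspicious_task(e):
            cmdline = " ".join(" ".join(a) for a in exec_actions(e["TaskContent"]))
            hits.append((e["TaskName"], e["SubjectUserName"], cmdline))
    return hits
```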
Telemetry Improvement Ideas
- Enhanced Sysmon Configuration:
- Include more detailed event data, such as network activity, in Sysmon logs.
- Integrate with Third-Party Tools:
- Use tools like Threat Hunter for real-time analysis and detection.
- Regular Log Analysis Workflows:
- Develop a workflow that regularly reviews task scheduler events and process creation logs.
Operational Observations
- Resource Intensive Queries: The initial queries were resource-intensive, leading to delays in results. Optimization is necessary.
- User Training: Increase user awareness on suspicious behaviors, such as unexpected rundll32 usage.
Conclusion
The investigation into suspicious scheduled task abuse involving rundll32.exe was challenging but ultimately led to the detection of potential malicious activity. The use of a combination of Sigma rules, KQL queries, and enhanced process lineage analysis helped in identifying and understanding the threat landscape.
