Scheduled Task Creation or Update from User Writable Directory
| Id | 0b827a49-427e-4721-b05e-b151a8af524e |
| Rulename | Scheduled Task Creation or Update from User Writable Directory |
| Description | This query triggers when a scheduled task is created or updated and it is going to run programs from writable user paths. Ref: https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html |
| Tactics | Execution |
| Techniques | T1053.005 |
| Required data connectors | SecurityEvents |
| Kind | Scheduled |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Endpoint Threat Protection Essentials/Hunting Queries/ScheduledTaskCreationUpdateFromUserWritableDrectory.yaml |
| Version | 1.0.0 |
| Arm template | 0b827a49-427e-4721-b05e-b151a8af524e.json |
// Enter a reference list for writable user paths"
let WritableUserPaths = dynamic (["\"C:\\Users\\","\"C:\\ProgramData\\"]);
SecurityEvent
| where EventID in (4698,4702) and EventData has_any (WritableUserPaths)
| parse EventData with * 'Command>' Command "<" *
| parse EventData with * 'Arguments>' Arguments "<" *
| where Command has_any (WritableUserPaths) or Arguments has_any (WritableUserPaths)
| parse EventData with * 'SubjectUserName">' SubjectUserName "<" * 'SubjectDomainName">' SubjectDomainName "<" * 'TaskName">' TaskName "<" *
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Activity, Computer, SubjectUserName, SubjectDomainName, TaskName, Command, Arguments
name: Scheduled Task Creation or Update from User Writable Directory
requiredDataConnectors:
- dataTypes:
- SecurityEvent
connectorId: SecurityEvents
kind: Scheduled
entityMappings:
- fieldMappings:
- identifier: FullName
columnName: SubjectUserName
entityType: Account
- fieldMappings:
- identifier: FullName
columnName: Computer
entityType: Host
- fieldMappings:
- identifier: CommandLine
columnName: CommandLine
entityType: Process
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Endpoint Threat Protection Essentials/Hunting Queries/ScheduledTaskCreationUpdateFromUserWritableDrectory.yaml
description: |
'This query triggers when a scheduled task is created or updated and it is going to run programs from writable user paths.
Ref: https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html'
tactics:
- Execution
id: 0b827a49-427e-4721-b05e-b151a8af524e
version: 1.0.0
relevantTechniques:
- T1053.005
query: |
// Enter a reference list for writable user paths"
let WritableUserPaths = dynamic (["\"C:\\Users\\","\"C:\\ProgramData\\"]);
SecurityEvent
| where EventID in (4698,4702) and EventData has_any (WritableUserPaths)
| parse EventData with * 'Command>' Command "<" *
| parse EventData with * 'Arguments>' Arguments "<" *
| where Command has_any (WritableUserPaths) or Arguments has_any (WritableUserPaths)
| parse EventData with * 'SubjectUserName">' SubjectUserName "<" * 'SubjectDomainName">' SubjectDomainName "<" * 'TaskName">' TaskName "<" *
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Activity, Computer, SubjectUserName, SubjectDomainName, TaskName, Command, Arguments
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/0b827a49-427e-4721-b05e-b151a8af524e')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0b827a49-427e-4721-b05e-b151a8af524e')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01",
"properties": {
"displayName": "Scheduled Task Creation or Update from User Writable Directory",
"description": "'This query triggers when a scheduled task is created or updated and it is going to run programs from writable user paths.\nRef: https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html'\n",
"enabled": true,
"query": "// Enter a reference list for writable user paths\"\nlet WritableUserPaths = dynamic ([\"\\\"C:\\\\Users\\\\\",\"\\\"C:\\\\ProgramData\\\\\"]);\nSecurityEvent\n| where EventID in (4698,4702) and EventData has_any (WritableUserPaths)\n| parse EventData with * 'Command>' Command \"<\" *\n| parse EventData with * 'Arguments>' Arguments \"<\" *\n| where Command has_any (WritableUserPaths) or Arguments has_any (WritableUserPaths)\n| parse EventData with * 'SubjectUserName\">' SubjectUserName \"<\" * 'SubjectDomainName\">' SubjectDomainName \"<\" * 'TaskName\">' TaskName \"<\" *\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Activity, Computer, SubjectUserName, SubjectDomainName, TaskName, Command, Arguments\n",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Execution"
],
"techniques": [
"T1053.005"
],
"alertRuleTemplateName": "0b827a49-427e-4721-b05e-b151a8af524e",
"customDetails": null,
"entityMappings": [
{
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "SubjectUserName"
}
],
"entityType": "Account"
},
{
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "Computer"
}
],
"entityType": "Host"
},
{
"fieldMappings": [
{
"identifier": "CommandLine",
"columnName": "CommandLine"
}
],
"entityType": "Process"
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Endpoint Threat Protection Essentials/Hunting Queries/ScheduledTaskCreationUpdateFromUserWritableDrectory.yaml",
"templateVersion": "1.0.0"
}
}
]
}