Unusual Scheduled Task Update

Identifies first-time modifications to scheduled tasks by user accounts, excluding system activity and machine accounts.

Rule type: new_terms
Rule indices:

• logs-system.security*
• logs-windows.forwarded*
• winlogbeat-*

Rule Severity: low
Risk Score: 21
Runs every:
Searches indices from: now-9m
Maximum alerts per execution: ?
References:

• https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698

Tags:

• Domain: Endpoint
• OS: Windows
• Use Case: Threat Detection
• Tactic: Persistence
• Data Source: Windows Security Event Logs

Version: ?
Rule authors:

• Elastic

Rule license: Elastic License v2

event.category: "iam" and event.code: "4702" and
  not winlog.event_data.SubjectUserSid: ("S-1-5-18" or "S-1-5-19" or "S-1-5-20") and
  not user.name : *$

Framework: MITRE ATT&CK

• Tactic:

  • Name: Persistence
  • Id: TA0003
  • Reference URL: https://attack.mitre.org/tactics/TA0003/

• Technique:

  • Name: Scheduled Task/Job
  • Id: T1053
  • Reference URL: https://attack.mitre.org/techniques/T1053/

• Sub Technique:

  • Name: Scheduled Task
  • Id: T1053.005
  • Reference URL: https://attack.mitre.org/techniques/T1053/005/