← Library
splApache-2.0from splunk/security_content

Schedule Task with Rundll32 Command Trigger

The following analytic detects the creation of scheduled tasks in Windows that use the rundll32 command. It leverages Windows Security EventCode 4698, which logs the creation of scheduled tasks, and filters for tasks executed via rundll32. This activity is significant as it is a common technique used by malware, such as TrickBot, to persist in an environment or deliver additional payloads. If confirmed malicious, this could lead to data theft, ransomware deployment, or other damaging outcomes. Immediate investigation and mitigation are crucial to prevent further compromise.

Quality
67
FP risk
Forks
0
Views
0
Rule sourcedetections/endpoint/schedule_task_with_rundll32_command_trigger.yml
`wineventlog_security` EventCode=4698
  | xmlkv Message
  | search Command IN ("*rundll32*")
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest, Task_Name, Command,
       Author, Enabled, Hidden,
       Arguments
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `schedule_task_with_rundll32_command_trigger_filter`