splApache-2.0from splunk/security_content
Short Lived Scheduled Task
The following analytic detects the creation and deletion of scheduled tasks within a short time frame (less than 30 seconds) using Windows Security EventCodes 4698 and 4699. This behavior is identified by analyzing Windows Security Event Logs and leveraging the Windows TA for parsing. Such activity is significant as it may indicate lateral movement or remote code execution attempts by adversaries. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or execution of malicious payloads, necessitating prompt investigation and response by security analysts.
Quality
67
FP risk
—
Forks
0
Views
0
Rule sourcedetections/endpoint/short_lived_scheduled_task.yml
`wineventlog_security` EventCode=4698 OR EventCode=4699
| xmlkv Message
| transaction Task_Name startswith=(EventCode=4698) endswith=(EventCode=4699)
| eval short_lived=case((duration<30),"TRUE")
| search short_lived = TRUE
| rename ComputerName as dest
| table _time, dest, Account_Name, Command, Task_Name, short_lived
| `short_lived_scheduled_task_filter`