Update "Short Lived Scheduled Task"#4152
Conversation
| | xmlkv object_attrs | ||
| | transaction TaskName dest startswith=(EventCode=4698) endswith=(EventCode=4699) maxspan=30s | ||
| | stats count, min(_time) AS firstTime, max(_time) AS lastTime by Command, TaskName, user, dest | ||
| | `security_content_ctime(firstTime)` | ||
| | `security_content_ctime(lastTime)` | ||
| | `short_lived_scheduled_task_filter` |
There was a problem hiding this comment.
The rule was written against the raw event not the XML one. So please re-generate the attack_data so that it contains the XML version of the logs.
There was a problem hiding this comment.
The rule was written against the raw event not the XML one. So please re-generate the attack_data so that it contains the XML version of the logs.
I see that specific attack_data file contains a lot more events (not just 4698 and 4699) right now.
Would it be sufficient to replace them with one 4698 and another 4699, which would produce a result of this detection?
I don't have an attack range environment to fully simulate and capture a snapshot of the whole activity.
There was a problem hiding this comment.
Yeah the attack is polluted with other events because the OG author exported all from their lab. But we only need the 4698 / 4699 portions.
We have to re-generate the attack before merging just to keep the logic and test data consistent. Since the OG search used fields based on that.
I will get to this PR by the next release and I will try and get the data if its not provided by then.
There was a problem hiding this comment.
I can offer this for 4698:
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4698</EventID><Version>1</Version><Level>0</Level><Task>12804</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2026-06-30T08:17:42.9928292Z'/><EventRecordID>95483097</EventRecordID><Correlation ActivityID='{f7200ea3-f7f4-4f15-a159-d8514faf98cc}'/><Execution ProcessID='1212' ThreadID='8460'/><Channel>Security</Channel><Computer>win-host-987.attackrange.local</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>ATTACKRANGE\Administrator</Data><Data Name='SubjectUserName'>Administrator</Data><Data Name='SubjectDomainName'>ATTACKRANGE</Data><Data Name='SubjectLogonId'>0x9ab408a</Data><Data Name='TaskName'>\evilTask</Data><Data Name='TaskContent'><?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo>
<Author>ATTACKRANGE\Administrator</Author>
<URI>\evilTask</URI>
</RegistrationInfo>
<Triggers>
<RegistrationTrigger>
<Enabled>true</Enabled>
</RegistrationTrigger>
</Triggers>
<Principals>
<Principal id="Author">
<GroupId>Builtin\Users</GroupId>
<RunLevel>LeastPrivilege</RunLevel>
</Principal>
</Principals>
<Settings>
<MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
<AllowHardTerminate>true</AllowHardTerminate>
<StartWhenAvailable>false</StartWhenAvailable>
<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings>
<StopOnIdleEnd>true</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand>
<Enabled>true</Enabled>
<Hidden>false</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle>
<WakeToRun>false</WakeToRun>
<ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
<Priority>7</Priority>
</Settings>
<Actions Context="Author">
<Exec>
<Command>C:\metE.exe</Command>
</Exec>
</Actions>
</Task></Data><Data Name='ClientProcessStartKey'>158470411888107188</Data><Data Name='ClientProcessId'>14944</Data><Data Name='ParentProcessId'>19844</Data><Data Name='RpcCallClientLocality'>0</Data><Data Name='FQDN'>win-host-987.attackrange.local</Data></EventData></Event>and for 4699:
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4699</EventID><Version>1</Version><Level>0</Level><Task>12804</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2026-06-30T08:17:42.9828414Z'/><EventRecordID>95483095</EventRecordID><Correlation ActivityID='{20c46fa1-5a43-4317-bd35-a47e8051d3f1}'/><Execution ProcessID='1212' ThreadID='8460'/><Channel>Security</Channel><Computer>win-host-987.attackrange.local</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>ATTACKRANGE\Administrator</Data><Data Name='SubjectUserName'>Administrator</Data><Data Name='SubjectDomainName'>ATTACKRANGE</Data><Data Name='SubjectLogonId'>0x9ab408a</Data><Data Name='TaskName'>\evilTask</Data><Data Name='TaskContent'></Data><Data Name='ClientProcessStartKey'>158470411888107188</Data><Data Name='ClientProcessId'>14944</Data><Data Name='ParentProcessId'>19844</Data><Data Name='RpcCallClientLocality'>0</Data><Data Name='FQDN'>win-host-987.attackrange.local</Data></EventData></Event>It's scrubbed data from a dev system.
There was a problem hiding this comment.
Cheers. I will take care of it and upload the necessary data
I believe this detection was built on non-XML Windows Events. As such it does not work in modern environments.
Messagefield from| xmlkv Messagedoesn't really exist in XML events, nor does theTask_Nameform thetransactioncommand. I think would be better to look atobject_attrsand fetch theCommandfield- an analyst would be greatful, I believe.transactioncommand should be updated to "group" also bydest, not justTaskName.maxspan=30sshould be sufficient to replace theevaland thesearchevaluation section.