Skip to content

Update "Short Lived Scheduled Task"#4152

Open
AndreiBanaru wants to merge 1 commit into
splunk:developfrom
AndreiBanaru:update-sch-task
Open

Update "Short Lived Scheduled Task"#4152
AndreiBanaru wants to merge 1 commit into
splunk:developfrom
AndreiBanaru:update-sch-task

Conversation

@AndreiBanaru

Copy link
Copy Markdown
Contributor

I believe this detection was built on non-XML Windows Events. As such it does not work in modern environments.

  • The Message field from | xmlkv Message doesn't really exist in XML events, nor does the Task_Name form the transaction command. I think would be better to look at object_attrs and fetch the Command field- an analyst would be greatful, I believe.
  • The transaction command should be updated to "group" also by dest, not just TaskName.
  • maxspan=30s should be sufficient to replace the eval and the search evaluation section.

Comment on lines +15 to +20
| xmlkv object_attrs
| transaction TaskName dest startswith=(EventCode=4698) endswith=(EventCode=4699) maxspan=30s
| stats count, min(_time) AS firstTime, max(_time) AS lastTime by Command, TaskName, user, dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `short_lived_scheduled_task_filter`

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The rule was written against the raw event not the XML one. So please re-generate the attack_data so that it contains the XML version of the logs.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The rule was written against the raw event not the XML one. So please re-generate the attack_data so that it contains the XML version of the logs.

I see that specific attack_data file contains a lot more events (not just 4698 and 4699) right now.
Would it be sufficient to replace them with one 4698 and another 4699, which would produce a result of this detection?

I don't have an attack range environment to fully simulate and capture a snapshot of the whole activity.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah the attack is polluted with other events because the OG author exported all from their lab. But we only need the 4698 / 4699 portions.

We have to re-generate the attack before merging just to keep the logic and test data consistent. Since the OG search used fields based on that.

I will get to this PR by the next release and I will try and get the data if its not provided by then.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can offer this for 4698:

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4698</EventID><Version>1</Version><Level>0</Level><Task>12804</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2026-06-30T08:17:42.9928292Z'/><EventRecordID>95483097</EventRecordID><Correlation ActivityID='{f7200ea3-f7f4-4f15-a159-d8514faf98cc}'/><Execution ProcessID='1212' ThreadID='8460'/><Channel>Security</Channel><Computer>win-host-987.attackrange.local</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>ATTACKRANGE\Administrator</Data><Data Name='SubjectUserName'>Administrator</Data><Data Name='SubjectDomainName'>ATTACKRANGE</Data><Data Name='SubjectLogonId'>0x9ab408a</Data><Data Name='TaskName'>\evilTask</Data><Data Name='TaskContent'>&lt;?xml version="1.0" encoding="UTF-16"?&gt;
&lt;Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"&gt;
  &lt;RegistrationInfo&gt;
    &lt;Author&gt;ATTACKRANGE\Administrator&lt;/Author&gt;
    &lt;URI&gt;\evilTask&lt;/URI&gt;
  &lt;/RegistrationInfo&gt;
  &lt;Triggers&gt;
    &lt;RegistrationTrigger&gt;
      &lt;Enabled&gt;true&lt;/Enabled&gt;
    &lt;/RegistrationTrigger&gt;
  &lt;/Triggers&gt;
  &lt;Principals&gt;
    &lt;Principal id="Author"&gt;
      &lt;GroupId&gt;Builtin\Users&lt;/GroupId&gt;
      &lt;RunLevel&gt;LeastPrivilege&lt;/RunLevel&gt;
    &lt;/Principal&gt;
  &lt;/Principals&gt;
  &lt;Settings&gt;
    &lt;MultipleInstancesPolicy&gt;Parallel&lt;/MultipleInstancesPolicy&gt;
    &lt;DisallowStartIfOnBatteries&gt;true&lt;/DisallowStartIfOnBatteries&gt;
    &lt;StopIfGoingOnBatteries&gt;true&lt;/StopIfGoingOnBatteries&gt;
    &lt;AllowHardTerminate&gt;true&lt;/AllowHardTerminate&gt;
    &lt;StartWhenAvailable&gt;false&lt;/StartWhenAvailable&gt;
    &lt;RunOnlyIfNetworkAvailable&gt;false&lt;/RunOnlyIfNetworkAvailable&gt;
    &lt;IdleSettings&gt;
      &lt;StopOnIdleEnd&gt;true&lt;/StopOnIdleEnd&gt;
      &lt;RestartOnIdle&gt;false&lt;/RestartOnIdle&gt;
    &lt;/IdleSettings&gt;
    &lt;AllowStartOnDemand&gt;true&lt;/AllowStartOnDemand&gt;
    &lt;Enabled&gt;true&lt;/Enabled&gt;
    &lt;Hidden&gt;false&lt;/Hidden&gt;
    &lt;RunOnlyIfIdle&gt;false&lt;/RunOnlyIfIdle&gt;
    &lt;WakeToRun&gt;false&lt;/WakeToRun&gt;
    &lt;ExecutionTimeLimit&gt;PT0S&lt;/ExecutionTimeLimit&gt;
    &lt;Priority&gt;7&lt;/Priority&gt;
  &lt;/Settings&gt;
  &lt;Actions Context="Author"&gt;
    &lt;Exec&gt;
      &lt;Command&gt;C:\metE.exe&lt;/Command&gt;
    &lt;/Exec&gt;
  &lt;/Actions&gt;
&lt;/Task&gt;</Data><Data Name='ClientProcessStartKey'>158470411888107188</Data><Data Name='ClientProcessId'>14944</Data><Data Name='ParentProcessId'>19844</Data><Data Name='RpcCallClientLocality'>0</Data><Data Name='FQDN'>win-host-987.attackrange.local</Data></EventData></Event>

and for 4699:

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4699</EventID><Version>1</Version><Level>0</Level><Task>12804</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2026-06-30T08:17:42.9828414Z'/><EventRecordID>95483095</EventRecordID><Correlation ActivityID='{20c46fa1-5a43-4317-bd35-a47e8051d3f1}'/><Execution ProcessID='1212' ThreadID='8460'/><Channel>Security</Channel><Computer>win-host-987.attackrange.local</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>ATTACKRANGE\Administrator</Data><Data Name='SubjectUserName'>Administrator</Data><Data Name='SubjectDomainName'>ATTACKRANGE</Data><Data Name='SubjectLogonId'>0x9ab408a</Data><Data Name='TaskName'>\evilTask</Data><Data Name='TaskContent'></Data><Data Name='ClientProcessStartKey'>158470411888107188</Data><Data Name='ClientProcessId'>14944</Data><Data Name='ParentProcessId'>19844</Data><Data Name='RpcCallClientLocality'>0</Data><Data Name='FQDN'>win-host-987.attackrange.local</Data></EventData></Event>

It's scrubbed data from a dev system.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cheers. I will take care of it and upload the necessary data

@nasbench nasbench added this to the V6.3.0 milestone Jul 7, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants