elastic · tradebot-elastic · May 5, 2026
@@ -0,0 +1,149 @@
+[[prebuilt-rule-8-19-23-a-scheduled-task-was-created]]
+=== A scheduled task was created
+
+Indicates the creation of a scheduled task using Windows event logs. Adversaries can use these to establish persistence, move laterally, and/or escalate privileges.
+
+*Rule type*: eql
+
+*Rule indices*: 
+
+* logs-system.security*
+* logs-windows.forwarded*
+* winlogbeat-*
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 5m
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*: 
+
+* https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698
+
+*Tags*: 
+
+* Domain: Endpoint
+* OS: Windows
+* Use Case: Threat Detection
+* Tactic: Persistence
+* Data Source: Windows Security Event Logs
+* Resources: Investigation Guide
+
+*Version*: 115
+
+*Rule authors*: 
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+
+*Triage and analysis*
+
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+
+*Investigating A scheduled task was created*
+
+
+Scheduled tasks in Windows automate routine tasks, enhancing efficiency. However, adversaries exploit this feature to maintain persistence, move laterally, or escalate privileges by creating malicious tasks. The detection rule identifies suspicious task creation by filtering out benign tasks and those initiated by system accounts, focusing on potential threats. This approach helps security analysts pinpoint unauthorized task creation indicative of malicious activity.
+
+
+*Possible investigation steps*
+
+
+- Review the user account associated with the task creation to determine if it is a known and authorized user, ensuring it is not a system account by checking that the username does not end with a dollar sign.
+- Examine the task name and path in the event data to identify if it matches any known benign tasks or if it appears suspicious or unfamiliar.
+- Investigate the origin of the task creation by checking the source IP address or hostname, if available, to determine if it aligns with expected network activity.
+- Check the task's scheduled actions and triggers to understand what the task is designed to execute and when, looking for any potentially harmful or unexpected actions.
+- Correlate the task creation event with other security events or logs around the same time to identify any related suspicious activities or anomalies.
+
+
+*False positive analysis*
+
+
+- Scheduled tasks created by system accounts or computer accounts are often benign. These can be excluded by filtering out user names ending with a dollar sign, which typically represent system accounts.
+- Tasks associated with common software updates or maintenance, such as those from Hewlett-Packard or Microsoft Visual Studio, are generally non-threatening. These can be excluded by specifying their full task names in the exclusion list.
+- OneDrive update tasks are frequently triggered and are usually safe. Exclude these by using patterns that match their task names, such as those starting with "OneDrive Standalone Update Task".
+- Regularly review and update the exclusion list to include any new benign tasks that are identified over time, ensuring that the rule remains effective without generating unnecessary alerts.
+
+
+*Response and remediation*
+
+
+- Immediately isolate the affected system from the network to prevent potential lateral movement by the adversary.
+- Terminate any suspicious scheduled tasks identified by the alert to halt any ongoing malicious activity.
+- Conduct a thorough review of the system's scheduled tasks to identify and remove any other unauthorized or suspicious tasks.
+- Restore the system from a known good backup if any malicious activity has been confirmed and has potentially compromised system integrity.
+- Update and patch the system to the latest security standards to close any vulnerabilities that may have been exploited.
+- Monitor the system and network for any signs of re-infection or further unauthorized scheduled task creation.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
+
+==== Setup
+
+
+
+*Setup*
+
+
+Audit Other Object Access Events must be enabled to generate the events used by this rule.
+Setup instructions: https://ela.st/audit-other-object-access-events
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+iam where host.os.type == "windows" and event.action == "scheduled-task-created" and
+
+ /* excluding tasks created by the computer account */
+ not user.name : "*$" and
+
+ /* TaskContent is not parsed, exclude by full taskname noisy ones */
+ not winlog.event_data.TaskName : (
+              "\\CreateExplorerShellUnelevatedTask",
+              "\\Hewlett-Packard\\HPDeviceCheck",
+              "\\Hewlett-Packard\\HP Support Assistant\\WarrantyChecker",
+              "\\Hewlett-Packard\\HP Support Assistant\\WarrantyChecker_backup",
+              "\\Hewlett-Packard\\HP Web Products Detection",
+              "\\Microsoft\\VisualStudio\\Updates\\BackgroundDownload",
+              "\\OneDrive Standalone Update Task-S-1-5-21*",
+              "\\OneDrive Standalone Update Task-S-1-12-1-*",
+              "\\SoftLanding\\S-1-5-21-*\\SoftLanding*",
+              "\\SoftLanding\\S-1-12-*\\SoftLanding*",
+              "\\OneDrive Reporting Task-S-1-5-21-*",
+              "\\OneDrive Reporting Task-S-1-12-1-*",
+              "\\GoogleUserPEH\\RunPlatformExperienceHelper*",
+              "\\Mozilla\\Firefox Default Browser Agent*",
+              "\\Microsoft\\Office\\Office Background Push Maintenance",
+              "\\Microsoft\\Windows\\GroupPolicy\\GPUpdate"
+ )
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Persistence
+** ID: TA0003
+** Reference URL: https://attack.mitre.org/tactics/TA0003/
+* Technique:
+** Name: Scheduled Task/Job
+** ID: T1053
+** Reference URL: https://attack.mitre.org/techniques/T1053/
+* Sub-technique:
+** Name: Scheduled Task
+** ID: T1053.005
+** Reference URL: https://attack.mitre.org/techniques/T1053/005/
@@ -0,0 +1,131 @@
+[[prebuilt-rule-8-19-23-abnormally-large-dns-response]]
+=== Abnormally Large DNS Response
+
+Specially crafted DNS requests can manipulate a known overflow vulnerability in some Windows DNS servers, resulting in Remote Code Execution (RCE) or a Denial of Service (DoS) from crashing the service.
+
+*Rule type*: query
+
+*Rule indices*: 
+
+* logs-network_traffic.*
+* logs-panw.panos*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5m
+
+*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*: 
+
+* https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/
+* https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/
+* https://github.com/maxpl0it/CVE-2020-1350-DoS
+* https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability
+
+*Tags*: 
+
+* Use Case: Threat Detection
+* Tactic: Lateral Movement
+* Tactic: Impact
+* Resources: Investigation Guide
+* Use Case: Vulnerability
+* Data Source: PAN-OS
+* Data Source: Network Traffic
+
+*Version*: 110
+
+*Rule authors*: 
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+
+*Triage and analysis*
+
+
+
+*Investigating Abnormally Large DNS Response*
+
+
+Detection alerts from this rule indicate possible anomalous activity around large byte DNS responses from a Windows DNS server. This detection rule was created based on activity represented in exploitation of vulnerability (CVE-2020-1350) also known as https://www.elastic.co/blog/detection-rules-for-sigred-vulnerability[SigRed] during July 2020.
+
+
+*Possible investigation steps*
+
+
+- This specific rule is sourced from network log activity such as DNS or network level data. It's important to validate the source of the incoming traffic and determine if this activity has been observed previously within an environment.
+- Activity can be further investigated and validated by reviewing any associated Intrusion Detection Signatures (IDS) alerts.
+- Further examination can include a review of the `dns.question_type` network fieldset with a protocol analyzer, such as Zeek, Packetbeat, or Suricata, for `SIG` or `RRSIG` data.
+- Validate the patch level and OS of the targeted DNS server to validate the observed activity was not large-scale internet vulnerability scanning.
+- Validate that the source of the network activity was not from an authorized vulnerability scan or compromise assessment.
+
+
+*False positive analysis*
+
+
+- Based on this rule, which looks for a threshold of 60k bytes, it is possible for activity to be generated under 65k bytes and related to legitimate behavior. In packet capture files received by the https://isc.sans.edu/forums/diary/PATCH+NOW+SIGRed+CVE20201350+Microsoft+DNS+Server+Vulnerability/26356/[SANS Internet Storm Center], byte responses were all observed as greater than 65k bytes.
+- This activity can be triggered by compliance/vulnerability scanning or compromise assessment; it's important to determine the source of the activity and potentially allowlist the source host.
+
+
+*Related rules*
+
+
+- Unusual Child Process of dns.exe - 8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45
+- Unusual File Modification by dns.exe - c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9
+
+
+*Response and remediation*
+
+
+- Initiate the incident response process based on the outcome of the triage.
+- Ensure that you have deployed the latest Microsoft https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350[Security Update] (Monthly Rollup or Security Only) and restarted the patched machines. If unable to patch immediately, Microsoft https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability[released] a registry-based workaround that doesn’t require a restart. This can be used as a temporary solution before the patch is applied.
+- Maintain backups of your critical systems to aid in quick recovery.
+- Perform routine vulnerability scans of your systems, monitor https://us-cert.cisa.gov/ncas/current-activity[CISA advisories] and patch identified vulnerabilities.
+- If you observe a true positive, implement a remediation plan and monitor host-based artifacts for additional post-exploitation behavior.
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+((event.category:(network or network_traffic) and destination.port:53) 
+      or network.protocol:"dns" 
+      or data_stream.dataset:(network_traffic.dns or zeek.dns))
+    and destination.bytes > 60000
+    and event.type:("allowed" or "end" or "protocol" or "start")
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Lateral Movement
+** ID: TA0008
+** Reference URL: https://attack.mitre.org/tactics/TA0008/
+* Technique:
+** Name: Exploitation of Remote Services
+** ID: T1210
+** Reference URL: https://attack.mitre.org/techniques/T1210/
+* Tactic:
+** Name: Impact
+** ID: TA0040
+** Reference URL: https://attack.mitre.org/tactics/TA0040/
+* Technique:
+** Name: Endpoint Denial of Service
+** ID: T1499
+** Reference URL: https://attack.mitre.org/techniques/T1499/
+* Sub-technique:
+** Name: Application or System Exploitation
+** ID: T1499.004
+** Reference URL: https://attack.mitre.org/techniques/T1499/004/