HackTool - Default PowerSploit/Empire Scheduled Task Creation

About the rule

Rule Type

Standard

Rule Description

Detects the creation of a schtask via PowerSploit or Empire Default Configuration.

Severity

Trouble

Rule journey

Attack chain scenario

Initial compromise → Framework execution → Task creation → Alert triggered → Privilege escalation → C2 communication

Impact

• Persistent access
• Privilege escalation
• Evasion techniques
• Command execution

Rule Requirement

Prerequisites

• Using Windows event viewer:

To enable detailed process auditing with command line tracking, first log in to a domain controller using domain admin credentials. Open the Group Policy Management Console (GPMC) by typing gpmc.msc in the Run dialog. You can either create a new Group Policy Object (GPO) or edit an existing one linked to the relevant organizational unit (OU). Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Detailed Tracking. Enable both Audit Process Creation and Audit Process Termination by right-clicking each, selecting Properties, choosing Configure the following audit events, and checking the Success box. To include command-line data in the logs, go to Computer Configuration > Administrative Templates > System > Audit Process Creation, enable the policy Include command line in process creation events, and click OK. Finally, create the registry key "Microsoft-Windows-Security-Auditing/Operational" under *Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog* to ensure the logging channel is active.

• Using Sysmon:

To begin, download and install Sysmon from Microsoft Sysinternals and run Command Prompt as an administrator. Create or obtain a Sysmon configuration file that includes process creation monitoring, then install Sysmon using the command sysmon.exe -i [configfile.xml]. Ensure the configuration includes a <ProcessCreate> rule to capture all process creation events. Finally, if it doesn't already exist, create the registry key "Microsoft-Windows-Sysmon/Operational" under Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\ to enable event logging.

Criteria

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

• Execution: Scheduled Task/Job - Scheduled Task (T1053.005)
• Persistence: Scheduled Task/Job - Scheduled Task (T1053.005)
• Privilege Escalation: Scheduled Task/Job - Scheduled Task (T1053.005)
• Execution: Command and Scripting Interpreter - PowerShell (T1059.001)

Security Standards

Enabling this rule will help you meet the security standard's requirements listed below:

• NIST SP 800-53: AU-6 – Audit Review, Analysis, and Reporting
  Ensures that security-relevant events are reviewed and analyzed regularly.
  Enabling this rule helps identify unauthorized scheduled task creation via known attack tools, enabling timely analysis and reporting of malicious activity.
• NIST SP 800-53: SI-4 – System Monitoring
  Requires continuous monitoring for signs of attacks and unauthorized behavior.
  Triggering this rule helps by detecting Empire/PowerSploit persistence tactics, this rule supports proactive system monitoring for post-exploitation activities.
• NIST SP 800-53: AC-2 – Account Management
  Ensures that only authorized users and processes gain system access.
  Triggering this rule helps in detecting scheduled tasks created by unauthorized scripts can indicate misuse of accounts for persistence, aiding enforcement of access control.
• NIST SP 800-53: IR-5 – Incident Monitoring
  Requires tools to detect and respond to security incidents.
  Triggering this rule directly supports incident monitoring by flagging attacker behavior typical in post-compromise scenarios.
• NIST SP 800-137: Continuous Monitoring (ISCM)
  Mandates continuous assessment of security controls and risk posture.
  Triggering this rule helps in continuously detecting and monitoring systems for indicators of compromise linked to known attack frameworks.
• NIST SP 800-61: Computer Security Incident Handling Guide
  Provides guidance on detecting, analyzing, and responding to incidents.
  Triggering this rule supports early detection of attacker persistence techniques, enabling timely containment and response.

Author

Markus Neis, @Karneades

Future actions

Known False Positives

This rule might be triggered when legitimate administrators use PowerShell scripts to create scheduled tasks for automation or maintenance. It can also alert during authorized testing or red team exercises using Empire or similar tools.

Next Steps

When this rule is triggered, the following measures can be implemented:

1. Identification: Identify if the flagged event is a new incident or part of an existing incident.
2. Analysis: Analyze the impact and extent of the incident to comprehend the severity of the attack using Incident Workbench.
3. Response: Respond promptly by initiating an automated workflow to interrupt the network connections and cease the malicious process.
4. Containment: Isolate the affected host from the network to prevent lateral movement and further exploitation by the attacker.
5. Eradication: Remove the malicious scheduled task, disable the attacker's persistence mechanisms, and scan the system for additional backdoors or tools.

Mitigation