Windows 4698


Martez Fields

Jul 25, 2024, 10:31:29 PM
to issuchorern

The Who, Where and When information is very important for an administrator to have complete knowledge of all activities that occur on their Active Directory. This helps them identify any desired / undesired activity happening. ADAudit Plus assists an administrator with this information in the form of reports. In real-time, ensure critical resources in the network like the Domain Controllers are audited, monitored and reported with the entire information on AD objects - Users, Groups, GPO, Computer, OU, DNS, AD Schema and Configuration changes with 200+ detailed event specific GUI reports and email alerts.

Through real-time email and SMS alerts, ADAudit Plus notifies the administrator about the scheduled tasks as and when they are created on the windows server, thus helping you meet your security, operational, and compliance needs with absolute ease.

Scheduled Tasks are also a great weapon for attackers to employ because they are available on all Windows operating systems and are simple to use, and most users are unaware that they exist. Even people who are knowledgeable may have difficulty determining which tasks are legitimate aspects of the operating system or apps they have installed and which of those are malicious. A number of threat groups are presently employing Scheduled Tasks to gain persistence. They could also be used to check for new content for a trojan or dropper on a regular basis via command and control channels.

To help automate recurring tasks, Windows includes a mechanism for scheduling the launch of programs or scripts based on specific time intervals. If configured incorrectly, this can become a flaw, allowing attackers to escalate privileges to root.

Create a rule with EventID 4688, 4698 or 4702 or Sysmon EventID 1, where the execution of the script is initiated by script.exe, wscript.exe, rundll32.exe, wmic.exe, cmd.exe, mshta.exe & powershell.exe. Hunt with this rule to stop unwanted entries of adversaries.

For persistence, adversaries may use task scheduling to execute scripts at system startup or on a regular basis. Scheduled tasks should be configured properly, particularly when executed as root, as they could compromise the entire system. This has been used as an exploitation vector for a long time, as there has always been a demand for automation, and today more than ever, there is a need for automation.

We are currently forwarding Windows security event 4698 to Splunk, and would like to be able to parse/extract a number of the XML fields. Is there a way that Splunk can be configured to do this, or will we need to create custom field extractions for the XML fields that we are interested in?

Just messing around in my environment, it looks like you can rex out the XML to another field and then use spath to find specific data in there. For example, this will put the XML for the task in a field called task_xml. Then pipe to spath and, looking at that new field, grab the Action execution settings (putting them in a new field called action_command).

The following analytic detects the creation of scheduled tasks designed to execute commands using native Windows shells like PowerShell, Cmd, Wscript, or Cscript. It leverages Windows Security EventCode 4698 to identify when such tasks are registered. This activity is significant as it may indicate an attempt to establish persistence or execute malicious commands on a system. If confirmed malicious, this could allow an attacker to maintain access, execute arbitrary code, or escalate privileges, posing a severe threat to the environment.

We had a similar issue with some of the laptops. After spending the whole day trying to fix the problem following multiple controversial advice on the internet, I ran the Windows 10 Media Creation Tool =691209 keeping the files and applications to upgrade to the latest state. No other problems since then. One of the laptops kept showing a weird incompatibility error, so I had to use a USB -v.io/create-bootable-usb-windows to upgrade the edition.

I was recently assigned to a project that uses QIIME, and I was assigned to a lab team that has been using QIIME for a long time. However, all of them run QIIME on a Mac and none of them has experience with using QIIME on Windows. Since I am a comp sci major, I have experience using VirtualBox throughout my college years. Do you think that if I work with QIIME on Windows I will run into difficulties with my other lab members, being the only one using Windows?

Hi Victoria_Alexandra,
If you have Windows 10, you can install Ubuntu (I mean Linux Subsystem for Windows) on it and then install qiime2 into it as part of the Windows. Basically, you will have a separate window with a new system and you can run qiime2 there.

On Windows systems, security event ID 4698 (A scheduled task was created) provides information on newly created scheduled tasks. It includes the TaskContent field, which contains an XML blob that captures key information on the scheduled task including the command to be executed.

Monitor for newly constructed scheduled jobs. If scheduled tasks are not used for persistence, then the adversary is likely to remove the task when the action is complete. On Windows, enable the "Microsoft-Windows-TaskScheduler/Operational" setting within the event logging service where several events will then be logged on scheduled task activity, including:[2]

Monitor for newly constructed scheduled jobs. Legitimate scheduled tasks may be created during installation of new software or through system administration functions. Look for changes to tasks that do not correlate with known software, patch cycles, etc.

Monitor for newly constructed scheduled jobs by enabling the "Microsoft-Windows-TaskScheduler/Operational" setting within the event logging service. [2] Several events will then be logged on scheduled task activity, including: Event ID 106 on Windows 7, Server 2008 R2 - Scheduled task registered; Event ID 4698 on Windows 10, Server 2016 - Scheduled task created; Event ID 4700 on Windows 10, Server 2016 - Scheduled task enabled; Event ID 4701 on Windows 10, Server 2016 - Scheduled task disabled.

Note: Detection of the creation or modification of Scheduled Tasks with a suspicious script, extension or user-writable path. Attackers may create or modify Scheduled Tasks for the persistent execution of malicious code. This detection focuses simultaneously on EventIDs 4688 and 1 with process creation (SCHTASKS) and on EventIDs 4698 and 4702 for Scheduled Task creation/modification event logs.

On Windows, Event ID 4698 (Security Log - A scheduled task was created) can be used to alert on the creation of scheduled tasks and provides metadata including the task name and task content (as XML).

Watch the video below where we demonstrate how to simulate Lateral Movement techniques using Metasploit, Impacket and PurpleSharp. We then collect and analyze the resulting telemetry to test our detections using Splunk in a lab environment built with the Attack Range.

Lateral Movement techniques enable attackers to expand their access in the network and obtain code execution on remote systems. Threat actors are typically required to perform lateral movement as achieving operational success requires exploring the target network to find the objectives. Since lateral movement is often a necessary step in a breach, it is important for cyber defenders to deploy detection coverage.

The first step is to gain a good understanding of the telemetry generated by the execution of these techniques. This intelligence can drive our logging requirements as well as content prioritization.

From an authentication perspective, there are two main scenarios in which lateral movement can occur. These scenarios generate different authentication events on domain controllers as well as the source and target systems. Please note this is not intended to be a complete list.

A common vector available to attackers for moving laterally is to abuse command line administration tools available out of the box on Windows endpoints. Tools like sc.exe, wmic.exe, schtasks.exe, winrs.exe, PowerShell and others can be abused to interact with remote services and obtain remote code execution.

Process and Command Line logging (Windows Security Event Id 4688, Sysmon, or any CIM compliant EDR technology) across all domain endpoints can help us identify compromised endpoints being used as a pivot to move laterally.

The goal of lateral movement is to ultimately obtain code execution on the target endpoint by spawning a malicious process. Abusing the mentioned administrative features introduces an interesting detection opportunity for blue teams: the offending process will be spawned from known parent processes. Looking for suspicious child processes spawned off of this list may uncover lateral movement behavior.

Process and Command Line logging (Windows Security Event Id 4688, Sysmon, or any CIM compliant EDR technology) across all domain endpoints can help us identify the targets of lateral movement techniques.

The operators of the Ryuk ransomware are known to leverage wmic.exe for lateral movement. NOBELIUM, the actor who carried out the most sophisticated nation-state cyber-attack in history, leveraged PowerShell and WMI as well as schtasks.exe to obtain remote code execution.

The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of PowerShell with arguments utilized to start a process on a remote endpoint by abusing the DCOM protocol. Specifically, this search looks for the abuse of ShellExecute and ExecuteShellCommand.

This analytic looks for the execution of powershell.exe with arguments utilized to start a process on a remote endpoint by abusing the DCOM protocol. Specifically, this search looks for the abuse of ShellExecute and ExecuteShellCommand.

The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of PowerShell with arguments utilized to start a process on a remote endpoint by abusing the WinRM protocol. Specifically, this search looks for the abuse of the Invoke-Command commandlet.
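As an added example that is not part of the post above and is not code from Splunk, ManageEngine or MITRE, the following Python script ties together the hunting rule (4698 tasks whose action runs cmd.exe, powershell.exe, wscript.exe, cscript.exe, mshta.exe, rundll32.exe or wmic.exe), the XML-extraction question (pulling the TaskContent blob out of the event and reading the Actions/Exec/Command settings) and the note about user-writable paths. The two events it processes are constructed sample data, not real logs; the element names follow the published 4698 event schema (SubjectUserName, TaskName, TaskContent) and the Task Scheduler XML schema. The post's "script.exe" is read here as cscript.exe, and the user-writable path pattern is this example's own heuristic, not one the post specifies.

```python
"""Parse Windows Security event 4698 and flag risky scheduled-task actions.

Added example for the discussion above; the events below are constructed
samples, not real Security log entries.
"""
import ntpath
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"

# Script hosts from the hunting rule in the post; the post's "script.exe"
# is taken to mean cscript.exe (assumption).
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "wmic.exe"}

# User-writable location heuristic (this example's assumption, not from the post).
USER_WRITABLE = re.compile(
    r"\\(users|programdata|temp|appdata)\\|%(temp|tmp|appdata|localappdata|public)%",
    re.IGNORECASE,
)


def parse_task_content(task_content: str) -> list[dict]:
    """Return the <Exec> actions of a TaskContent blob as command/arguments dicts."""
    # TaskContent carries its own XML declaration (encoding="UTF-16"); strip it
    # because the text handed to us has already been decoded.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", task_content)
    root = ET.fromstring(body)
    ns = {"t": TASK_NS}
    actions = []
    for ex in root.findall("t:Actions/t:Exec", ns):
        actions.append({
            "command": ex.findtext("t:Command", default="", namespaces=ns).strip(),
            "arguments": ex.findtext("t:Arguments", default="", namespaces=ns).strip(),
        })
    return actions


def parse_4698(event_xml: str) -> dict:
    """Extract who created which task, and what it runs, from one 4698 event."""
    root = ET.fromstring(event_xml)
    ns = {"e": EVT_NS}
    event_id = root.findtext("e:System/e:EventID", namespaces=ns)
    if event_id != "4698":
        raise ValueError(f"expected EventID 4698, got {event_id}")
    # EventData is a flat list of <Data Name="..."> elements; TaskContent is the
    # escaped task XML, which ElementTree unescapes back into text for us.
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", ns)}
    return {
        "computer": root.findtext("e:System/e:Computer", default="", namespaces=ns),
        "subject": f"{data.get('SubjectDomainName', '')}\\{data.get('SubjectUserName', '')}",
        "task_name": data.get("TaskName", ""),
        "actions": parse_task_content(data.get("TaskContent", "<Task/>")),
    }


def assess(record: dict) -> list[str]:
    """Reasons the record matches the hunt; an empty list means no match."""
    reasons = []
    for action in record["actions"]:
        exe = ntpath.basename(action["command"].strip('"')).lower()
        if exe and "." not in exe:
            exe += ".exe"  # a bare "powershell" resolves to powershell.exe at run time
        if exe in SCRIPT_HOSTS:
            reasons.append(f"action runs script host {exe}")
        if USER_WRITABLE.search(f"{action['command']} {action['arguments']}"):
            reasons.append("action references a user-writable path")
    return reasons


def hunt(events: list[str]) -> list[dict]:
    """Parse and assess every event; return only the ones worth a look."""
    hits = []
    for event_xml in events:
        record = parse_4698(event_xml)
        reasons = assess(record)
        if reasons:
            hits.append({**record, "reasons": reasons})
    return hits


def make_event(task_name, command, arguments, user="jdoe", computer="WS01.corp.example"):
    """Build a constructed 4698 event in the shape Windows renders it as XML."""
    task_xml = (
        '<?xml version="1.0" encoding="UTF-16"?>'
        f'<Task version="1.2" xmlns="{TASK_NS}">'
        "<Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>"
        '<Actions Context="Author"><Exec>'
        f"<Command>{escape(command)}</Command><Arguments>{escape(arguments)}</Arguments>"
        "</Exec></Actions></Task>"
    )
    return (
        f'<Event xmlns="{EVT_NS}"><System>'
        '<Provider Name="Microsoft-Windows-Security-Auditing"/>'
        f"<EventID>4698</EventID><Computer>{computer}</Computer></System><EventData>"
        f'<Data Name="SubjectUserName">{user}</Data>'
        '<Data Name="SubjectDomainName">CORP</Data>'
        f'<Data Name="TaskName">{escape(task_name)}</Data>'
        f'<Data Name="TaskContent">{escape(task_xml)}</Data>'
        "</EventData></Event>"
    )


# Constructed samples: a vendor-style backup task and a task that runs a
# PowerShell script from a user-writable directory.
SAMPLE_EVENTS = [
    make_event(r"\ExampleBackup\Nightly", r"C:\Program Files\Example Backup\backup.exe", "/full"),
    make_event(r"\Microsoft\Windows\Updater",
               r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               r"-File C:\Users\Public\update.ps1"),
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["computer"], hit["subject"], hit["task_name"], "; ".join(hit["reasons"]))
```

The same split (event envelope first, then the TaskContent blob as its own document) is what the rex-then-spath approach does in Splunk; doing it in a script lets you add the path heuristic and the parent-process correlation with 4688 that the Splunk search alone does not give you.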
