```yaml
title: Native schtasks Remote Task Creation with UNC Target
id: edr-win-lat-schtasks-remote
status: experimental
description: >
  Detects native schtasks.exe abuse for lateral movement via the ATSvc / TSSched
  DCERPC interfaces. Operators use schtasks /S <target> to create, run, and
  often immediately delete a scheduled task on a remote host. The behavioral
  chokepoint is a remote task whose /TR (task command) points at a UNC path —
  the target is about to execute something it does not have on disk.
  Covers TheGentlemen's --spread module (Check Point DFIR, Apr 2026) and any
  ransomware using raw schtasks rather than Impacket AtExec. Separate from
  edr-win-lat-impacket-wmiexec, which covers AtExec's output-redirection
  fingerprint target-side.
references:
  - https://research.checkpoint.com/2026/dfir-report-the-gentlemen/
  - https://attack.mitre.org/techniques/T1053/005/
  - https://attack.mitre.org/techniques/T1021/002/
author: ShroudCloud
date: 2026/04/20
tags:
  - attack.lateral_movement
  - attack.execution
  - attack.persistence
  - attack.t1053.005
  - attack.t1021.002
logsource:
  category: process_creation
  product: windows
detection:
  selection_source_remote:
    Image|endswith: '\schtasks.exe'
    CommandLine|contains: '/S '
  selection_source_runas_system:
    Image|endswith: '\schtasks.exe'
    CommandLine|contains|all:
      - '/S '
      - '/RU'
    CommandLine|contains:
      - 'SYSTEM'
      - '"NT AUTHORITY\SYSTEM"'
  selection_source_unc_tr:
    Image|endswith: '\schtasks.exe'
    CommandLine|contains|all:
      - '/S '
      - '/TR'
      - '\\\\'
  filter_gpo_source:
    ParentImage|endswith:
      - '\gpscript.exe'
      - '\taskhostw.exe'
  condition: (selection_source_remote and (selection_source_runas_system or selection_source_unc_tr)) and not filter_gpo_source
falsepositives:
  - Legitimate admin scripts or deployment tooling creating remote scheduled tasks — baseline by source host and user
  - GPO-driven task deployment (filtered when parent is gpscript.exe)
level: high
```
## Detection Logic Notes
### Why this rule exists separately from `edr-win-lat-impacket-wmiexec`
That rule covers Impacket AtExec's target-side output-redirection pattern (`cmd.exe → C:\Windows\Temp\...` with `&1`). This rule covers the native `schtasks.exe` source-side invocation — a different evidence path:
- **Impacket AtExec:** Python client (often invisible) → target sees `svchost.exe`/`taskeng.exe` spawning `cmd.exe` with Windows\Temp redirection
- **Native `schtasks /S`:** visible source-side binary with `/S <remote>` + `/RU SYSTEM` + UNC `/TR`; target sees Event ID 4698 but no redirection artifact
### The behavioral chokepoint
Legitimate admin use of `schtasks /S` is rare. When it happens, the tasks are almost always pointed at locally installed binaries. A remote task whose `/TR` points at `\\<source>\...` is a binary-grade anomaly: the target will fetch the executable over the network at the scheduled time. This is operator tradecraft, not enterprise administration.
### Complementary target-side detection
Pair this rule with Security Event ID 4698 monitoring for tasks whose `Actions/Exec/Command` contains a UNC path, especially when the task trigger is `/SC ONCE`. That gives you coverage when the source-side `schtasks.exe` telemetry is missing (e.g., operator executing from an unmanaged host).
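To make the source-side condition above and the paired target-side 4698 check concrete, here is an added Python rendering of both (not code from the rule, its author, or any project it references). Hostnames, paths and the sample events are constructed; Sigma string matching is case-insensitive, so the port lowercases everything first.

```python
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

def matches_schtasks_rule(event: dict) -> bool:
    """Source-side check mirroring the Sigma condition (case-insensitive, like Sigma)."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    parent = event.get("ParentImage", "").lower()
    # selection_source_remote: schtasks.exe invoked with a '/S <target>' argument
    if not image.endswith("\\schtasks.exe") or "/s " not in cmd:
        return False
    # selection_source_runas_system ('"NT AUTHORITY\SYSTEM"' also contains SYSTEM)
    runas_system = "/ru" in cmd and "system" in cmd
    # selection_source_unc_tr: /TR present and a literal '\\' UNC prefix somewhere
    unc_tr = "/tr" in cmd and "\\\\" in cmd
    if not (runas_system or unc_tr):
        return False
    # filter_gpo_source: GPO startup scripts and the task host are expected parents
    return not (parent.endswith("\\gpscript.exe") or parent.endswith("\\taskhostw.exe"))

def unc_task_from_4698(task_content: str) -> tuple:
    """Target-side: (command_is_unc, has_time_trigger) from 4698 TaskContent; /SC ONCE gives a TimeTrigger."""
    root = ET.fromstring(task_content)
    commands = [(c.text or "").strip().strip('"')
                for c in root.findall(".//t:Actions/t:Exec/t:Command", TASK_NS)]
    is_unc = any(c.startswith("\\\\") for c in commands)
    once = root.find(".//t:Triggers/t:TimeTrigger", TASK_NS) is not None
    return is_unc, once

# Constructed sample telemetry (made-up hosts and paths): an operator-style remote
# creation, a GPO-driven one the filter suppresses, and a purely local task.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks /Create /S FILESRV01 /RU SYSTEM /SC ONCE /ST 23:59 /TN upd /TR "\\WS-17\share\run.exe"'},
    {"Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": r"C:\Windows\System32\gpscript.exe",
     "CommandLine": r"schtasks /Create /S FILESRV01 /RU SYSTEM /TN Inventory /TR C:\Tools\inv.exe /SC DAILY"},
    {"Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"schtasks /Create /TN Backup /TR C:\Tools\backup.exe /SC DAILY"},
]
# Constructed TaskContent as the target's 4698 event would carry it (XML declaration omitted).
SAMPLE_4698_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><StartBoundary>2026-04-20T23:59:00</StartBoundary></TimeTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>\\WS-17\share\run.exe</Command></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(matches_schtasks_rule(ev), ev["CommandLine"])
    print(unc_task_from_4698(SAMPLE_4698_TASK))  # (True, True)
```

Only the first sample event fires; the GPO-parented creation is suppressed by the filter and the local task never passes `selection_source_remote`.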
### Known limitation
If the operator uses PowerShell's `Register-ScheduledTask -CimSession <target>` or the `ScheduledTasks` module, `schtasks.exe` is never invoked and this rule misses. That path is rarer in ransomware IR but worth baselining if you see it in your environment.