Scheduled Tasks From App Data Created Or Updated
Query
let Filters = dynamic(['AppData', '%localappdata%', '%appdata%']);
let Exclusions = dynamic([@'\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe', 'OneDriveLauncher.exe']);
DeviceEvents
| where ActionType in ('ScheduledTaskCreated', 'ScheduledTaskUpdated')
| where AdditionalFields has_any (Filters)
| extend ParsedAdditionalFields = parse_json(AdditionalFields)
| extend ScheduledTaskName = ParsedAdditionalFields.TaskName, Details = parse_json(ParsedAdditionalFields.TaskContent)
| where not(Details has_any (Exclusions))
| project-reorder Timestamp, DeviceName, ActionType, InitiatingProcessAccountUpn, ScheduledTaskName, DetailsAbout this query
Explanation
This query is designed to identify scheduled tasks on a system that have been created or updated with executables or scripts located in the AppData directory. This directory is often used by attackers to maintain persistence on a system without needing administrative privileges. The query specifically looks for tasks that are not related to OneDrive, as these are known to be false positives.
Here's a breakdown of what the query does:
-
Filters and Exclusions: It sets up filters to look for tasks associated with the
AppDatadirectory and excludes known benign tasks related to OneDrive. -
Data Source: It examines device events, specifically those indicating the creation or update of scheduled tasks.
-
Task Details: It extracts and parses additional fields to get the task name and content details.
-
Exclusion of False Positives: It ensures that tasks related to OneDrive are not included in the results.
-
Output: The query outputs relevant information such as the timestamp, device name, action type, user account, task name, and task details.
Overall, this query helps in detecting potential malicious activities by identifying suspicious scheduled tasks that could indicate malware persistence.
