Schtasks.exe used to force a reboot
Schtasks.exe is Windows' Scheduled Tasks tool. This search looks for flags passed to schtasks.exe on the command line that indicate that a forced reboot of system is scheduled. Ransomware authors have been seen to use schtasks.exe to achieve persistence in compromised environments.
Data required
Procedure
- Content developed by the Splunk Security Research team requires the use of consistent, normalized data provided by the Common Information Model (CIM). For information on installing and using the CIM, see the Common Information Model documentation. To run this search, your deployment needs to be ingesting logs with both the process name and command-line from your endpoints to populate the Endpoint data model in the Processes node. If you are using Sysmon, you must have at least version 6.0.4.
- Run the following search. You can optimize it by specifying an index and adjusting the time range.
| tstats allow_old_summaries=true values("Processes.process") AS process, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE ("Processes.process_name"=schtasks.exe "Processes.process"="*shutdown*" "Processes.process"="*/create *") BY "Processes.process_name", "Processes.parent_process_name", "Processes.dest", "Processes.user"
| rename "Processes.*" AS "*"
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime)
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
Splunk Search | Explanation |
---|---|
| tstats allow_old_summaries=true values("Processes.process") AS process, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE ("Processes.process_name"=schtasks.exe "Processes.process"="*shutdown*" "Processes.process"="*/create *") BY "Processes.process_name", "Processes.parent_process_name", "Processes.dest", "Processes.user" | Query the Endpoint.Processes data model object to search for schtasks.exe launching with parameters that force a reboot. Sort first by process name, then parent process name, destination and user. |
| rename "Processes.*" AS "*" | Rename data model fields for better readability. |
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime) |
Convert these times into readable strings. |
Next steps
False positives from this search may occur because administrators may create jobs on systems, forcing reboots to perform upgrades or maintenance for legitimate reasons.
If you receive clear positive results from this search, start your incident response process for dealing with a ransomware infection. You should check for recent backups for the systems affected by the infection.
Another tactic you may want to search for is attackers using schtasks.exe to register binaries or scripts to run from a public directory.
Finally, you might be interested in other processes associated with the Detecting a ransomware attack use case.