persistence/scheduled-tasks

schedule task via ITaskService

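rule:
  meta:
    name: schedule task via ITaskService
    namespace: persistence/scheduled-tasks
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: function
      dynamic: unsupported  # requires offset, bytes features
    att&ck:
      - Persistence::Scheduled Task/Job::Scheduled Task [T1053.005]
    references:
      - https://learn.microsoft.com/en-us/windows/win32/taskschd/taskservice
  features:
    - or:
      # native COM client: CoCreateInstance(CLSID_TaskScheduler, ..., IID_ITaskService, &ppv)
      # in one basic block, followed by a vtable call to ITaskService::NewTask
      # somewhere in the same function
      - and:
        - basic block:
          - and:
            - api: ole32.CoCreateInstance
            # little-endian byte layout of {0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
            - bytes: 9F 36 87 0F E5 A4 FC 4C BD 3E 73 E6 15 45 72 DD = CLSID_TaskScheduler
            # little-endian byte layout of {2FABA4C7-4DA9-4013-9697-20CC3FD40F85}
            - bytes: C7 A4 AB 2F A9 4D 13 40 96 97 20 CC 3F D4 0F 85 = IID_ITaskService
        # ITaskService derives from IDispatch, so NewTask is vtable slot 9
        # (3 IUnknown + 4 IDispatch + GetFolder + GetRunningTasks); the byte
        # offset of that slot depends on pointer width, so accept either
        # architecture rather than only the 32-bit layout
        - or:
          - offset: 0x24 = ppv->NewTask (32-bit vtable)
          - offset: 0x48 = ppv->NewTask (64-bit vtable)
      # managed / scripting clients: a TaskService wrapper type or the
      # Schedule.Service ProgID paired with a task-creation method name
      - and:
        - or:
          - string: /Microsoft\.Win32\.TaskScheduler\.TaskService/i
          - string: /TaskScheduler\.TaskService/i
          - string: /\bSchedule\.Service\b/i
        - or:
          - string: /\bRegisterTaskDefinition\b/i
          - string: /\bNewTask\b/i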

last edited: 2026-03-12 17:08:16