Persistence via Scheduled Job Creation

calendar Mar 26, 2025 · Domain: Endpoint OS: Windows Use Case: Threat Detection Tactic: Persistence Data Source: Elastic Endgame Data Source: Elastic Defend Data Source: Sysmon Data Source: SentinelOne Data Source: Microsoft Defender for Endpoint Resources: Investigation Guide  ·
Share on: linkedin copy

A job can be used to schedule programs or scripts to be executed at a specified date and time. Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2021/03/15"
  3integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
  4maturity = "production"
  5updated_date = "2025/03/20"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10A job can be used to schedule programs or scripts to be executed at a specified date and time. Adversaries may abuse
 11task scheduling functionality to facilitate initial or recurring execution of malicious code.
 12"""
 13false_positives = ["Legitimate scheduled jobs may be created during installation of new software."]
 14from = "now-9m"
 15index = [
 16    "winlogbeat-*",
 17    "logs-endpoint.events.file-*",
 18    "logs-windows.sysmon_operational-*",
 19    "endgame-*",
 20    "logs-sentinel_one_cloud_funnel.*",
 21    "logs-m365_defender.event-*",
 22]
 23language = "eql"
 24license = "Elastic License v2"
 25name = "Persistence via Scheduled Job Creation"
 26note = """## Triage and analysis
 27
 28> **Disclaimer**:
 29> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 30
 31### Investigating Persistence via Scheduled Job Creation
 32
 33Scheduled jobs in Windows environments allow tasks to be automated by executing scripts or programs at specified times. Adversaries exploit this feature to maintain persistence by scheduling malicious code execution. The detection rule identifies suspicious job creation by monitoring specific file paths and extensions, excluding known legitimate processes, to flag potential abuse while minimizing false positives.
 34
 35### Possible investigation steps
 36
 37- Review the file path and extension to confirm the presence of a scheduled job in the "?:\\Windows\\Tasks\\" directory with a ".job" extension, which is indicative of a scheduled task.
 38- Examine the process executable path to determine if the job creation is associated with any known legitimate processes, such as CCleaner or ManageEngine, which are excluded in the detection rule.
 39- Investigate the origin of the process that created the scheduled job by checking the process execution history and command line arguments to identify any potentially malicious behavior.
 40- Analyze the scheduled job's content and associated scripts or programs to identify any suspicious or unauthorized code that may indicate malicious intent.
 41- Correlate the event with other security logs and alerts from data sources like Elastic Endgame, Sysmon, or Microsoft Defender for Endpoint to gather additional context and identify any related malicious activity.
 42- Assess the risk and impact of the scheduled job by determining if it aligns with known adversary tactics, techniques, and procedures (TTPs) related to persistence, as outlined in the MITRE ATT&CK framework.
 43
 44### False positive analysis
 45
 46- Scheduled jobs created by CCleaner for crash reporting can trigger false positives. Exclude the path "?:\\Windows\\Tasks\\CCleanerCrashReporting.job" when the process executable is "?:\\Program Files\\CCleaner\\CCleaner64.exe".
 47- ManageEngine UEMS Agent and DesktopCentral Agent may create scheduled jobs for updates, leading to false positives. Exclude the path "?:\\Windows\\Tasks\\DCAgentUpdater.job" when the process executable is "?:\\Program Files (x86)\\ManageEngine\\UEMS_Agent\\bin\\dcagentregister.exe" or "?:\\Program Files (x86)\\DesktopCentral_Agent\\bin\\dcagentregister.exe".
 48- Regularly review and update exclusion lists to ensure they reflect the current environment and legitimate software behavior.
 49- Consider implementing a whitelist of known legitimate processes and paths to further reduce false positives while maintaining effective threat detection.
 50
 51### Response and remediation
 52
 53- Immediately isolate the affected system from the network to prevent further execution of potentially malicious scheduled jobs and limit lateral movement.
 54- Terminate any suspicious processes associated with the identified scheduled job, using tools like Task Manager or PowerShell, to halt any ongoing malicious activity.
 55- Delete the suspicious scheduled job file from the system to prevent future execution. This can be done using the Task Scheduler or command-line tools.
 56- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) solutions to identify and remove any additional malicious files or remnants.
 57- Review and audit other scheduled tasks on the system to ensure no additional unauthorized or suspicious jobs are present.
 58- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if other systems are affected.
 59- Implement enhanced monitoring and alerting for scheduled job creation activities across the network to detect similar threats in the future, leveraging the specific query fields used in the detection rule."""
 60risk_score = 47
 61rule_id = "1327384f-00f3-44d5-9a8c-2373ba071e92"
 62severity = "medium"
 63tags = [
 64    "Domain: Endpoint",
 65    "OS: Windows",
 66    "Use Case: Threat Detection",
 67    "Tactic: Persistence",
 68    "Data Source: Elastic Endgame",
 69    "Data Source: Elastic Defend",
 70    "Data Source: Sysmon",
 71    "Data Source: SentinelOne",
 72    "Data Source: Microsoft Defender for Endpoint",
 73    "Resources: Investigation Guide",
 74]
 75timestamp_override = "event.ingested"
 76type = "eql"
 77
 78query = '''
 79file where host.os.type == "windows" and event.type != "deletion" and
 80  file.path : "?:\\Windows\\Tasks\\*" and file.extension : "job" and
 81  not (
 82    (
 83      process.executable : "?:\\Program Files\\CCleaner\\CCleaner64.exe" and
 84      file.path : "?:\\Windows\\Tasks\\CCleanerCrashReporting.job"
 85    ) or
 86    (
 87      process.executable : (
 88        "?:\\Program Files (x86)\\ManageEngine\\UEMS_Agent\\bin\\dcagentregister.exe",
 89        "?:\\Program Files (x86)\\DesktopCentral_Agent\\bin\\dcagentregister.exe"
 90      ) and
 91      file.path : "?:\\Windows\\Tasks\\DCAgentUpdater.job"
 92    )
 93  )
 94'''
 95
 96
 97[[rule.threat]]
 98framework = "MITRE ATT&CK"
 99[[rule.threat.technique]]
100id = "T1053"
101name = "Scheduled Task/Job"
102reference = "https://attack.mitre.org/techniques/T1053/"
103[[rule.threat.technique.subtechnique]]
104id = "T1053.005"
105name = "Scheduled Task"
106reference = "https://attack.mitre.org/techniques/T1053/005/"
107
108
109
110[rule.threat.tactic]
111id = "TA0003"
112name = "Persistence"
113reference = "https://attack.mitre.org/tactics/TA0003/"

Triage and analysis

Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

Investigating Persistence via Scheduled Job Creation

Scheduled jobs in Windows environments allow tasks to be automated by executing scripts or programs at specified times. Adversaries exploit this feature to maintain persistence by scheduling malicious code execution. The detection rule identifies suspicious job creation by monitoring specific file paths and extensions, excluding known legitimate processes, to flag potential abuse while minimizing false positives.

Possible investigation steps

  • Review the file path and extension to confirm the presence of a scheduled job in the "?:\Windows\Tasks" directory with a ".job" extension, which is indicative of a scheduled task.
  • Examine the process executable path to determine if the job creation is associated with any known legitimate processes, such as CCleaner or ManageEngine, which are excluded in the detection rule.
  • Investigate the origin of the process that created the scheduled job by checking the process execution history and command line arguments to identify any potentially malicious behavior.
  • Analyze the scheduled job's content and associated scripts or programs to identify any suspicious or unauthorized code that may indicate malicious intent.
  • Correlate the event with other security logs and alerts from data sources like Elastic Endgame, Sysmon, or Microsoft Defender for Endpoint to gather additional context and identify any related malicious activity.
  • Assess the risk and impact of the scheduled job by determining if it aligns with known adversary tactics, techniques, and procedures (TTPs) related to persistence, as outlined in the MITRE ATT&CK framework.

False positive analysis

  • Scheduled jobs created by CCleaner for crash reporting can trigger false positives. Exclude the path "?:\Windows\Tasks\CCleanerCrashReporting.job" when the process executable is "?:\Program Files\CCleaner\CCleaner64.exe".
  • ManageEngine UEMS Agent and DesktopCentral Agent may create scheduled jobs for updates, leading to false positives. Exclude the path "?:\Windows\Tasks\DCAgentUpdater.job" when the process executable is "?:\Program Files (x86)\ManageEngine\UEMS_Agent\bin\dcagentregister.exe" or "?:\Program Files (x86)\DesktopCentral_Agent\bin\dcagentregister.exe".
  • Regularly review and update exclusion lists to ensure they reflect the current environment and legitimate software behavior.
  • Consider implementing a whitelist of known legitimate processes and paths to further reduce false positives while maintaining effective threat detection.

Response and remediation

  • Immediately isolate the affected system from the network to prevent further execution of potentially malicious scheduled jobs and limit lateral movement.
  • Terminate any suspicious processes associated with the identified scheduled job, using tools like Task Manager or PowerShell, to halt any ongoing malicious activity.
  • Delete the suspicious scheduled job file from the system to prevent future execution. This can be done using the Task Scheduler or command-line tools.
  • Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) solutions to identify and remove any additional malicious files or remnants.
  • Review and audit other scheduled tasks on the system to ensure no additional unauthorized or suspicious jobs are present.
  • Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if other systems are affected.
  • Implement enhanced monitoring and alerting for scheduled job creation activities across the network to detect similar threats in the future, leveraging the specific query fields used in the detection rule.

Related rules

to-top