Suspicious Scheduled Task Creation via Masqueraded XML File
Detects the creation of a scheduled task using the "-XML" flag with a file that does not carry the '.xml' extension. This behavior could indicate an attempt at defense evasion while establishing persistence.
Sigma rule
title: Suspicious Scheduled Task Creation via Masqueraded XML File
id: dd2a821e-3b07-4d3b-a9ac-929fe4c6ca0c
status: test
description: Detects the creation of a scheduled task using the "-XML" flag with a file without the '.xml' extension. This behavior could be indicative of potential defense evasion attempt during persistence
references:
    - https://learn.microsoft.com/en-us/windows/win32/taskschd/daily-trigger-example--xml-
    - https://github.com/elastic/protections-artifacts/blob/084067123d3328a823b1c3fdde305b694275c794/behavior/rules/persistence_suspicious_scheduled_task_creation_via_masqueraded_xml_file.toml
author: Swachchhanda Shrawan Poudel, Elastic (idea)
date: 2023-04-20
modified: 2024-12-01
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.defense-evasion
    - attack.persistence
    - attack.t1036.005
    - attack.t1053.005
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\schtasks.exe'
        - OriginalFileName: 'schtasks.exe'
    selection_cli_create:
        CommandLine|contains:
            - '/create'
            - '-create'
    selection_cli_xml:
        CommandLine|contains:
            - '/xml'
            - '-xml'
    filter_main_extension_xml:
        CommandLine|contains: '.xml'
    filter_main_system_process:
        IntegrityLevel:
            - 'System'
            - 'S-1-16-16384'
    filter_main_rundll32:
        ParentImage|endswith: '\rundll32.exe'
        ParentCommandLine|contains|all:
            - ':\WINDOWS\Installer\MSI'
            - '.tmp,zzzzInvokeManagedCustomActionOutOfProc'
    filter_optional_third_party:
        ParentImage|endswith:
            # Consider removing any tools that you don't use to avoid blind spots
            - ':\ProgramData\OEM\UpgradeTool\CareCenter_*\BUnzip\Setup_msi.exe'
            - ':\Program Files\Axis Communications\AXIS Camera Station\SetupActions.exe'
            - ':\Program Files\Axis Communications\AXIS Device Manager\AdmSetupActions.exe'
            - ':\Program Files (x86)\Zemana\AntiMalware\AntiMalware.exe'
            - ':\Program Files\Dell\SupportAssist\pcdrcui.exe'
    condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
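To make the condition above concrete, here is an added example (not code from the Sigma rule, its author or the Sigma project) that re-implements the rule's selection and filter logic in plain Python and runs it over constructed process-creation events. Field names follow the Sigma Windows process_creation taxonomy (Image, OriginalFileName, CommandLine, IntegrityLevel, ParentImage, ParentCommandLine); every sample event is made up for illustration, and the `_event` helper and `evaluate` function are this example's own, not part of any Sigma backend.

```python
# Added example, not part of the Sigma rule or its page: a small Python
# re-implementation of the rule's matching logic, run over constructed
# process-creation events. Field names follow the Sigma Windows
# process_creation taxonomy; all events below are made up.
from fnmatch import fnmatch

# Literals taken from the rule. Sigma string matching is case-insensitive by
# default, so everything is compared in lower case.
CREATE_FLAGS = ("/create", "-create")
XML_FLAGS = ("/xml", "-xml")
SYSTEM_INTEGRITY = ("system", "s-1-16-16384")
MSI_CUSTOM_ACTION_MARKERS = (
    r":\windows\installer\msi",
    r".tmp,zzzzinvokemanagedcustomactionoutofproc",
)
# filter_optional_third_party: Sigma's '*' is a glob wildcard, hence fnmatch.
THIRD_PARTY_PARENTS = (
    r":\programdata\oem\upgradetool\carecenter_*\bunzip\setup_msi.exe",
    r":\program files\axis communications\axis camera station\setupactions.exe",
    r":\program files\axis communications\axis device manager\admsetupactions.exe",
    r":\program files (x86)\zemana\antimalware\antimalware.exe",
    r":\program files\dell\supportassist\pcdrcui.exe",
)


def _field(event, name):
    """Return a field as a lower-cased string ('' when the field is absent)."""
    return str(event.get(name, "")).lower()


def selection_matches(event):
    """'all of selection_*': schtasks.exe, a create switch and an XML switch."""
    is_schtasks = (_field(event, "Image").endswith(r"\schtasks.exe")
                   or _field(event, "OriginalFileName") == "schtasks.exe")
    cmd = _field(event, "CommandLine")
    return (is_schtasks
            and any(flag in cmd for flag in CREATE_FLAGS)
            and any(flag in cmd for flag in XML_FLAGS))


def filter_matches(event):
    """'1 of filter_main_*' or '1 of filter_optional_*': any one suppresses the alert."""
    # filter_main_extension_xml: a substring test over the whole command line,
    # not a check of the referenced file's real extension.
    if ".xml" in _field(event, "CommandLine"):
        return True
    # filter_main_system_process
    if _field(event, "IntegrityLevel") in SYSTEM_INTEGRITY:
        return True
    # filter_main_rundll32: MSI managed custom actions launched through rundll32
    parent = _field(event, "ParentImage")
    parent_cmd = _field(event, "ParentCommandLine")
    if parent.endswith(r"\rundll32.exe") and all(m in parent_cmd for m in MSI_CUSTOM_ACTION_MARKERS):
        return True
    # filter_optional_third_party: 'endswith' with a glob, so match the path tail
    return any(fnmatch(parent, "*" + pattern) for pattern in THIRD_PARTY_PARENTS)


def rule_matches(event):
    """condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*"""
    return selection_matches(event) and not filter_matches(event)


def _event(name, command_line, integrity="High",
           parent=r"C:\Windows\System32\cmd.exe", parent_cmd="cmd.exe"):
    """Build a constructed process_creation event (hypothetical helper, not real telemetry)."""
    return {"name": name, "Image": r"C:\Windows\System32\schtasks.exe",
            "OriginalFileName": "schtasks.exe", "CommandLine": command_line,
            "IntegrityLevel": integrity, "ParentImage": parent,
            "ParentCommandLine": parent_cmd}


# Constructed sample events: one true positive and one example per filter branch.
SAMPLE_EVENTS = [
    _event("masqueraded-xml", r'schtasks.exe /Create /TN "Updater" /XML C:\Users\Public\update.txt', "Medium"),
    _event("regular-xml", r"schtasks.exe /create /tn Backup /xml C:\Temp\backup.xml"),
    _event("system-integrity", r"schtasks.exe -create -tn Svc -xml C:\ProgramData\task.dat", "S-1-16-16384"),
    _event("msi-custom-action", r"schtasks.exe /create /tn Vendor /xml C:\Temp\task.bin",
           parent=r"C:\Windows\System32\rundll32.exe",
           parent_cmd=r"rundll32.exe C:\WINDOWS\Installer\MSI1A2B.tmp,zzzzInvokeManagedCustomActionOutOfProc Ctx 1"),
    _event("dell-supportassist", r"schtasks.exe /create /tn Dell /xml C:\Temp\task.dat",
           parent=r"C:\Program Files\Dell\SupportAssist\pcdrcui.exe", parent_cmd="pcdrcui.exe"),
    _event("no-xml-switch", r"schtasks.exe /create /tn Daily /tr C:\Tools\run.exe /sc daily"),
]


def evaluate(events):
    """Map each event name to whether the rule fires on it."""
    return {event["name"]: rule_matches(event) for event in events}


if __name__ == "__main__":
    for name, fired in evaluate(SAMPLE_EVENTS).items():
        print(f"{name:20s} -> {'ALERT' if fired else 'no alert'}")
```

Only the first event fires; the others show which filter branch (or missing selection) silences each one. Two tuning points follow from reading the logic this way: the `filter_main_extension_xml` branch is a substring test on the entire command line rather than on the referenced file's extension, so it is worth checking how that behaves against your own telemetry, and the `filter_optional_third_party` parents are allow-listed paths that each become a blind spot, which is why the rule's own comment suggests removing entries for software you do not run.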
Related rules
- Scheduled Task Creation Masquerading as System Processes
- OilRig APT Activity
- OilRig APT Registry Persistence
- OilRig APT Schedule Task Persistence - Security
- OilRig APT Schedule Task Persistence - System