Detects the execution of Scheduled Tasks where the program being run is located in a suspicious location or where it is an unusual program to be run from a Scheduled Task

Detects scheduled task creation using "schtasks" that contain potentially suspicious or uncommon commands

Detects the creation of a scheduled task using the "-XML" flag with a file without the '.xml' extension. This behavior could be indicative of potential defense evasion attempt during persistence

Detects the creation or update of a scheduled task to run with "NT AUTHORITY\SYSTEM" privileges

Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities

Detects OilRig registry persistence as reported by Nyotron in their March 2018 report

Detects the creation of a schtask via PowerSploit or Empire Default Configuration.

Detects manual execution of the "Microsoft Compatibility Appraiser" task via schtasks. In order to trigger persistence stored in the "\AppCompatFlags\TelemetryController" registry key.

Detects the creation of scheduled tasks that involves a temporary folder and runs only once

Detects the creation of scheduled tasks in user session

Detects scheduled task creations that have suspicious action command and folder combinations

Detects suspicious scheduled task creations from a parent stored in a temporary folder

Detects when an attacker tries to modify an already existing scheduled tasks to run from a suspicious location Attackers can create a simple looking task in order to avoid detection on creation as it's often the most focused on Instead they modify the task after creation to include their malicious payload

Detects creation of a scheduled task with a GUID like name

Detects scheduled task creations or modification to be run with high privileges on a suspicious schedule type

Detects scheduled task creations or modification on a suspicious schedule type

Detects the execution of Scheduled Tasks where the Program being run is located in a suspicious location or it's an unusale program to be run from a Scheduled Task

Detects update to a scheduled task event that contain suspicious keywords.

Detects the creation of a schtask that executes a base64 encoded payload stored in the Windows Registry using PowerShell.

Detects suspicious powershell execution via a schedule task where the command ends with an suspicious flags to hide the powershell instance instead of executeing scripts or commands. This could be a sign of persistence via PowerShell "Get-Variable" technique as seen being used in Colibri Loader

Detects suspicious scheduled task creation events. Based on attributes such as paths, commands line flags, etc.

Detects the creation of a schtask that executes a file from C:\Users<USER>\AppData\Local

Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code

Detects scheduled task deletion events. Scheduled tasks are likely to be deleted if not used for persistence. Malicious Software often creates tasks directly under the root node e.g. \TASKNAME

Detects the process creation from Scheduled Task with REGSVR32 (regsvr32.exe), -s flag and SYSTEM in the command line

Detects the creation of Scheduled Task with REGSVR32 (regsvr32.exe) and C$ in the image path field

Detects the creation of a schtask that executes a base64 encoded payload stored in the Windows Registry using PowerShell.

Detects potential persistence behaviour using the windows telemetry registry key. Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections. This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run. The problem is, it will run any arbitrary command without restriction of location or type.

Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious

Detect lateral movement using GPO scheduled task, usually used to deploy ransomware at scale