MATCH-S00170.md

File metadata and controls

36 lines (29 loc) · 1.64 KB

Rules: Windows - Scheduled Task Creation

Description

A scheduled task was created in Windows or Azure. It is common for system administrators and approved software to create scheduled tasks, but adversaries are known to use them for persistence within a Windows environment. This rule is disabled by default due to the volume of events it can produce. Users should filter/exclude allowed scheduled tasks according to their environment before enabling the rule. The scheduled task name is logged in the "commandLine" field.
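The tuning advice above (build an allowlist of expected task names before enabling the rule, using the task name that appears in `commandLine`) can be modelled as a small detection function. The following Python is an added example and is not the rule's own match expression, which is not shown on this page; matching on a `baseImage` ending in `schtasks.exe` with a `/create` switch in `commandLine` is an assumption used for illustration, and the records and allowlist are constructed sample data.

```python
# Added example: a Python model of "Windows - Scheduled Task Creation" with an
# environment-specific allowlist applied before a signal is raised.
# ASSUMPTION: the real Sumo Logic match expression is not on the page; this
# code keys on baseImage ending in schtasks.exe plus a /create switch.
import re
from dataclasses import dataclass

@dataclass
class Signal:
    device_hostname: str
    device_ip: str
    user_username: str
    task_name: str
    summary: str

# Task names expected in this (constructed) environment. The rule description
# says such exclusions should be built before the rule is enabled.
ALLOWED_TASK_NAMES = {
    r"\Microsoft\Windows\Defrag\ScheduledDefrag",
    r"\CorpBackup\NightlyBackup",
}

# schtasks accepts /tn followed by either a quoted or an unquoted task name.
_TN_RE = re.compile(r'/tn\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)
_CREATE_RE = re.compile(r"(?<!\S)/create(?!\S)", re.IGNORECASE)

def extract_task_name(command_line):
    """Return the /tn value from a schtasks command line, or None if absent."""
    m = _TN_RE.search(command_line)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)

def detect_scheduled_task_creation(records, allowed_task_names):
    """Yield one Signal per schtasks /create whose task name is not allowlisted."""
    allowed = {name.lower() for name in allowed_task_names}
    signals = []
    for rec in records:
        base = rec.get("baseImage", "")
        cmd = rec.get("commandLine", "")
        if not base.lower().endswith("\\schtasks.exe"):
            continue                      # not the task scheduler CLI
        if not _CREATE_RE.search(cmd):
            continue                      # query/delete/run etc. are ignored
        task = extract_task_name(cmd)
        if task is not None and task.lower() in allowed:
            continue                      # known-good task for this environment
        signals.append(Signal(
            device_hostname=rec.get("device_hostname", ""),
            device_ip=rec.get("device_ip", ""),
            user_username=rec.get("user_username", ""),
            task_name=task or "<no /tn switch>",
            summary=f"Detected scheduled task creation on host: {rec.get('device_hostname', '')}",
        ))
    return signals

# Constructed normalized records using the fields listed for this rule.
SAMPLE_RECORDS = [
    {"baseImage": r"C:\Windows\System32\schtasks.exe",
     "commandLine": r'schtasks.exe /create /tn "\CorpBackup\NightlyBackup" /tr "C:\Tools\backup.exe" /sc daily /st 02:00',
     "device_hostname": "SRV-FILE01", "device_ip": "10.0.5.12", "user_username": "svc_backup"},
    {"baseImage": r"C:\Windows\System32\schtasks.exe",
     "commandLine": r'schtasks.exe /Create /SC ONLOGON /TN "OneDrive Update" /TR "C:\Users\jdoe\AppData\Roaming\update.exe"',
     "device_hostname": "WS-0423", "device_ip": "10.0.21.77", "user_username": "jdoe"},
    {"baseImage": r"C:\Windows\System32\schtasks.exe",
     "commandLine": r'schtasks.exe /query /tn "\CorpBackup\NightlyBackup"',
     "device_hostname": "SRV-FILE01", "device_ip": "10.0.5.12", "user_username": "svc_backup"},
    {"baseImage": r"C:\Windows\explorer.exe", "commandLine": "explorer.exe",
     "device_hostname": "WS-0423", "device_ip": "10.0.21.77", "user_username": "jdoe"},
]

if __name__ == "__main__":
    for sig in detect_scheduled_task_creation(SAMPLE_RECORDS, ALLOWED_TASK_NAMES):
        print(f"{sig.summary} task={sig.task_name!r} user={sig.user_username}")
```

Only the second record produces a signal: the first is on the allowlist, the third is a `/query` rather than a `/create`, and the fourth is not `schtasks.exe` at all. Matching the allowlist on the extracted task name rather than on the whole command line keeps the exclusion stable when the same task is created with different `/tr` or `/sc` arguments.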

Additional Details

| Detail | Value |
|---|---|
| Type | Templated Match |
| Category | Persistence |
| Apply Risk to Entities | device_hostname, device_ip, user_username |
| Signal Name | Windows - Scheduled Task Creation |
| Summary Expression | Detected scheduled task creation on host: {{device_hostname}} |
| Score/Severity | Static: 1 |
| Enabled by Default | False |
| Prototype | False |
| Tags | _mitreAttackTactic:TA0002, _mitreAttackTactic:TA0003, _mitreAttackTactic:TA0004, _mitreAttackTechnique:T1053, _mitreAttackTechnique:T1053.005 |

Vendors and Products

Fields Used

| Origin | Field |
|---|---|
| Normalized Schema | baseImage |
| Normalized Schema | commandLine |
| Normalized Schema | device_hostname |
| Normalized Schema | device_ip |
| Normalized Schema | user_username |