title: Scheduled Task Created via Security Log
id: 7f08d779-de77-47cd-9d21-48774fdb1225
status: experimental
description: >
    Detects creation of a scheduled task (Security event 4698). Scheduled tasks are a durable
    persistence and execution mechanism; tuned to flag tasks running interpreters or binaries
    from user-writable locations.
references:
    - https://attack.mitre.org/techniques/T1053/005/
author: Zion Boggan
date: 2026-05-14
tags:
    - attack.persistence
    - attack.t1053.005
    - attack.execution
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4698
    selection_susp:
        TaskContent|contains:
            - 'powershell'
            - 'mshta'
            - 'rundll32'
            - 'cmd.exe'
            - '\AppData\'
            - '\Temp\'
            - '\Users\Public\'
    condition: selection and selection_susp
falsepositives:
    - Legitimate software and admin tasks; baseline scheduled tasks per environment.
level: medium
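As an added illustration (not part of this rule or the Sigma project), the Python below evaluates the rule's `selection and selection_susp` condition over constructed 4698 events and pulls the task's Command/Arguments out of `TaskContent` for triage. The sample events and their field names are assumptions modelled on the Security log's 4698 fields (`TaskName`, `TaskContent`).

```python
import xml.etree.ElementTree as ET

# The rule's selection_susp values. Sigma 'contains' is case-insensitive, so compare lowercased.
SUSPICIOUS_SUBSTRINGS = [
    "powershell", "mshta", "rundll32", "cmd.exe",
    "\\AppData\\", "\\Temp\\", "\\Users\\Public\\",
]

def matches_rule(event: dict) -> bool:
    """Evaluate 'selection and selection_susp' against one parsed Security event."""
    if event.get("EventID") != 4698:          # selection: task creation only
        return False
    content = event.get("TaskContent", "").lower()
    return any(s.lower() in content for s in SUSPICIOUS_SUBSTRINGS)

def task_actions(task_content: str) -> list[tuple[str, str]]:
    """Extract (Command, Arguments) from the task XML so an analyst sees what will run."""
    root = ET.fromstring(task_content)
    actions = []
    for exec_node in root.iterfind(".//{*}Exec"):   # '{*}' ignores the task schema namespace
        cmd = exec_node.findtext("{*}Command", default="")
        args = exec_node.findtext("{*}Arguments", default="")
        actions.append((cmd, args))
    return actions

def triage(events: list[dict]) -> list[tuple[str, str, str]]:
    """Return (TaskName, Command, Arguments) for every event the rule fires on."""
    hits = []
    for ev in events:
        if matches_rule(ev):
            for cmd, args in task_actions(ev["TaskContent"]):
                hits.append((ev.get("TaskName", ""), cmd, args))
    return hits

# Constructed sample events (not real telemetry); TaskContent is the task XML as 4698 logs it.
TASK_XML = ('<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"><Actions>'
            "<Exec><Command>{cmd}</Command><Arguments>{args}</Arguments></Exec></Actions></Task>")
SAMPLE_EVENTS = [
    {"EventID": 4698, "TaskName": "\\Vendor\\Updater",   # benign: vendor binary under Program Files
     "TaskContent": TASK_XML.format(cmd="C:\\Program Files\\Vendor\\Updater.exe", args="/silent")},
    {"EventID": 4698, "TaskName": "\\Sync",              # fires: interpreter + user-writable path
     "TaskContent": TASK_XML.format(cmd="powershell.exe",
                                    args="-NoProfile -File C:\\Users\\alice\\AppData\\Roaming\\sync.ps1")},
    {"EventID": 4702, "TaskName": "\\Sync",              # task *updated*: same content, not 4698
     "TaskContent": TASK_XML.format(cmd="powershell.exe", args="-File C:\\Temp\\sync.ps1")},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

Event 4698 is only written when the "Audit Other Object Access Events" subcategory is enabled, so confirm that policy is on before relying on the rule.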