Suspicious Execution via Scheduled Task
This rule identifies execution of suspicious programs via scheduled tasks by looking at process lineage and command line usage, detecting processes such as cscript.exe, powershell.exe, and cmd.exe when executed from suspicious paths like C:\Users\ and C:\ProgramData\.
This detection rule identifies suspicious program executions initiated by scheduled tasks on Windows systems. Adversaries often abuse scheduled tasks for persistence and to execute malicious programs. This rule focuses on commonly abused executables, such as PowerShell, Cmd, and MSHTA, when they are launched from unusual file paths like user directories or temporary folders. It leverages process lineage analysis, specifically looking for processes spawned by svchost.exe with the “Schedule” argument, to determine whether the execution originated from a scheduled task. The rule aims to pinpoint potential threats by excluding benign processes and focusing on suspicious combinations of executables and paths. The rule was last updated on 2026-05-04.
Attack Chain
- An attacker gains initial access to the system (e.g., via phishing or exploiting a vulnerability).
- The attacker creates or modifies a scheduled task to execute a malicious payload. This task is designed to run at a specific time or event.
- The Windows Task Scheduler service (svchost.exe with the “Schedule” argument) initiates the scheduled task.
- The scheduled task executes a suspicious executable, such as powershell.exe, cmd.exe, or mshta.exe.
- The suspicious executable is launched from an unusual or suspicious path, such as C:\Users\, C:\ProgramData\, or C:\Windows\Temp\.
- The executed payload performs malicious activities, such as downloading additional malware, establishing persistence, or exfiltrating data.
- The attacker maintains persistence on the system through the scheduled task, allowing for repeated execution of the malicious payload.
Impact
Successful exploitation allows attackers to maintain persistent access to the compromised system, execute malicious code, and potentially escalate privileges. This can lead to data theft, system compromise, and further lateral movement within the network. The damage includes potential data exfiltration, malware installation, and disruption of normal system operations.
Recommendation
- Enable process creation logging with command line arguments to detect suspicious executions (logs-endpoint.events.process-* and logs-windows.sysmon_operational-*).
- Deploy the Sigma rule “Suspicious Execution via Scheduled Task” to your SIEM to identify potentially malicious processes executed via scheduled tasks. Tune the rule to exclude legitimate software installations or updates (see rule section below).
- Investigate any alerts generated by the Sigma rule, focusing on processes with suspicious original file names and command line arguments (process.pe.original_file_name, process.args).
- Monitor scheduled tasks for unauthorized modifications or additions, as this is a common technique for persistence (registry_set).
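The lineage-plus-path logic described above, as an added illustration run over constructed process-creation events (this is not the platform's query; the ECS-style field names follow the page, while the sample events, the `-s Schedule` parent command line and the benign-script exclusion list are assumptions):

```python
# Added example: rule logic (parent lineage, abused interpreter, suspicious path)
# applied to constructed ECS-style process events. Not the platform's own query.
SUSPICIOUS_ORIGINAL_NAMES = {"powershell.exe", "cmd.exe", "cscript.exe", "mshta.exe"}
SUSPICIOUS_PATH_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Tuning hook (assumed, not from the page): script paths of known-good scheduled jobs.
BENIGN_SCRIPT_PATHS = {"c:\\programdata\\vendor\\healthcheck.ps1"}

def spawned_by_task_scheduler(event: dict) -> bool:
    """Parent is svchost.exe carrying the Schedule service argument."""
    parent = event.get("process.parent.name", "").lower()
    args = [a.lower() for a in event.get("process.parent.args", [])]
    return parent == "svchost.exe" and "schedule" in args

def suspicious_locations(event: dict) -> list:
    """Image path or command-line arguments that sit under a watched prefix."""
    candidates = [event.get("process.executable", "")] + event.get("process.args", [])
    hits = []
    for c in (x.lower() for x in candidates):
        if c in BENIGN_SCRIPT_PATHS:
            continue  # tuned-out benign job
        if any(c.startswith(p) for p in SUSPICIOUS_PATH_PREFIXES):
            hits.append(c)
    return hits

def is_suspicious_task_execution(event: dict) -> bool:
    """Match on PE original file name so a renamed interpreter is still caught."""
    if not spawned_by_task_scheduler(event):
        return False
    if event.get("process.pe.original_file_name", "").lower() not in SUSPICIOUS_ORIGINAL_NAMES:
        return False
    return bool(suspicious_locations(event))

def _event(parent, parent_args, original, exe, args):
    return {"process.parent.name": parent, "process.parent.args": parent_args,
            "process.pe.original_file_name": original, "process.executable": exe,
            "process.args": args}

SCHED = ["svchost.exe", "-k", "netsvcs", "-p", "-s", "Schedule"]
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
# Constructed sample events: indexes 0 and 3 should alert; 1, 2 and 4 should not.
SAMPLE_EVENTS = [
    _event("svchost.exe", SCHED, "PowerShell.EXE", PS, ["powershell.exe", "-ep", "bypass", "-File", "C:\\Users\\Public\\update.ps1"]),
    _event("svchost.exe", SCHED, "PowerShell.EXE", PS, ["powershell.exe", "-File", "C:\\Program Files\\Vendor\\maint.ps1"]),
    _event("explorer.exe", ["explorer.exe"], "Cmd.Exe", "C:\\Windows\\System32\\cmd.exe", ["cmd.exe", "/c", "C:\\Users\\bob\\run.bat"]),
    _event("svchost.exe", SCHED, "Cmd.Exe", "C:\\ProgramData\\tool\\cmd.exe", ["cmd.exe", "/c", "whoami"]),
    _event("svchost.exe", SCHED, "PowerShell.EXE", PS, ["powershell.exe", "-File", "C:\\ProgramData\\Vendor\\healthcheck.ps1"]),
]

def alerting_indexes(events=SAMPLE_EVENTS) -> list:
    return [i for i, e in enumerate(events) if is_suspicious_task_execution(e)]

if __name__ == "__main__":
    print(alerting_indexes())  # [0, 3]
```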
Detection coverage (2 rules)
Suspicious Execution via Scheduled Task
Severity: medium. Detects execution of suspicious programs via scheduled tasks by looking at process lineage and command line usage.
Suspicious MSHTA Execution via Scheduled Task
Severity: medium. Detects MSHTA execution via scheduled tasks from unusual locations.