Scheduled-Task

Attackers bypass User Account Control (UAC) by hijacking the DiskCleanup Scheduled Task to stealthily execute code with elevated permissions on Windows systems.

This rule detects modifications to scheduled tasks by user accounts, excluding system activity and machine accounts, which adversaries can exploit for persistence by modifying them to execute malicious code.

Detection of on-demand execution of Windows Scheduled Tasks via the schtasks.exe command-line utility, a common technique for persistence and lateral movement.

Detection of scheduled task creation by Windows scripting engines like cscript.exe, wscript.exe, or powershell.exe, used by adversaries to establish persistence on compromised systems.

Attackers abuse Group Policy Objects by modifying scheduled task attributes to execute malicious commands across objects controlled by the GPO, potentially leading to privilege escalation and lateral movement.

This rule identifies remote scheduled task creations on a target Windows host, potentially indicating lateral movement by adversaries, by monitoring network connections and registry modifications related to task scheduling.

Adversaries may create scheduled tasks on Windows systems to establish persistence, move laterally, or escalate privileges, and this detection identifies such activity by monitoring Windows event logs for scheduled task creation events, excluding known benign tasks and those created by system accounts.