Tag

Scheduled_task

4 briefs RSS

TelemetryController Scheduled Task Hijack for Persistence

The rule detects the hijack of the Microsoft Compatibility Appraiser scheduled task to establish persistence with system integrity level, by monitoring CompatTelRunner.exe process execution and detecting unexpected child processes.

Microsoft Compatibility Appraiser +3 persistence scheduled_task telemetry windows

2r 1t May 12, 2026

low advisory

Suspicious Image Load (taskschd.dll) from MS Office

2 rules 2 TTPs

Detection of taskschd.dll image loads from Microsoft Office applications indicates potential COM-based scheduled task creation for persistence, bypassing traditional schtasks.exe usage.

Word +4 persistence execution windows image_load scheduled_task

2r 2t Jan 3, 2024

low advisory

Suspicious Local Scheduled Task Creation

2 rules 1 TTP

This rule detects the creation of scheduled tasks on Windows systems by non-system accounts, a common technique used by adversaries for persistence, lateral movement, and privilege escalation.

Elastic Defend persistence windows scheduled_task attack.persistence

2r 1t Jan 2, 2024

medium advisory

Detecting Suspicious Scheduled Task Creation in Windows

2 rules 1 TTP

This rule detects the creation of scheduled tasks in Windows using event logs, which adversaries may use for persistence, lateral movement, or privilege escalation by creating malicious tasks.

Windows Security Event Logs +8 persistence scheduled_task windows

2r 1t Jan 2, 2024