Detects the creation, modification, or deletion of scheduled tasks through the Task Scheduler (schtasks.exe or the Task Scheduler console), WMI, PowerShell (the ScheduledTasks module), or direct calls to the Task Scheduler API, followed by execution of the task's action as a child of svchost.exe (the host of the Schedule service) or, on older Windows versions, taskeng.exe. Includes detection of hidden or anomalous scheduled tasks, especially those created under SYSTEM or suspicious user contexts. A task can be hidden from the Task Scheduler UI and from schtasks /query by tampering with its registry entries under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree (for example, deleting the SD value), which is why registry modification telemetry is part of the data sources below. Note that Security events 4698 and 4702 are only logged when the Audit Other Object Access Events subcategory is enabled; it is not on by default.

| Data Component | Name | Channel |
|---|---|---|
| Scheduled Job Creation (DC0001) | WinEventLog:Security | EventCode=4698 |
| Scheduled Job Modification (DC0012) | WinEventLog:Security | EventCode=4702 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| Windows Registry Key Modification (DC0063) | WinEventLog:Sysmon | EventCode=13 |

| Field | Description |
|---|---|
| TimeWindow | Defines threshold for grouping task creation and associated execution within suspicious time proximity. |
| UserContext | Filters based on non-standard user accounts or execution under SYSTEM when not typical for the environment. |
| TaskNamePattern | Allows defenders to flag obfuscated, randomized, or suspicious task names outside normal conventions. |
| CommandLineEntropyThreshold | Shannon-entropy threshold applied to the task's command line. Flags task actions that carry heavily obfuscated PowerShell or base64-encoded payloads (for example, `-EncodedCommand` blobs), which sit well above the entropy of an ordinary command line. Long file paths already push ordinary command lines close to common thresholds, so tune the value against a baseline of legitimate tasks. |
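The following is an added, self-contained illustration of how the tunable elements above combine into a detection, not code from the original detection strategy. It scores Security 4698 records against UserContext, TaskNamePattern and CommandLineEntropyThreshold, then correlates each anomalous creation with a Sysmon Event ID 1 record whose parent is a scheduler host (svchost.exe or taskeng.exe) and whose image matches the task's action, within TimeWindow. Field names are simplified (a single `Subject` field stands in for the separate subject user and domain fields of 4698, and `TaskCommand` joins the action's command and arguments), the threshold values and the expected-creator list are assumptions, and the sample records are constructed for the example.

```python
import math
import re
from datetime import datetime, timedelta

# Tunable elements from the table above. The concrete values are assumptions for this
# example and must be tuned per environment.
TIME_WINDOW = timedelta(minutes=10)                  # creation -> execution proximity
EXPECTED_TASK_CREATORS = {"NT AUTHORITY\\SYSTEM", "CORP\\svc_patching"}  # accounts that normally register tasks
TASK_NAME_PATTERN = re.compile(r"^\\(Microsoft\\|[A-Z][A-Za-z]+( [A-Z][A-Za-z]+)*$)")  # conventional names
CMDLINE_ENTROPY_THRESHOLD = 4.5                      # bits/char; plain command lines sit around 4.0-4.5
LAUNCHER_IMAGES = {"svchost.exe", "taskeng.exe"}      # Task Scheduler hosts that spawn task actions


def shannon_entropy(text):
    """Shannon entropy of a string in bits per character (0.0 for an empty string)."""
    if not text:
        return 0.0
    n = len(text)
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def assess_task_creation(ev):
    """Return the tunable elements a 4698 record trips; an empty list means nothing anomalous."""
    reasons = []
    if ev["Subject"] not in EXPECTED_TASK_CREATORS:
        reasons.append("UserContext")
    if not TASK_NAME_PATTERN.match(ev["TaskName"]):
        reasons.append("TaskNamePattern")
    if shannon_entropy(ev["TaskCommand"]) >= CMDLINE_ENTROPY_THRESHOLD:
        reasons.append("CommandLineEntropyThreshold")
    return reasons


def correlate(events):
    """Pair each anomalous 4698 creation with a Sysmon Event ID 1 record whose parent is a
    scheduler host and whose image is the task's action, within TIME_WINDOW of creation."""
    creations = [e for e in events if e["Channel"] == "Security" and e["EventCode"] == 4698]
    launched = [e for e in events if e["Channel"] == "Sysmon" and e["EventCode"] == 1
                and _basename(e["ParentImage"]) in LAUNCHER_IMAGES]
    alerts = []
    for c in creations:
        reasons = assess_task_creation(c)
        if not reasons:
            continue
        created = datetime.fromisoformat(c["TimeCreated"])
        action_exe = _basename(c["TaskCommand"].split()[0])   # assumes the action path has no spaces
        executed = any(
            _basename(p["Image"]) == action_exe
            and 0 <= (datetime.fromisoformat(p["TimeCreated"]) - created).total_seconds()
            <= TIME_WINDOW.total_seconds()
            for p in launched)
        alerts.append({"TaskName": c["TaskName"], "Subject": c["Subject"], "Reasons": reasons,
                       "Executed": executed, "Severity": "high" if executed else "medium"})
    return alerts


# Constructed sample records (not real telemetry). ENCODED stands in for a -enc payload.
ENCODED = "Kj7QcAu2ZqMa9BwYz0CeXb4DyWr6ExVt1FdUg8Gv+TsHf3ShIo5Rk/JmPpLnOlNi"
SAMPLE_EVENTS = [
    {"Channel": "Security", "EventCode": 4698, "TimeCreated": "2024-03-01T09:00:00",
     "Subject": "CORP\\svc_patching", "TaskName": "\\Microsoft\\Windows\\Patching\\Weekly",
     "TaskCommand": "cmd.exe /c C:\\Scripts\\patch.cmd"},
    {"Channel": "Sysmon", "EventCode": 1, "TimeCreated": "2024-03-01T09:00:04",
     "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "cmd.exe /c C:\\Scripts\\patch.cmd"},
    {"Channel": "Security", "EventCode": 4698, "TimeCreated": "2024-03-01T10:00:00",
     "Subject": "CORP\\jsmith", "TaskName": "\\x9k2q",
     "TaskCommand": "powershell.exe -nop -w hidden -enc " + ENCODED},
    {"Channel": "Sysmon", "EventCode": 1, "TimeCreated": "2024-03-01T10:01:30",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + ENCODED},
    {"Channel": "Sysmon", "EventCode": 1, "TimeCreated": "2024-03-01T10:02:00",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",          # interactive launch, not scheduler-hosted
     "CommandLine": "powershell.exe"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample, only the `\x9k2q` task is reported: it trips all three scoring elements and its powershell.exe action is seen under svchost.exe 90 seconds after creation, so the alert is marked executed. The patching task passes every check and the explorer.exe-parented PowerShell launch is ignored because its parent is not a scheduler host. In a SIEM the same logic is a join of 4698 onto Sysmon Event ID 1 on the action image within the time window; the Python is here to make the scoring and the correlation condition explicit.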