Scheduled Task Created by a Windows Scriptedit

A scheduled task was created by a Windows script via cscript.exe, wscript.exe or powershell.exe. This can be abused by an adversary to establish persistence.

Rule type: eql

Rule indices:

  • winlogbeat-*

Severity: medium

Risk score: 43

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100


  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Persistence

Version: 1

Added (Elastic Stack release): 7.11.0

Rule authors: Elastic

Rule license: Elastic License

Potential false positivesedit

Legitimate scheduled tasks may be created during installation of new software.

Investigation guideedit

Decode the base64 encoded Tasks Actions registry value to investigate the task’s configured action.

Rule queryedit

sequence by with maxspan = 30s [library where :
"taskschd.dll" and : ("cscript.exe", "wscript.exe",
"powershell.exe")] [registry where registry.path :

Threat mappingedit