A scheduled task was created by a Windows script via cscript.exe, wscript.exe or powershell.exe. This can be abused by an adversary to establish persistence.
Rule type: eql
Risk score: 43
Runs every: 5 minutes
Maximum alerts per execution: 100
Tags: Threat Detection
Added (Elastic Stack release): 7.11.0
Rule authors: Elastic
Rule license: Elastic License
Potential false positives: Legitimate scheduled tasks may be created during installation of new software.
Investigation notes: Decode the base64-encoded Tasks Actions registry value to investigate the task's configured action.
Rule query:

```eql
sequence by host.id with maxspan = 30s
  [library where file.name : "taskschd.dll" and
     process.name : ("cscript.exe", "wscript.exe", "powershell.exe")]
  [registry where registry.path :
     "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\*\\Actions"]
```
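The decoding step from the investigation note, as an added example that is not part of the Elastic rule: it base64-decodes the Actions value as the SIEM event presents it and pulls out the UTF-16LE strings, which is enough to read the command and arguments the task runs without a full parser for the binary layout. The sample blob, its field layout and the 0x6666 marker are constructed assumptions for the demo, not a real capture.

```python
import base64
import re
import struct

# Printable ASCII encoded as UTF-16LE: each character is followed by a 0x00 byte.
UTF16_PRINTABLE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def extract_utf16_strings(blob: bytes) -> list[str]:
    """Return every run of 4+ printable UTF-16LE characters found in the blob."""
    return [m.group(0).decode("utf-16-le") for m in UTF16_PRINTABLE.finditer(blob)]


def decode_task_actions(b64_value: str) -> dict:
    """Decode the base64 Actions value and surface what an analyst needs:
    the leading 16-bit field (treated here as a version number, an assumption)
    and the embedded strings (author, command, arguments) showing what runs."""
    blob = base64.b64decode(b64_value)
    version = struct.unpack_from("<H", blob, 0)[0] if len(blob) >= 2 else None
    return {"version": version, "strings": extract_utf16_strings(blob)}


def _build_sample_blob() -> bytes:
    """Constructed demo blob (an assumption, not a real capture): a 2-byte
    version, then length-prefixed UTF-16LE strings for author, command and
    arguments, with a 0x6666 marker between author and command."""
    def field(text: str) -> bytes:
        data = text.encode("utf-16-le")
        return struct.pack("<I", len(data)) + data

    return (
        struct.pack("<H", 3)
        + field("Author")
        + struct.pack("<H", 0x6666)
        + field("powershell.exe")
        + field("-enc QQBCAEMA")
    )


# The base64 form is how the registry value arrives in the SIEM event.
SAMPLE_B64 = base64.b64encode(_build_sample_blob()).decode("ascii")

if __name__ == "__main__":
    result = decode_task_actions(SAMPLE_B64)
    print("version:", result["version"])
    for s in result["strings"]:
        print("string:", s)
```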