Techniques
Sample rules
WinEvent Windows Task Scheduler Event Action Started
- source: splunk
- techniques:
- T1053.005
Description
The following analytic detects the execution of tasks registered in Windows Task Scheduler by monitoring EventID 200 (action run) and 201 (action completed) from the Task Scheduler logs. This detection leverages Task Scheduler logs to identify potentially suspicious or unauthorized task executions. Monitoring these events is significant for a SOC as it helps uncover evasive techniques used for persistence, unauthorized code execution, or other malicious activities. If confirmed malicious, this activity could lead to unauthorized access, data exfiltration, or the execution of harmful payloads, posing a significant threat to the environment.
Detection logic
`wineventlog_task_scheduler` EventCode IN ("200","201")
| stats count min(_time) as firstTime max(_time) as lastTime by TaskName dvc EventCode
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `winevent_windows_task_scheduler_event_action_started_filter`
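The stats and filter steps of the search above, reproduced in Python over constructed Task Scheduler events so the aggregation can be checked offline (added example, not Splunk's or the security_content project's own code; the field names mirror the SPL, while the allowlist standing in for the `_filter` macro and the sample events are assumptions):

```python
from datetime import datetime, timezone

# Constructed sample events: _time is epoch seconds; EventCode 106 (task
# registered) is included to show that only 200/201 survive the search.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "EventCode": "200", "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "dvc": "ws01"},
    {"_time": 1700000030, "EventCode": "201", "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "dvc": "ws01"},
    {"_time": 1700000100, "EventCode": "200", "TaskName": "\\Updater", "dvc": "ws01"},
    {"_time": 1700000160, "EventCode": "201", "TaskName": "\\Updater", "dvc": "ws01"},
    {"_time": 1700000200, "EventCode": "106", "TaskName": "\\Updater", "dvc": "ws01"},
    {"_time": 1700000300, "EventCode": "200", "TaskName": "\\Updater", "dvc": "ws02"},
    {"_time": 1700003700, "EventCode": "200", "TaskName": "\\Updater", "dvc": "ws01"},
]

# Assumed stand-in for the `_filter` macro: task names an analyst has
# reviewed and chosen to suppress in this environment.
ALLOWLIST = frozenset({"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"})


def aggregate_task_events(events, allowlist=frozenset()):
    """Mirror `EventCode IN ("200","201") | stats count min(_time) max(_time)
    by TaskName dvc EventCode`, then drop rows whose TaskName is allowlisted.

    Returns {(TaskName, dvc, EventCode): {"count", "firstTime", "lastTime"}}.
    """
    stats = {}
    for ev in events:
        if ev.get("EventCode") not in ("200", "201"):
            continue
        key = (ev["TaskName"], ev["dvc"], ev["EventCode"])
        t = ev["_time"]
        row = stats.setdefault(key, {"count": 0, "firstTime": t, "lastTime": t})
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], t)
        row["lastTime"] = max(row["lastTime"], t)
    # The filter macro runs last in the SPL, on the aggregated rows.
    return {k: v for k, v in stats.items() if k[0] not in allowlist}


def ctime(epoch):
    """Stand-in for `security_content_ctime`: epoch seconds to a UTC string."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    for (task, dvc, code), row in aggregate_task_events(SAMPLE_EVENTS, ALLOWLIST).items():
        print(f"{task:45} {dvc:6} {code} count={row['count']} "
              f"first={ctime(row['firstTime'])} last={ctime(row['lastTime'])}")
```

Two executions of the same task on one host collapse into a single row with count 2 and a first/last window, which is what the analyst sees when triaging the Splunk result.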