DET0441 Detection of Suspicious Scheduled Task Creation and Execution on Windows

Item           Value
ID             DET0441
Version        1.0
Created        21 October 2025
Last Modified  21 October 2025

Technique Detected: T1053.005 (Scheduled Task)

Analytics

Windows

AN1221

Detects the creation, modification, or deletion of scheduled tasks through Task Scheduler, WMI, PowerShell, or API-based methods, followed by execution of the task action as a child of svchost.exe or taskeng.exe. Includes detection of hidden or anomalous scheduled tasks, especially those created under SYSTEM or in suspicious user contexts.

Log Sources

Data Component                                Name                  Channel
Scheduled Job Creation (DC0001)               WinEventLog:Security  EventCode=4698
Scheduled Job Modification (DC0012)           WinEventLog:Security  EventCode=4702
Process Creation (DC0032)                     WinEventLog:Sysmon    EventCode=1
File Creation (DC0039)                        WinEventLog:Sysmon    EventCode=11
Windows Registry Key Modification (DC0063)    WinEventLog:Sysmon    EventCode=13, 14

Mutable Elements

Field                        Description
TimeWindow                   Defines the threshold for grouping a task creation and its associated execution within suspicious time proximity.
UserContext                  Filters on non-standard user accounts, or on execution under SYSTEM where that is not typical for the environment.
TaskNamePattern              Allows defenders to flag obfuscated, randomized, or otherwise suspicious task names outside normal naming conventions.
CommandLineEntropyThreshold  Flags tasks executing heavily obfuscated PowerShell or binary blobs delivered via base64 or other encoding.
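The correlation that AN1221 describes, with the four mutable elements exposed as tunable parameters, as an added Python example that is not part of the ATT&CK page or any vendor analytic. The event records, field names, allowlisted account, task-name regex and entropy threshold are all assumptions constructed for the illustration; a real deployment would map them onto the Security 4698 and Sysmon EID 1 fields of its own pipeline.

```python
import math
import re
from datetime import datetime, timedelta

# Mutable elements from the strategy as tunable parameters (values are assumptions).
TIME_WINDOW = timedelta(minutes=5)                 # creation -> execution proximity
EXPECTED_TASK_USERS = {"CORP\\svc_backup"}         # accounts that normally register tasks
TASK_NAME_PATTERN = re.compile(r"^\\?(?=.*\d)[a-z0-9]{10,}$", re.I)  # random-looking names
ENTROPY_THRESHOLD = 4.5                            # bits/char of the longest argument
TASK_LAUNCHERS = ("svchost.exe", "taskeng.exe")    # parents that start task actions

def shannon_entropy(text):
    """Bits per character; long encoded blobs sit well above plain paths."""
    if not text:
        return 0.0
    probs = [text.count(c) / len(text) for c in set(text)]
    return -sum(p * math.log2(p) for p in probs)

def task_reasons(creation):
    """Score one 4698 creation record against the mutable elements."""
    reasons = []
    if creation["user"] not in EXPECTED_TASK_USERS:
        reasons.append("UserContext")
    if TASK_NAME_PATTERN.match(creation["task"]):
        reasons.append("TaskNamePattern")
    longest_arg = max(creation["cmd"].split(), key=len)
    if shannon_entropy(longest_arg) > ENTROPY_THRESHOLD:
        reasons.append("CommandLineEntropy")
    return reasons

def correlate(events):
    """Join 4698 creations to Sysmon EID 1 launches by a task host within TIME_WINDOW."""
    creations = [e for e in events if e["channel"] == "Security" and e["code"] == 4698]
    launches = [e for e in events if e["channel"] == "Sysmon" and e["code"] == 1]
    alerts = []
    for c in creations:
        t0 = datetime.fromisoformat(c["ts"])
        runs = [x for x in launches
                if x["parent"].lower().endswith(TASK_LAUNCHERS)
                and c["cmd"].lower() in x["cmd"].lower()
                and t0 <= datetime.fromisoformat(x["ts"]) <= t0 + TIME_WINDOW]
        if runs and (reasons := task_reasons(c)):
            alerts.append({"task": c["task"], "user": c["user"], "reasons": reasons})
    return alerts

# Constructed sample records (simplified field names, not real telemetry); the
# encoded blob is a made-up fixture that decodes to nothing meaningful.
BLOB = "aZ9bY8cX7dW6eV5fU4gT3hS2iR1jQ0kPlOmNnMoLpKqJrIsHtGuFvEwDxCyBzA+/"
SAMPLE_EVENTS = [
    {"channel": "Security", "code": 4698, "ts": "2025-10-21T02:00:00", "user": "CORP\\svc_backup",
     "task": "\\Backup\\Nightly", "cmd": "C:\\Tools\\backup.exe /daily"},
    {"channel": "Sysmon", "code": 1, "ts": "2025-10-21T02:00:05",
     "parent": "C:\\Windows\\System32\\svchost.exe", "cmd": "C:\\Tools\\backup.exe /daily"},
    {"channel": "Security", "code": 4698, "ts": "2025-10-21T10:00:00", "user": "NT AUTHORITY\\SYSTEM",
     "task": "\\x9f2kq7v1bz", "cmd": "powershell.exe -nop -w hidden -enc " + BLOB},
    {"channel": "Sysmon", "code": 1, "ts": "2025-10-21T10:00:30",
     "parent": "C:\\Windows\\System32\\svchost.exe", "cmd": "powershell.exe -nop -w hidden -enc " + BLOB},
]
```

The benign nightly backup is also launched by svchost.exe but produces no alert because none of the mutable-element checks fire; the second task trips all three, which is the signal the analytic is after.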