Office process creates a scheduled task via file access

Cortex XDR Analytics Alert Reference by Alert name

Product: Cortex XDR
Last date published: 2024-10-08
Category: Analytics Alert Reference
Order: Alert name

Synopsis

Activation Period: 14 Days
Training Period: 30 Days
Test Period: N/A (single event)
Deduplication Period: 1 Day
Required Data:
  • Requires:
    • XDR Agent
Detection Modules:
Detector Tags:
ATT&CK Tactic:
ATT&CK Technique: Scheduled Task/Job (T1053)
Severity: Medium

Description

A Microsoft Office process created a scheduled task via file access. Attackers may create scheduled tasks for execution and to establish persistence.

Attacker's Goals

An attacker may gain persistence and execute malicious tools via scheduled tasks.

Investigative actions

Check the created task file and look for the action triggered by the task.
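
One way to carry out the investigative action above, shown as an added example that is not part of the Cortex XDR reference: a Python sketch that parses a Task Scheduler XML definition and pulls out the triggered actions together with the author, triggers, run level and hidden flag. The sample task, its path and the names `summarize_task` and `local` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace of the Task Scheduler XML schema used by task definition files.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample task definition (not taken from a real alert).
SAMPLE_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>EXAMPLE\user</Author></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\Public\example.exe</Command>
      <Arguments>/placeholder</Arguments>
    </Exec>
  </Actions>
</Task>"""


def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def summarize_task(xml_data):
    """Return the fields an analyst reviews first: who, when, and what runs.

    Accepts str or bytes; pass a file's raw bytes so the parser honours
    the file's own encoding (task files are typically UTF-16).
    """
    root = ET.fromstring(xml_data)
    actions = []
    for node in root.findall("t:Actions/*", NS):
        # Exec carries Command/Arguments; ComHandler carries ClassId/Data.
        fields = {local(c.tag): (c.text or "").strip() for c in node}
        actions.append({"type": local(node.tag), **fields})
    return {
        "author": root.findtext("t:RegistrationInfo/t:Author", "", NS),
        "triggers": [local(n.tag) for n in root.findall("t:Triggers/*", NS)],
        "run_level": root.findtext("t:Principals/t:Principal/t:RunLevel", "", NS),
        "hidden": root.findtext("t:Settings/t:Hidden", "false", NS).strip() == "true",
        "actions": actions,
    }


if __name__ == "__main__":
    for key, value in summarize_task(SAMPLE_TASK).items():
        print(f"{key}: {value}")
```

Compare the reported command and arguments with what the Office document's owner would legitimately need; an action that launches a binary or script from a user-writable location is the usual point to escalate.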