Synopsis
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | N/A (single event) |
| Deduplication Period | 6 Hours |
| Required Data | |
| Detection Modules | |
| Detector Tags | |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | High |
Description
The schtasks.exe command enables creating, deleting, querying, changing, running, and ending scheduled tasks on a local or remote computer. Adversaries may attempt to use the command to execute programs or persist malware on remote machines.
Attacker's Goals
Attackers can attempt to use the command to execute programs or persist malware on remote endpoints.
Investigative actions
- Investigate the initiator process and whether it should create remote tasks.
- Investigate the scheduled task execution on the remote machine.
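
One way to triage the command lines behind this alert, as an added example that is not part of the original page or the vendor's detector logic: it parses process-creation command lines, keeps only `schtasks /create` with a remote `/s` target, and returns the initiator alongside the task name, action and run-as account. The event tuples, host names and paths are constructed, and `parse_remote_create` and `triage` are hypothetical helper names.

```python
import re
import shlex

LOOPBACK = {"localhost", "127.0.0.1", "::1", "."}
VALUE_OPTS = {"/s": "target", "/tn": "task_name", "/tr": "task_run", "/ru": "run_as"}

def parse_remote_create(cmdline, local_host=""):
    """Return triage fields for `schtasks /create /s <remote>`, else None."""
    try:
        # posix=False keeps Windows backslashes intact and honours "quoted args"
        tokens = shlex.split(cmdline, posix=False)
    except ValueError:               # unbalanced quote: fall back to whitespace split
        tokens = cmdline.split()
    tokens = [t.strip('"') for t in tokens] or [""]
    image = re.split(r"[\\/]", tokens[0])[-1].lower()
    if image not in ("schtasks", "schtasks.exe"):
        return None
    fields, create, i = {}, False, 1
    while i < len(tokens):
        opt = tokens[i].lower()      # schtasks options are case-insensitive
        if opt == "/create":
            create = True
        elif opt in VALUE_OPTS and i + 1 < len(tokens):
            fields[VALUE_OPTS[opt]] = tokens[i + 1]
            i += 1                   # skip the value, even if it starts with "/"
        i += 1
    target = fields.get("target", "").lstrip("\\").lower()
    # Drop non-create calls, local tasks, and /s pointing back at the same machine
    if not create or not target or target in LOOPBACK or target == local_host.lower():
        return None
    fields["target"] = target
    return fields

# Constructed process-creation events: (reporting host, initiator image, command line)
EVENTS = [
    ("WS01", r"C:\Windows\System32\cmd.exe",
     r'schtasks.exe /Create /S FILESRV02 /TN "Inventory" /TR "C:\Tools\inv.exe" /SC ONCE /ST 23:00 /RU SYSTEM'),
    ("WS01", r"C:\Windows\System32\cmd.exe", r"schtasks /query /s FILESRV02"),
    ("WS02", r"C:\Windows\explorer.exe",
     r'"C:\Windows\System32\schtasks.exe" /create /tn Backup /tr "C:\Tools\backup.cmd" /sc daily'),
    ("WS03", r"C:\Windows\System32\cmd.exe",
     r"schtasks /CREATE /s \\WS03 /tn Local /tr notepad.exe /sc once /st 10:00"),
]

def triage(events):
    """Return one finding per remote task creation, keeping the initiator for review."""
    hits = ((h, p, parse_remote_create(c, local_host=h)) for h, p, c in events)
    return [{"source": h, "initiator": p, **f} for h, p, f in hits if f]
```

Only the first constructed event is returned; the query, the local task and the `/s` that names the reporting host itself are dropped.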