Uncommon signed process execution by scheduled task

Cortex XDR Analytics Alert Reference by Alert name
Product
Cortex XDR
Last date published
2026-03-10
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent

Detection Modules

Detector Tags

ATT&CK Tactic

Persistence (TA0003)

ATT&CK Technique

Scheduled Task/Job (T1053)

Severity

Informational

Description

An uncommon process was executed by a scheduled task.

Attacker's Goals

Attackers may attempt to gain persistence, privilege escalation or proxy execution on the endpoint using scheduled tasks.

Investigative actions

  • Review the process executed by the schedule task.
  • Investigate the specific scheduled task execution chain.
  • Check if the vendor is known in the organization for creating scheduled tasks to execute his product.

Variations

Uncommon Microsoft signed process execution by scheduled task

Synopsis

ATT&CK Tactic

Persistence (TA0003)

ATT&CK Technique

Scheduled Task/Job (T1053)

Severity

Informational

Description

An uncommon process was executed by a scheduled task.

Attacker's Goals

Attackers may attempt to gain persistence, privilege escalation or proxy execution on the endpoint using scheduled tasks.

Investigative actions

  • Review the process executed by the schedule task.
  • Investigate the specific scheduled task execution chain.
  • Check if the vendor is known in the organization for creating scheduled tasks to execute his product.


Uncommon signed process execution by scheduled task on a sensitive server

Synopsis

ATT&CK Tactic

Persistence (TA0003)

ATT&CK Technique

Scheduled Task/Job (T1053)

Severity

Low

Description

An uncommon process was executed by a scheduled task.

Attacker's Goals

Attackers may attempt to gain persistence, privilege escalation or proxy execution on the endpoint using scheduled tasks.

Investigative actions

  • Review the process executed by the schedule task.
  • Investigate the specific scheduled task execution chain.
  • Check if the vendor is known in the organization for creating scheduled tasks to execute his product.


Rare signed process execution by scheduled task

Synopsis

ATT&CK Tactic

Persistence (TA0003)

ATT&CK Technique

Scheduled Task/Job (T1053)

Severity

Low

Description

A rare process was executed by a scheduled task.

Attacker's Goals

Attackers may attempt to gain persistence, privilege escalation or proxy execution on the endpoint using scheduled tasks.

Investigative actions

  • Review the process executed by the schedule task.
  • Investigate the specific scheduled task execution chain.
  • Check if the vendor is known in the organization for creating scheduled tasks to execute his product.