Unsigned process creates a scheduled task via file access

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-06-04
Category
Analytics Alert Reference
Order
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

6 Hours

Required Data

  • Requires:
    • XDR Agent

Detection Modules

ATT&CK Tactic

ATT&CK Technique

Scheduled Task/Job (T1053)

Severity

Low

Description

A scheduled task was created via file access from an unsigned process. This is uncommon and may indicate malicious activity.

Attacker's Goals

Attackers may attempt to gain persistence on the endpoint using scheduled tasks.

Investigative actions

  • Review the process executed by the schedule task.
  • Investigate the specific scheduled task execution chain.

Variations

Unsigned process creates a scheduled task via file access on a sensitive server

Synopsis

ATT&CK Tactic

ATT&CK Technique

Scheduled Task/Job (T1053)

Severity

Medium

Description

A scheduled task was created via file access from an unsigned process. This is uncommon and may indicate malicious activity.

Attacker's Goals

Attackers may attempt to gain persistence on the endpoint using scheduled tasks.

Investigative actions

  • Review the process executed by the schedule task.
  • Investigate the specific scheduled task execution chain.