Rare scheduled task created

Cortex XSIAM Analytics Alert Reference by Alert name
Product
Cortex XSIAM
Last date published
2026-03-01
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent with eXtended Threat Hunting (XTH)

Detection Modules

Detector Tags

Impacket Analytics

ATT&CK Tactic

Persistence (TA0003)

ATT&CK Technique

Scheduled Task/Job (T1053)

Severity

Informational

Response playbooks

Variations of this detector that create incidents have an OOTB response playbook included in the Cortex Response and Remediation Pack

Description

A new rare scheduled task was created with a rare path and a rare command line.

Attacker's Goals

Attackers may attempt to gain persistence on the endpoint using scheduled task.

Investigative actions

  • Review the action of the created scheduled task.
  • Investigate the execution chain of the process creating the scheduled task.

Variations

Rare scheduled task created by an injected actor

Synopsis

ATT&CK Tactic

Persistence (TA0003)

ATT&CK Technique

Scheduled Task/Job (T1053)

Severity

High

Description

A new rare scheduled task was created by an injected actor with a rare path and a rare command line.

Attacker's Goals

Attackers may attempt to gain persistence on the endpoint using scheduled task.

Investigative actions

  • Review the action of the created scheduled task.
  • Investigate the execution chain of the process creating the scheduled task.


Uncommon remote scheduled task created

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Medium

Response playbooks

Uncommon remote scheduled task created

Description

A new uncommon remote scheduled task was created with a rare path and a rare command line.

Attacker's Goals

Attackers may attempt to gain persistence or perform lateral movement to new hosts to expand the foothold within a network.

Investigative actions

  • Review the action of the created scheduled task.
  • Correlate the RPC call from the source host and understand which software initiated it.


Uncommon local scheduled task created

Synopsis

ATT&CK Tactic

Persistence (TA0003)

ATT&CK Technique

Scheduled Task/Job (T1053)

Severity

Low

Description

A new uncommon local scheduled task was created with a rare path and a rare command line.

Attacker's Goals

Attackers may attempt to gain persistence on the endpoint using scheduled task.

Investigative actions

  • Review the action of the created scheduled task.
  • Investigate the execution chain of the process creating the scheduled task.


Highly rare scheduled task created

Synopsis

ATT&CK Tactic

Persistence (TA0003)

ATT&CK Technique

Scheduled Task/Job (T1053)

Severity

Low

Description

A new rare scheduled task was created with an highly rare path and a rare command line.

Attacker's Goals

Attackers may attempt to gain persistence on the endpoint using scheduled task.

Investigative actions

  • Review the action of the created scheduled task.
  • Investigate the execution chain of the process creating the scheduled task.