scheduled task creation | SOC Hunt Feed

Hunt Hypothesis

Adversaries may create scheduled tasks to establish persistence and execute malicious payloads under the guise of legitimate system maintenance. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential long-term access and covert execution mechanisms.

KQL Query

DeviceEvents 
| where ActionType == "ScheduledTaskCreated"
  and InitiatingProcessAccountSid != "S-1-5-18"

Analytic Rule Definition

id: 34208765-264e-4abe-805b-f645925fbadb
name: scheduled task creation
description: |
  Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_susp_schtask_creation.yml.
  Questions via Twitter: @janvonkirchheim.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceEvents
query: |
  DeviceEvents 
  | where ActionType == "ScheduledTaskCreated"
    and InitiatingProcessAccountSid != "S-1-5-18"

Required Data Sources

Sentinel Table	Notes
`DeviceEvents`	Ensure this data connector is enabled

References

[Source Query](https://github.com/Azure/Azure-Sentinel/blob/main/Hunting Queries/Microsoft 365 Defender/Persistence/scheduled task creation.yaml)

False Positive Guidance

Scenario: Legitimate Scheduled Task for System Maintenance
Description: A system administrator creates a scheduled task to run a maintenance script (e.g., DISM, sfc /scannow, or PowerShell script) during off-peak hours.
Filter/Exclusion: process.name: "sfc.exe" OR process.name: "DISM.exe" OR process.name: "powershell.exe" AND process.args: "maintenance" OR process.args: "scannow"
Scenario: User-Initiated Task Scheduler Job
Description: A user schedules a personal task (e.g., backup script, report generation) using the Task Scheduler GUI.
Filter/Exclusion: process.name: "schtasks.exe" AND process.args: "/create" AND user.name: "RegularUser" AND process.args: "backup" OR "report"
Scenario: Automated Patch Management Task
Description: A patch management tool (e.g., Microsoft Endpoint Configuration Manager, SCCM, or WSUS) creates a scheduled task to apply updates.
Filter/Exclusion: process.name: "schtasks.exe" AND process.args: "/create" AND process.args: "patch" OR "update" AND process.parent: "msiexec.exe" OR "wmic.exe"
Scenario: Scheduled Job for Log Rotation or Monitoring
Description: A system or application (e.g., logrotate, ELK stack, or Splunk) creates a scheduled task to rotate or monitor logs.
Filter/Exclusion: process.name: "schtasks.exe" AND process.args: "/create" AND process.args: "logrotate" OR "monitor" AND process.parent: "logrotate.exe" OR "splunk.exe"
Scenario: Scheduled Task for Third-Party Application