Adversaries may write scheduled task definitions into the C:\Windows\System32\Tasks directory to establish persistence or to support lateral movement, because the Task Scheduler is a trusted system component that will run whatever the task definition points at. SOC teams should proactively hunt for task files written by processes running from unusual locations, since this indicates potential compromise and unauthorized process execution in critical system directories.
**Detection Rule**

```yaml
title: Suspicious Scheduled Task Write to System32 Tasks
id: 80e1f67a-4596-4351-98f5-a9c3efabac95
status: test
description: Detects the creation of tasks from processes executed from suspicious locations
references:
    - Internal Research
author: Florian Roth (Nextron Systems)
date: 2021-11-16
modified: 2022-01-12
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.t1053
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|contains: '\Windows\System32\Tasks'
        Image|contains:
            - '\AppData\'
            - 'C:\PerfLogs'
            - '\Windows\System32\config\systemprofile'
    condition: selection
falsepositives:
    - Unknown
level: high
```
Equivalent query over the ASIM FileEvent schema (KQL):

```kql
imFileEvent
// Sigma's TargetFilename is the full path of the written file, which ASIM exposes as
// TargetFilePath (TargetFileName holds only the file name). Sigma's Image is the
// writing process, which ASIM exposes as ActingProcessName; testing TargetFilePath for
// "\AppData\" would require the task file itself to live under AppData and never match.
| where TargetFilePath contains "\\Windows\\System32\\Tasks"
    and (ActingProcessName contains "\\AppData\\"
        or ActingProcessName contains "C:\\PerfLogs"
        or ActingProcessName contains "\\Windows\\System32\\config\\systemprofile")
```
**Scenario:** A system administrator schedules a legitimate maintenance task using schtasks.exe from the C:\Windows\System32\tasks directory.
**Filter/Exclusion:** Exclude tasks created by schtasks.exe when the source path is within C:\Windows\System32\tasks, or when the task name contains known administrative task prefixes such as Maintenance_, Update_, or Backup_.

**Scenario:** A legitimate software installation process creates a scheduled task to run a post-installation script, for example from C:\Program Files\MyApp\setup.exe.
**Filter/Exclusion:** Exclude tasks created by known software installers (e.g., setup.exe, install.exe, msiexec.exe) or when the task is associated with a known legitimate application.

**Scenario:** A user runs a script or tool such as Task Scheduler (via taskschd.msc) to create a task that executes a legitimate system utility, such as DISM.exe or sfc.exe.
**Filter/Exclusion:** Exclude tasks created via the GUI Task Scheduler or when the executable is a known system utility (e.g., DISM.exe, sfc.exe, taskhost.exe).

**Scenario:** A legitimate system update or patching tool (e.g., Windows Update, Microsoft Endpoint Manager) schedules a task to run a system cleanup or patching script.
**Filter/Exclusion:** Exclude tasks created by known patching tools or when the task is associated with a known update mechanism (e.g., wuauclt.exe, mpsvc.exe, msiexec.exe).

**Scenario:** A developer or DevOps engineer uses PowerShell to create a scheduled task for a CI/CD pipeline, for example with Invoke-Command or Register-ScheduledTask.
**Filter/
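As an added example (not part of the original page, the Sigma project, or the rule author's work), the following Python evaluates the rule's selection logic and the exclusions from the scenarios above against a few constructed Sysmon Event ID 11 (FileCreate) records. The `FileEvent` shape, the sample paths, and the exclusion lists are assumptions made for the example; the lists mirror the names the scenarios mention and should be replaced with what is actually observed in your own estate. Running it shows two things a tuner wants to see before shipping exclusions: a task-name prefix exclusion (scenario 1) suppresses a hit from C:\PerfLogs because the attacker chooses the task name, and an exclusion keyed on the process name alone (scenario 2) suppresses an msiexec.exe running from the SYSTEM profile's AppData, which is exactly the location the rule was written to catch.

```python
import ntpath
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Substrings from the Sigma rule's selection. Sigma's 'contains' modifier is
# case-insensitive, so everything is compared in lower case.
TASKS_DIR = "\\windows\\system32\\tasks"
SUSPICIOUS_IMAGE_PATHS = (
    "\\appdata\\",
    "c:\\perflogs",
    "\\windows\\system32\\config\\systemprofile",
)

# Exclusion lists drawn from the false-positive scenarios (assumed, illustrative values).
KNOWN_INSTALLERS = {"setup.exe", "install.exe", "msiexec.exe"}
KNOWN_UPDATE_TOOLS = {"wuauclt.exe", "mpsvc.exe", "msiexec.exe"}
KNOWN_SYSTEM_UTILITIES = {"dism.exe", "sfc.exe", "taskhost.exe"}
ADMIN_TASK_PREFIXES = ("Maintenance_", "Update_", "Backup_")


@dataclass(frozen=True)
class FileEvent:
    """Minimal Sysmon Event ID 11 record: the writing process (Image) and the path written."""
    image: str
    target_filename: str


def matches_rule(ev: FileEvent) -> bool:
    """The Sigma selection: a task file written by a process running from a suspicious location."""
    target = ev.target_filename.lower()
    image = ev.image.lower()
    return TASKS_DIR in target and any(s in image for s in SUSPICIOUS_IMAGE_PATHS)


def exclusion_reason(ev: FileEvent) -> Optional[str]:
    """Apply the tuning exclusions from the scenarios; return the first matching reason, or None."""
    proc = ntpath.basename(ev.image).lower()
    proc_dir = ntpath.dirname(ev.image).lower()
    task_name = ntpath.basename(ev.target_filename)
    # Scenario 1: schtasks.exe launched from the Tasks directory, or an administrative task prefix.
    if (proc == "schtasks.exe" and TASKS_DIR in proc_dir) or task_name.startswith(ADMIN_TASK_PREFIXES):
        return "administrative maintenance task (scenario 1)"
    # Scenario 2: known installers, matched on process name only (the weakness shown below).
    if proc in KNOWN_INSTALLERS:
        return "known software installer (scenario 2)"
    # Scenario 3: taskschd.msc is an MMC snap-in, so the GUI's image is mmc.exe; plus known utilities.
    if proc == "mmc.exe" or proc in KNOWN_SYSTEM_UTILITIES:
        return "GUI Task Scheduler or known system utility (scenario 3)"
    # Scenario 4: known update mechanisms.
    if proc in KNOWN_UPDATE_TOOLS:
        return "known update mechanism (scenario 4)"
    return None


def triage(events: List[FileEvent]) -> List[Tuple[FileEvent, str]]:
    """Return (event, verdict) pairs: 'no match', 'alert', or 'suppressed: <reason>'."""
    results = []
    for ev in events:
        if not matches_rule(ev):
            results.append((ev, "no match"))
            continue
        reason = exclusion_reason(ev)
        results.append((ev, f"suppressed: {reason}" if reason else "alert"))
    return results


# Constructed sample events; none of these paths come from the page or from real telemetry.
SAMPLE_EVENTS = [
    # Task dropped by a binary running from a user profile: the rule's intended hit.
    FileEvent(r"C:\Users\alice\AppData\Local\Temp\svc-update.exe",
              r"C:\Windows\System32\Tasks\OneDriveUpdater"),
    # The Task Scheduler service writing a Microsoft task: image is not in the rule's list.
    FileEvent(r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\Tasks\Microsoft\Windows\Defrag\ScheduledDefrag"),
    # Binary in C:\PerfLogs choosing an administrative-looking task name: the prefix exclusion hides it.
    FileEvent(r"C:\PerfLogs\collector.exe",
              r"C:\Windows\System32\Tasks\Maintenance_Collect"),
    # Installer in Program Files: never reaches the rule, so scenario 2's exclusion is moot for it.
    FileEvent(r"C:\Program Files\MyApp\setup.exe",
              r"C:\Windows\System32\Tasks\MyApp Post-Install"),
    # A file named msiexec.exe under the SYSTEM profile's AppData: rule location, suppressed by name.
    FileEvent(r"C:\Windows\System32\config\systemprofile\AppData\Local\Temp\msiexec.exe",
              r"C:\Windows\System32\Tasks\SystemHealthCheck"),
]


if __name__ == "__main__":
    for ev, verdict in triage(SAMPLE_EVENTS):
        print(f"{verdict:55} {ev.image} -> {ev.target_filename}")
```

The design point is that every exclusion should be at least as specific as the thing the rule keys on: the rule fires on the full path of the writing process, so an exclusion that tests only the process file name or the attacker-chosen task name removes exactly the signal the rule was built around. Exclusions that pin the full image path (and, where available, the signer) keep scenario 2 and scenario 4 tuning without reopening the systemprofile case.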