Unusual Scheduled Task Update

Last updated a month ago on 2025-05-09

Created 3 years ago on 2022-08-29

About

Identifies first-time modifications to scheduled tasks by user accounts, excluding system activity and machine accounts.

Tags

Domain: EndpointOS: WindowsUse Case: Threat DetectionTactic: PersistenceData Source: Windows Security Event LogsLanguage: kuery

Severity

low

Risk Score

MITRE ATT&CK™

Persistence (TA0003)(opens in a new tab or window)

↳ Scheduled Task/Job (T1053)(opens in a new tab or window)

False Positive Examples

Legitimate scheduled tasks may be created during installation of new software.

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type

New Terms Rule

Integration Pack

Prebuilt Security Detection Rules

Index Patterns

logs-system.security*logs-windows.forwarded*winlogbeat-*

Related Integrations

system(opens in a new tab or window)

windows(opens in a new tab or window)

Query

event.category: "iam" and event.code: "4702" and
  not winlog.event_data.SubjectUserSid: ("S-1-5-18" or "S-1-5-19" or "S-1-5-20") and
  not user.name : *$

Install detection rules in Elastic Security

Detect Unusual Scheduled Task Update in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).