rules/windows/lateral_movement_scheduled_task_target.toml

[metadata]
creation_date = "2020/11/20"
integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/12/08"

[rule]
author = ["Elastic"]
description = "Identifies remote scheduled task creations on a target host. This could be indicative of adversary lateral movement."
from = "now-9m"
index = [
    "logs-endpoint.events.registry-*",
    "logs-endpoint.events.network-*",
    "winlogbeat-*",
    "logs-windows.sysmon_operational-*",
    "logs-sentinel_one_cloud_funnel.*",
]
language = "eql"
license = "Elastic License v2"
name = "Remote Scheduled Task Creation"
note = """## Triage and analysis

### Investigating Remote Scheduled Task Creation

[Scheduled tasks](https://docs.microsoft.com/en-us/windows/win32/taskschd/about-the-task-scheduler) are a great mechanism for persistence and program execution. These features can be used remotely for a variety of legitimate reasons, but at the same time used by malware and adversaries. When investigating scheduled tasks that were set up remotely, one of the first steps should be to determine the original intent behind the configuration and to verify if the activity is tied to benign behavior such as software installation or any kind of network administrator work. One objective for these alerts is to understand the configured action within the scheduled task. This is captured within the registry event data for this rule and can be base64 decoded to view the value.

#### Possible investigation steps

- Review the base64 encoded tasks actions registry value to investigate the task configured action.
- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.
- Further examination should include review of host-based artifacts and network logs from around when the scheduled task was created, on both the source and target machines.

### False positive analysis

- There is a high possibility of benign activity tied to the creation of remote scheduled tasks as it is a general feature within Windows and used for legitimate purposes for a wide range of activity. Any kind of context should be found to further understand the source of the activity and determine the intent based on the scheduled task's contents.

### Related rules

- Service Command Lateral Movement - d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc
- Remotely Started Services via RPC - aa9a274d-6b53-424d-ac5e-cb8ca4251650

### Response and remediation

- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved host to prevent further post-compromise behavior.
- Remove scheduled task and any other related artifacts.
- Review privileged account management and user account management settings. Consider implementing group policy object (GPO) policies to further restrict activity, or configuring settings that only allow administrators to create remote scheduled tasks.
"""
references = ["https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language"]
risk_score = 47
rule_id = "954ee7c8-5437-49ae-b2d6-2960883898e9"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Lateral Movement",
    "Resources: Investigation Guide",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
    "Data Source: SentinelOne",
]
type = "eql"

query = '''
/* Task Scheduler service incoming connection followed by TaskCache registry modification  */

sequence by host.id, process.entity_id with maxspan = 1m
   [network where host.os.type == "windows" and process.name : "svchost.exe" and
   network.direction : ("incoming", "ingress") and source.port >= 49152 and destination.port >= 49152 and
   source.ip != "127.0.0.1" and source.ip != "::1" and source.ip != null
   ]
   [registry where host.os.type == "windows" and event.type == "change" and registry.value : "Actions" and
    registry.path : "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\*\\Actions"]
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"


[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1053"
name = "Scheduled Task/Job"
reference = "https://attack.mitre.org/techniques/T1053/"
[[rule.threat.technique.subtechnique]]
id = "T1053.005"
name = "Scheduled Task"
reference = "https://attack.mitre.org/techniques/T1053/005/"


[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[New Rule] Remote Scheduled Task Creation (#598 ) 2020-12-08 16:40:48 +01:00			`[metadata]`
			`creation_date = "2020/11/20"`
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 16 (#5038 ) 2025-09-01 08:25:52 -07:00			`integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]`
[New Rule] Remote Scheduled Task Creation (#598 ) 2020-12-08 16:40:48 +01:00			`maturity = "production"`
Update lateral_movement_scheduled_task_target.toml to fix null values (#5228 ) 2025-12-08 07:10:20 -06:00			`updated_date = "2025/12/08"`
[New Rule] Remote Scheduled Task Creation (#598 ) 2020-12-08 16:40:48 +01:00
			`[rule]`
			`author = ["Elastic"]`
[Rule Tuning] Add windows integration index to rules (#923 ) 2021-01-28 20:53:57 -09:00			`description = "Identifies remote scheduled task creations on a target host. This could be indicative of adversary lateral movement."`
[New Rule] Remote Scheduled Task Creation (#598 ) 2020-12-08 16:40:48 +01:00			`from = "now-9m"`
Back-porting Version Trimming (#3704 ) 2024-05-23 00:45:10 +05:30			`index = [`
			`"logs-endpoint.events.registry-*",`
			`"logs-endpoint.events.network-*",`
			`"winlogbeat-*",`
			`"logs-windows.sysmon_operational-*",`
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 16 (#5038 ) 2025-09-01 08:25:52 -07:00			`"logs-sentinel_one_cloud_funnel.*",`
Back-porting Version Trimming (#3704 ) 2024-05-23 00:45:10 +05:30			`]`
[New Rule] Remote Scheduled Task Creation (#598 ) 2020-12-08 16:40:48 +01:00			`language = "eql"`
Update License to Elastic v2 (#944 ) 2021-03-03 22:12:11 -09:00			`license = "Elastic License v2"`
[New Rule] Remote Scheduled Task Creation (#598 ) 2020-12-08 16:40:48 +01:00			`name = "Remote Scheduled Task Creation"`
Cleanup note field in rules (#1194 ) 2021-05-10 13:40:56 -08:00			`note = """## Triage and analysis`

[Security Content] Current Investigation Guides Review (#1896 ) 2022-04-12 22:05:13 -03:00			`### Investigating Remote Scheduled Task Creation`
[rule-tuning] Adding more context with triage/investigation (#1481 ) 2021-09-15 18:07:21 -07:00
[Security Content] Investigation Guides Line breaks refactor (#2454 ) 2023-01-09 08:28:10 -08:00			[Scheduled tasks](https://docs.microsoft.com/en-us/windows/win32/taskschd/about-the-task-scheduler) are a great mechanism for persistence and program execution. These features can be used remotely for a variety of legitimate reasons, but at the same time used by malware and adversaries. When investigating scheduled tasks that were set up remotely, one of the first steps should be to determine the original intent behind the configuration and to verify if the activity is tied to benign behavior such as software installation or any kind of network administrator work. One objective for these alerts is to understand the configured action within the scheduled task. This is captured within the registry event data for this rule and can be base64 decoded to view the value.
[Security Content] Current Investigation Guides Review (#1896 ) 2022-04-12 22:05:13 -03:00
			`#### Possible investigation steps`
[rule-tuning] Adding more context with triage/investigation (#1481 ) 2021-09-15 18:07:21 -07:00
			`- Review the base64 encoded tasks actions registry value to investigate the task configured action.`
[Security Content] Investigation Guides Line breaks refactor (#2454 ) 2023-01-09 08:28:10 -08:00			`- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.`
			`- Further examination should include review of host-based artifacts and network logs from around when the scheduled task was created, on both the source and target machines.`
[Security Content] Current Investigation Guides Review (#1896 ) 2022-04-12 22:05:13 -03:00
			`### False positive analysis`
[rule-tuning] Adding more context with triage/investigation (#1481 ) 2021-09-15 18:07:21 -07:00
[Security Content] Investigation Guides Line breaks refactor (#2454 ) 2023-01-09 08:28:10 -08:00			`- There is a high possibility of benign activity tied to the creation of remote scheduled tasks as it is a general feature within Windows and used for legitimate purposes for a wide range of activity. Any kind of context should be found to further understand the source of the activity and determine the intent based on the scheduled task's contents.`
[Security Content] Current Investigation Guides Review (#1896 ) 2022-04-12 22:05:13 -03:00
			`### Related rules`

			`- Service Command Lateral Movement - d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc`
			`- Remotely Started Services via RPC - aa9a274d-6b53-424d-ac5e-cb8ca4251650`

			`### Response and remediation`

			`- Initiate the incident response process based on the outcome of the triage.`
			`- Isolate the involved host to prevent further post-compromise behavior.`
			`- Remove scheduled task and any other related artifacts.`
[Security Content] Investigation Guides Line breaks refactor (#2454 ) 2023-01-09 08:28:10 -08:00			`- Review privileged account management and user account management settings. Consider implementing group policy object (GPO) policies to further restrict activity, or configuring settings that only allow administrators to create remote scheduled tasks.`
min_stack all rules to 8.3 (#2259 ) 2022-08-24 10:38:49 -06:00			`"""`
[Docs \| Rule Tuning] Add blog references to rules (#4097 ) 2024-09-25 15:19:20 -05:00			`references = ["https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language"]`
[New Rule] Remote Scheduled Task Creation (#598 ) 2020-12-08 16:40:48 +01:00			`risk_score = 47`
			`rule_id = "954ee7c8-5437-49ae-b2d6-2960883898e9"`
			`severity = "medium"`
Back-porting Version Trimming (#3704 ) 2024-05-23 00:45:10 +05:30			`tags = [`
			`"Domain: Endpoint",`
			`"OS: Windows",`
			`"Use Case: Threat Detection",`
			`"Tactic: Lateral Movement",`
			`"Resources: Investigation Guide",`
			`"Data Source: Elastic Defend",`
			`"Data Source: Sysmon",`
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 16 (#5038 ) 2025-09-01 08:25:52 -07:00			`"Data Source: SentinelOne",`
Back-porting Version Trimming (#3704 ) 2024-05-23 00:45:10 +05:30			`]`
[New Rule] Remote Scheduled Task Creation (#598 ) 2020-12-08 16:40:48 +01:00			`type = "eql"`

			`query = '''`
			`/* Task Scheduler service incoming connection followed by TaskCache registry modification */`

			`sequence by host.id, process.entity_id with maxspan = 1m`
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593 ) 2023-03-05 09:41:19 -09:00			`[network where host.os.type == "windows" and process.name : "svchost.exe" and`
[Rule Tuning] Update network.direction (#1547 ) 2021-10-13 21:46:36 -03:00			`network.direction : ("incoming", "ingress") and source.port >= 49152 and destination.port >= 49152 and`
Update lateral_movement_scheduled_task_target.toml to fix null values (#5228 ) 2025-12-08 07:10:20 -06:00			`source.ip != "127.0.0.1" and source.ip != "::1" and source.ip != null`
[New Rule] Remote Scheduled Task Creation (#598 ) 2020-12-08 16:40:48 +01:00			`]`
[Rule Tuning] Windows Registry Rules Tuning - 1 (#3957 ) 2024-08-06 08:35:17 -03:00			`[registry where host.os.type == "windows" and event.type == "change" and registry.value : "Actions" and`
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 16 (#5038 ) 2025-09-01 08:25:52 -07:00			`registry.path : "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\\\Actions"]`
[New Rule] Remote Scheduled Task Creation (#598 ) 2020-12-08 16:40:48 +01:00			`'''`


			`[[rule.threat]]`
			`framework = "MITRE ATT&CK"`
			`[[rule.threat.technique]]`
			`id = "T1021"`
			`name = "Remote Services"`
			`reference = "https://attack.mitre.org/techniques/T1021/"`


			`[rule.threat.tactic]`
			`id = "TA0008"`
			`name = "Lateral Movement"`
			`reference = "https://attack.mitre.org/tactics/TA0008/"`
			`[[rule.threat]]`
			`framework = "MITRE ATT&CK"`
			`[[rule.threat.technique]]`
			`id = "T1053"`
			`name = "Scheduled Task/Job"`
			`reference = "https://attack.mitre.org/techniques/T1053/"`
[FR] Add Endpoint, APM and Windows Integration Tags to Rules and Supportability (#2429 ) 2023-01-04 09:30:07 -05:00			`[[rule.threat.technique.subtechnique]]`
			`id = "T1053.005"`
			`name = "Scheduled Task"`
			`reference = "https://attack.mitre.org/techniques/T1053/005/"`
[New Rule] Remote Scheduled Task Creation (#598 ) 2020-12-08 16:40:48 +01:00
[Rule Tuning] Update threat mappings for Windows rules (#1497 ) 2021-09-23 14:08:38 -03:00
[New Rule] Remote Scheduled Task Creation (#598 ) 2020-12-08 16:40:48 +01:00
			`[rule.threat.tactic]`
			`id = "TA0002"`
			`name = "Execution"`
			`reference = "https://attack.mitre.org/tactics/TA0002/"`
[Rule Tuning] Add windows integration index to rules (#923 ) 2021-01-28 20:53:57 -09:00