WinEvent Windows Task Scheduler Event Action Started

Author: Michael Haag, Splunk
Source: upstream

The following analytic detects the execution of tasks registered in Windows Task Scheduler by monitoring EventID 200 (action run) and 201 (action completed) from the Task Scheduler logs. This detection leverages Task Scheduler logs to identify potentially suspicious or unauthorized task executions. Monitoring these events is significant for a SOC as it helps uncover evasive techniques used for persistence, unauthorized code execution, or other malicious activities. If confirmed malicious, this activity could lead to unauthorized access, data exfiltration, or the execution of harmful payloads, posing a significant threat to the environment.

MITRE ATT&CK coverage

Tactic	Techniques
Execution	`T1053.005` Scheduled Task/Job: Scheduled Task
Persistence	`T1053.005` Scheduled Task/Job: Scheduled Task
Privilege Escalation	`T1053.005` Scheduled Task/Job: Scheduled Task

Event coverage

Provider	Event ID	Title
TaskScheduler	200	Task Scheduler launched action "TaskName" in instance "ActionName" of task "Name".
TaskScheduler	201	Task Scheduler successfully completed task "Name" , instance "TaskInstanceId" , action "TaskName" .

Stages and Predicates

Stage 1: `search`

search EventCode IN ("200", "201")

Stage 2: `stats`

stats BY TaskName, dvc, EventCode

Stage 3: `search`

search

Stage 4: `search`

search

Stage 5: `search`

search `macro`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`EventCode`	in	`"200"` `"201"`

WinEvent Windows Task Scheduler Event Action Started

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: search

Stage 2: stats

Stage 3: search