```yaml
title: Remote Scheduled Task Creation via WinRM
id: edr-win-persist-winrm-schtask
status: stable
description: >
  Detects process creation events where an unverified WinRM-related parent process
  (wsmprovhost.exe, winrshost.exe) spawns schtasks.exe with command-line arguments
  indicating remote scheduled task creation. This is a common persistence pattern
  observed during lateral movement via PowerShell Remoting or Evil-WinRM.
references:
  - https://attack.mitre.org/techniques/T1021/006/
  - https://attack.mitre.org/techniques/T1053/005/
author: ShroudCloud
date: 2026/04/16
tags:
  - attack.persistence
  - attack.lateral_movement
  - attack.t1053.005
  - attack.t1021.006
logsource:
  category: process_creation
  product: windows
detection:
  parent_filter:
    ParentCodeSignature|notin:
      - 'valid'
      - 'verified'
    ParentImage|endswith:
      - '\wsmprovhost.exe'
      - '\winrshost.exe'
    ParentOriginalFileName|endswith:
      - 'Host process for WinRM plug-ins'
      - "Host Process for WinRM's Remote Shell plugin"
  parent_exclusion:
    ParentImage|endswith:
      - '\msiexec.exe'
      - '\svchost.exe'
  remote_schtasks:
    Image|endswith: '\schtasks.exe'
    CommandLine|contains:
      - 'create'
      - 'run'
      - 'query'
  condition: (parent_filter and not parent_exclusion) and remote_schtasks
falsepositives:
  - Legitimate administrative use of WinRM to create scheduled tasks (baseline by source host and admin account)
level: high
```
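As an added example that is not part of the rule or of any Sigma tooling, the following Python evaluates the rule's three selections and its condition over constructed process_creation events; the field names come from the rule, while the sample paths, signature values and command lines are invented.

```python
# Added example (not part of the rule or of any Sigma tool): a small evaluator for
# the rule's selections and condition, run over constructed process_creation events.
RULE = {
    "parent_filter": {
        "ParentCodeSignature|notin": ["valid", "verified"],
        "ParentImage|endswith": ["\\wsmprovhost.exe", "\\winrshost.exe"],
        "ParentOriginalFileName|endswith": ["Host process for WinRM plug-ins",
                                            "Host Process for WinRM's Remote Shell plugin"],
    },
    "parent_exclusion": {"ParentImage|endswith": ["\\msiexec.exe", "\\svchost.exe"]},
    "remote_schtasks": {"Image|endswith": ["\\schtasks.exe"],
                        "CommandLine|contains": ["create", "run", "query"]},
}

def field_matches(event, spec, values):
    # Sigma string matching is case-insensitive; a list of values is OR'd.
    field, modifier = spec.split("|")
    actual = str(event.get(field, "")).lower()
    wanted = [v.lower() for v in values]
    if modifier == "endswith":
        return any(actual.endswith(v) for v in wanted)
    if modifier == "contains":
        return any(v in actual for v in wanted)
    if modifier == "notin":
        return actual not in wanted
    raise ValueError(f"unsupported modifier: {modifier}")

def selection_matches(event, selection):
    # All fields of a selection must match (AND).
    return all(field_matches(event, s, v) for s, v in selection.items())

def rule_matches(event):
    # condition: (parent_filter and not parent_exclusion) and remote_schtasks
    s = {n: selection_matches(event, sel) for n, sel in RULE.items()}
    return (s["parent_filter"] and not s["parent_exclusion"]) and s["remote_schtasks"]

# Constructed events; ParentOriginalFileName holds the description-style string the rule expects.
WINRM = r"C:\Windows\System32\wsmprovhost.exe"
SCHTASKS = r"C:\Windows\System32\schtasks.exe"
EVENTS = [
    {"ParentImage": WINRM, "ParentCodeSignature": "unsigned", "Image": SCHTASKS,
     "ParentOriginalFileName": "Host process for WinRM plug-ins",
     "CommandLine": r'schtasks.exe /Create /SC ONLOGON /TN Updater /TR "C:\Temp\update.exe"'},
    {"ParentImage": WINRM, "ParentCodeSignature": "valid", "Image": SCHTASKS,  # signed parent
     "ParentOriginalFileName": "Host process for WinRM plug-ins",
     "CommandLine": "schtasks.exe /Query /TN Updater"},
    {"ParentImage": r"C:\Windows\explorer.exe", "ParentCodeSignature": "valid",  # local admin
     "ParentOriginalFileName": "EXPLORER.EXE", "Image": SCHTASKS,
     "CommandLine": "schtasks.exe /Run /TN Updater"},
]
```

Only the first event fires: the second has a signed parent and the third has no WinRM parent, even though both run schtasks.exe with a matching verb.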