
Summary
This analysis detects the creation of Windows Scheduled Tasks whose action spawns a native Windows shell, such as PowerShell, Cmd, Wscript, or Cscript. By monitoring Windows Security Event Code 4698 (A scheduled task was created), the detection rule highlights activity that could establish persistence, execute arbitrary commands, or escalate privileges on a system. The rule generates an alert when the task definition carried in the event contains one of these shell commands, prompting security teams to investigate for unauthorized access or malicious intent. Two practical points: 4698 is only logged when the "Audit Other Object Access Events" audit subcategory is enabled, and the task definition arrives as XML (the Task Scheduler schema) embedded in the event, with the launched binary in the Exec/Command element and its parameters in Exec/Arguments. The command is recorded exactly as the task author wrote it, so matching must tolerate full paths, surrounding quotes, mixed case, and environment variables such as %SystemRoot%.
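The following is an added worked example of the matching logic described above; it is not the rule's own query or code. It parses the task XML from constructed 4698-shaped records (the TaskName, SubjectUserName and TaskContent fields and the sample values are all made up for this example), normalizes the Exec/Command value to a bare image name, and flags the task when that name is one of the shells the rule targets. The inclusion of pwsh.exe and the small environment-variable table are assumptions added here, not part of the rule.

```python
"""Flag scheduled-task creation events (Security 4698) whose action launches a native shell.

Added example; not the detection rule's own implementation. Input records are
constructed to resemble a parsed 4698 event (TaskName, SubjectUserName, TaskContent).
"""
import ntpath
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Shells from the rule's description; pwsh.exe (PowerShell 7) is an added assumption.
SHELL_BINARIES = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Minimal expansion of variables that commonly appear in task Command values.
# Assumption: a production pipeline would use the host's real environment.
ENV_VARS = {"%systemroot%": r"c:\windows", "%windir%": r"c:\windows",
            "%comspec%": r"c:\windows\system32\cmd.exe"}

def local_name(tag):
    """Strip the Task Scheduler schema namespace: '{...}Command' -> 'Command'."""
    return tag.rsplit("}", 1)[-1]

def normalize_image(command):
    """Reduce a Command value to a lower-case file name, e.g. '"%SystemRoot%\\System32\\cmd.exe"' -> 'cmd.exe'."""
    low = command.strip().strip('"').strip().lower()
    for var, value in ENV_VARS.items():
        low = low.replace(var, value)
    name = ntpath.basename(low)
    if name and "." not in name:   # 'cmd' is resolved through PATH to cmd.exe
        name += ".exe"
    return name

def exec_actions(task_content):
    """Return [(command, arguments), ...] for every <Exec> action in a 4698 TaskContent blob."""
    # Real TaskContent begins with an encoding="UTF-16" declaration, which ElementTree
    # rejects on already-decoded str input, so strip the declaration before parsing.
    xml_text = re.sub(r"^\s*<\?xml[^>]*\?>", "", task_content)
    root = ET.fromstring(xml_text)
    actions = []
    for node in root.iter():
        if local_name(node.tag) != "Exec":
            continue
        command = arguments = ""
        for child in node:
            if local_name(child.tag) == "Command":
                command = child.text or ""
            elif local_name(child.tag) == "Arguments":
                arguments = child.text or ""
        actions.append((command, arguments))
    return actions

def evaluate(event):
    """Return an alert dict if any action of the task launches a shell, else None."""
    for command, arguments in exec_actions(event["TaskContent"]):
        image = normalize_image(command)
        if image in SHELL_BINARIES:
            return {"task": event["TaskName"], "user": event["SubjectUserName"],
                    "image": image, "arguments": arguments}
    return None

def detect(events):
    """Run the rule over a batch of 4698 records and return the alerts."""
    return [alert for alert in map(evaluate, events) if alert]

def task_xml(author, command, arguments=""):
    """Build a task definition shaped like the TaskContent field of a 4698 event (constructed)."""
    return (
        '<?xml version="1.0" encoding="UTF-16"?>'
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        f"<RegistrationInfo><Author>{escape(author)}</Author></RegistrationInfo>"
        "<Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>"
        '<Actions Context="Author"><Exec>'
        f"<Command>{escape(command)}</Command><Arguments>{escape(arguments)}</Arguments>"
        "</Exec></Actions></Task>"
    )

# Constructed sample records: two shell launches, one vendor binary, one COM-handler task.
SAMPLE_EVENTS = [
    {"EventID": 4698, "TaskName": r"\Microsoft\Windows\Updater", "SubjectUserName": "jdoe",
     "TaskContent": task_xml(r"CORP\jdoe", "powershell.exe",
                             "-NoP -W Hidden -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA")},
    {"EventID": 4698, "TaskName": r"\Vendor\AgentUpdate", "SubjectUserName": "SYSTEM",
     "TaskContent": task_xml("Vendor", r'"C:\Program Files\Vendor\agent.exe"', "--update")},
    {"EventID": 4698, "TaskName": r"\Cleanup", "SubjectUserName": "svc_backup",
     "TaskContent": task_xml(r"CORP\svc_backup", r'"%SystemRoot%\System32\cmd.exe"',
                             r"/c del /q C:\Users\Public\*.log")},
    {"EventID": 4698, "TaskName": r"\Microsoft\Windows\Wininet\CacheTask", "SubjectUserName": "SYSTEM",
     "TaskContent": '<?xml version="1.0" encoding="UTF-16"?>'
                    '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
                    "<Actions><ComHandler><ClassId>{0358b920-0ac7-461f-98f4-58e32cd89148}</ClassId>"
                    "</ComHandler></Actions></Task>"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"ALERT task={alert['task']} user={alert['user']} image={alert['image']} args={alert['arguments']}")
```

Running the block flags the Updater and Cleanup tasks and ignores the vendor binary and the COM-handler task. Matching on the normalized image name rather than a substring of the raw command is deliberate: it catches quoted and variable-expanded paths that a naive `contains "cmd.exe"` check on a path-less value would miss, and it avoids false positives on unrelated binaries whose names merely contain the shell name.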
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Application Log
ATT&CK Techniques
- T1053.005
- T1053
Created: 2025-01-27