
Summary
This rule detects use of the Win32_ScheduledJob WMI class from PowerShell by matching the ScriptBlockText field of PowerShell Script Block Logging events (Event Code 4104). Win32_ScheduledJob represents legacy AT-style jobs (the Schedule service behind at.exe) rather than Task Scheduler 2.0 tasks; its Create method lets a caller schedule an arbitrary command to run at a given time, so an attacker who invokes it through Get-WmiObject, Get-CimInstance, Invoke-WmiMethod or a [wmiclass] accessor can establish persistence or run code later under the scheduling service's context. The class is deprecated on current Windows versions, which makes legitimate use uncommon and any appearance worth triaging. The search is a case-insensitive substring match on 'win32_scheduledjob' in 4104 script block text; because a long script block is logged as several 4104 fragments (MessageNumber of MessageTotal, sharing one ScriptBlockId), the text should be reassembled per ScriptBlockId before matching, and a literal match will not see the class name when it is assembled at run time from concatenated or encoded strings. Script block logging is not enabled by default: it must be turned on through the "Turn on PowerShell Script Block Logging" policy (Administrative Templates > Windows Components > Windows PowerShell), which sets EnableScriptBlockLogging=1 under HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging, or the analytic produces nothing. On a hit, review the full script block, the scheduled command and time, the user and the host, and correlate with process creation on that host. False positives can come from legacy applications and administrative scripts that still manage AT jobs through this class; tune those out by script content or host rather than by disabling the rule.
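The match logic described above, run over a handful of constructed 4104 events. This is an added example written for this page, not the rule's SPL or any Splunk code; the events, host names and ScriptBlockId values are invented, and the field names (ScriptBlockText, ScriptBlockId, MessageNumber, MessageTotal) follow the Windows 4104 event as it is normally indexed. It reassembles fragments per script block before matching, which catches a class name split across two fragments, and includes one string-concatenation case that a substring search cannot see.

```python
import re
from collections import defaultdict

# Constructed sample events (hypothetical hosts and IDs) shaped like
# Windows PowerShell EventID 4104 records. Not taken from any real log.
SAMPLE_EVENTS = [
    # 1. Plain AT-style job creation through the WMI class: should alert.
    {"EventCode": 4104, "Computer": "WS01", "ScriptBlockId": "0f4e-01",
     "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "$j = Get-WmiObject -Class Win32_ScheduledJob\n"
                        "$j.Create('cmd.exe /c calc.exe', '********120000.000000+000')"},
    # 2. One script block logged as two 4104 fragments; the class name is
    #    split across the fragment boundary, so per-fragment matching misses it.
    {"EventCode": 4104, "Computer": "WS02", "ScriptBlockId": "7c21-02",
     "MessageNumber": 1, "MessageTotal": 2,
     "ScriptBlockText": "([wmiclass]'root\\cimv2:Win32_Sched"},
    {"EventCode": 4104, "Computer": "WS02", "ScriptBlockId": "7c21-02",
     "MessageNumber": 2, "MessageTotal": 2,
     "ScriptBlockText": "uledJob').Create('powershell -w hidden', '********230000.000000+000')"},
    # 3. Benign administration: no match expected.
    {"EventCode": 4104, "Computer": "WS03", "ScriptBlockId": "9a10-03",
     "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Get-Process | Where-Object CPU -gt 100 | Sort-Object CPU"},
    # 4. Class name built by string concatenation at run time; a literal
    #    substring search (this rule) cannot see it. Kept to show the gap.
    {"EventCode": 4104, "Computer": "WS04", "ScriptBlockId": "b5d7-04",
     "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Invoke-WmiMethod -Class ('win32_sched'+'uledjob') -Name Create "
                        "-ArgumentList 'cmd.exe','********010000.000000+000'"},
]

# Case-insensitive, equivalent to a Splunk wildcard match on *win32_scheduledjob*.
SCHEDULEDJOB_RE = re.compile(r"win32_scheduledjob", re.IGNORECASE)


def reassemble_script_blocks(events):
    """Join the 4104 fragments of each script block in MessageNumber order.

    Returns {(computer, script_block_id): full_text}. A block is only returned
    once all MessageTotal fragments are present, so incomplete text is never
    matched and never produces a premature "clean" verdict.
    """
    fragments = defaultdict(dict)
    for ev in events:
        if ev["EventCode"] != 4104:
            continue  # module logging (4103) and other events are out of scope
        key = (ev["Computer"], ev["ScriptBlockId"])
        fragments[key][ev["MessageNumber"]] = ev
    blocks = {}
    for key, parts in fragments.items():
        total = next(iter(parts.values()))["MessageTotal"]
        if len(parts) != total:
            continue  # still waiting for the remaining fragments
        blocks[key] = "".join(parts[n]["ScriptBlockText"] for n in sorted(parts))
    return blocks


def detect_scheduledjob_use(events):
    """One finding per reassembled script block that names Win32_ScheduledJob."""
    findings = []
    for (computer, block_id), text in reassemble_script_blocks(events).items():
        m = SCHEDULEDJOB_RE.search(text)
        if m:
            start = max(m.start() - 30, 0)
            findings.append({"Computer": computer, "ScriptBlockId": block_id,
                             "Snippet": text[start:m.end() + 40].replace("\n", " ")})
    return findings


def detect_per_fragment(events):
    """Naive variant that tests each 4104 fragment alone; misses split names."""
    return sorted({ev["ScriptBlockId"] for ev in events
                   if ev["EventCode"] == 4104
                   and SCHEDULEDJOB_RE.search(ev["ScriptBlockText"])})


if __name__ == "__main__":
    for f in detect_scheduledjob_use(SAMPLE_EVENTS):
        print(f"{f['Computer']} {f['ScriptBlockId']}: ...{f['Snippet']}...")
    print("per-fragment matches only:", detect_per_fragment(SAMPLE_EVENTS))
```

Run as-is, the reassembled check flags WS01 and WS02 while the per-fragment check flags only WS01; the concatenated form on WS04 is reported by neither, which is the evasion caveat to keep in mind when tuning this rule or pairing it with broader PowerShell obfuscation analytics.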
Categories
- Endpoint
Data Sources
- Powershell Script Block Logging 4104
ATT&CK Techniques
- T1059.001
- T1059
Created: 2024-11-13