Analytics Alerts
Browse the Cortex analytics alert reference.
18 alerts match the current filters. technique: T1053 ✕
Show ATT&CK heatmapA Kubernetes Cronjob was created Informational Cloud
A Kubernetes CronJob was created.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Scheduled Task/Job: Container Orchestration Job (T1053.007)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Maintain persistence by scheduling deployment of containers configured to execute malicious code.Investigative actions: Check which changes were made to the Kubernetes CronJob.An AWS Lambda Function was created Informational Cloud
An AWS Lambda Function was created.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Execution (TA0002) Persistence (TA0003)ATT&CK techniques: Serverless Execution (T1648) Scheduled Task/Job: Scheduled Task (T1053.005)Required data: AWS Audit LogAttacker's goals: Execute malicious code on AWS using Lambda functions. Maintain persistence on AWS Lambda by creating or invoking Lambda functions.Investigative actions: Identify the Lambda function that was created and analyze its code for any malicious activity.An uncommon lolbin execution by scheduled task Informational 2 variations
A lolbin was executed with uncommon commandline by a scheduled task.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Scheduled Task/Job (T1053)Required data: XDR AgentDetector tags: Scheduled tasks AnalyticsAttacker's goals: Attackers may attempt to gain persistence, privilege escalation or proxy execution on the endpoint using scheduled tasks.Investigative actions: Review the lolbin's command line executed by the schedule task. Investigate the specific scheduled task execution chain. Investigate how the scheduled task was created and the actor who created it.Variations
An uncommon lolbin execution by scheduled task on a sensitive server
Informational overridden
A lolbin was executed with uncommon commandline by a scheduled task. overridden
A rare and commonly-abused lolbin execution by scheduled task
Informational overridden
A commonly abused lolbin was executed with uncommon commandline by a scheduled task. overridden
An unsigned process created scheduled task and performed an injection Medium 1 variation
An unsigned process created scheduled task and performed an injection.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 4 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Defense Evasion (TA0005)ATT&CK techniques: Scheduled Task/Job: Scheduled Task (T1053.005) Process Injection (T1055)Required data: XDR AgentDetector tags: Scheduled tasks AnalyticsAttacker's goals: To ensure they have persistence on the system, the threat actor may use scheduled tasks to set persistence, Then, to avoid detection and carry out stealth execution, they may inject a malicious payload into a remote process.Investigative actions: Investigate the injection payload and the injection process. Check if the scheduled task trigger payload is malicious.Variations
Possible an unsigned installer created scheduled task and performed an injection
Low overridden
Possible an unsigned installer created scheduled task and performed an injection. overridden
Interactive at.exe privilege escalation method Low
Detects an interactive AT scheduled task, which may be used as a form of privilege escalation.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Privilege Escalation (TA0004)ATT&CK techniques: Scheduled Task/Job (T1053) Scheduled Task/Job: At (T1053.002)Required data: XDR AgentDetector tags: Scheduled tasks AnalyticsAttacker's goals: Attackers may attempt to use the command to gain persistence on the endpoint using recurring tasks.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Rare Scheduled Task RPC activity Informational 3 variations
The endpoint performed abnormal Scheduled Task RPC activity to a remote host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008) Persistence (TA0003)ATT&CK techniques: Remote Services (T1021) Scheduled Task/Job (T1053)Required data: Palo Alto Networks Firewall EAL Logs XDR Agent with eXtended Threat Hunting (XTH)Detector tags: NDR Lateral Movement AnalyticsAttacker's goals: Attackers may attempt to gain persistence or move laterally over the network by executing code on remote hosts using scheduled tasks. The ITaskSchedulerService RPC interface is used to query and manage services on a local or remote host.Investigative actions: Review the action of the created scheduled task on the remote host. Correlate the RPC call from the source host and understand which software initiated it. Verify that this isn't IT activity.Variations
Rare remote task registration and creation via Scheduled Task RPC interface
Medium overridden
The endpoint performed abnormal task registration and creation via Scheduled Task RPC interface to a remote host. overridden
Rare remote task creation via Scheduled Task RPC interface
Medium overridden
The endpoint performed abnormal task registration or creation via Scheduled Task RPC interface to a remote host. overridden
Rare Scheduled Task RPC activity
Low overridden
The endpoint performed abnormal Scheduled Task RPC activity to a remote host. overridden
Rare Scheduled Task RPC activity from a rarely seen host Low
The endpoint performed abnormal Scheduled Task RPC activity to a remote host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008) Persistence (TA0003)ATT&CK techniques: Remote Services (T1021) Scheduled Task/Job (T1053)Required data: Palo Alto Networks Firewall EAL Logs XDR Agent with eXtended Threat Hunting (XTH)Detector tags: NDR Lateral Movement Analytics, NDR Unmanaged Subnet AnalyticsAttacker's goals: Attackers may attempt to gain persistence or move laterally over the network by executing code on remote hosts using scheduled tasks. The ITaskSchedulerService RPC interface is used to create and manage scheduled tasks on a local or remote host.Investigative actions: Review the action of the created scheduled task on the remote host. Correlate the RPC call from the source host and understand which software initiated it. Verify that this isn't IT activity.Rare scheduled task created Informational 4 variations
A new rare scheduled task was created with a rare path and a rare command line.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Scheduled Task/Job (T1053)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Impacket Analytics, Scheduled tasks AnalyticsAttacker's goals: Attackers may attempt to gain persistence on the endpoint using scheduled task.Investigative actions: Review the action of the created scheduled task. Investigate the execution chain of the process creating the scheduled task.Variations
Rare scheduled task created by an injected actor
High overridden
A new rare scheduled task was created by an injected actor with a rare path and a rare command line. overridden
Uncommon remote scheduled task created
Medium overridden
A new uncommon remote scheduled task was created with a rare path and a rare command line. overridden
Uncommon local scheduled task created
Low overridden
A new uncommon local scheduled task was created with a rare path and a rare command line. overridden
Highly rare scheduled task created
Low overridden
A new rare scheduled task was created with an highly rare path and a rare command line. overridden
Rare unsigned process execution by scheduled task Low 3 variations
Rare and unsigned process was executed by a scheduled task.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Scheduled Task/Job (T1053)Required data: XDR AgentDetector tags: Scheduled tasks AnalyticsAttacker's goals: Attackers may attempt to gain persistence on the endpoint using scheduled tasks.Investigative actions: Review the process executed by the schedule task. Investigate the specific scheduled task execution chain.Variations
Uncommon unsigned process execution by scheduled task
Informational overridden
Uncommon and unsigned process was executed by a scheduled task. overridden
Rare unsigned process execution with high integrity level by scheduled task
Medium overridden
Rare and unsigned process was execution with high integrity level by a scheduled task. overridden
Rare unsigned process execution by scheduled task on a sensitive server
Medium overridden
Rare and unsigned process was executed by a scheduled task. overridden
Signed process creates a scheduled task via file access Informational 1 variation
A signed process created a scheduled task via file access. Attackers may create scheduled tasks for execution and to establish persistence.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Persistence (TA0003)ATT&CK techniques: Scheduled Task/Job (T1053)Required data: XDR AgentDetector tags: Scheduled tasks AnalyticsAttacker's goals: An attacker may gain persistence and execute malicious tools via scheduled tasks.Investigative actions: Check the created task file and look for the action triggered by the task.Variations
Signed process running from an untrusted directory creates a scheduled task via file access
Low overridden
A signed process created a scheduled task via file access. Attackers may create scheduled tasks for execution and to establish persistence. overridden
Suspicious container orchestration job Low
A suspicious orchestration job ran with a rare command line.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 10 Minutes
ATT&CK tactics: Execution (TA0002) Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Scheduled Task/Job: Container Orchestration Job (T1053.007)Required data: XDR AgentAttacker's goals: Adversaries may abuse task scheduling functionality provided by container orchestration tools The adversaries do that to schedule deployment of containers configured to execute malicious code.Investigative actions: Investigate The process activities and impact on the relevant container.Suspicious systemd timer activity Low
Suspicious systemd timer activity, which may indicate an attempt to establish persistence.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Scheduled Task/Job: Systemd Timers (T1053.006)Required data: XDR AgentAttacker's goals: An adversary may use systemd timers to execute malicious code at system startup or on a scheduled basis for persistence.Investigative actions: Check the systemd timer file change and try to understand the impact of the systemd timers change.Uncommon AT task-job creation by user Low 2 variations
An unpopular AT task-job was created by a user.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Scheduled Task/Job: At (T1053.002)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Attackers may use at task-jobs for persistence or executing malicious files.Investigative actions: Check the AT job task for suspicious activity.Variations
Uncommon AT task-job creation by user from a web server process
Medium overridden
A web process used the AT command to create a new AT task-job. overridden
Uncommon AT task-job creation by user from unpopular process
Low overridden
An unpopular process created an AT task-job on the host, which is not popular in the organization. overridden
Uncommon PowerShell commands used to create or alter scheduled task parameters Low
Attackers may create or alter scheduled task parameters to gain higher privileges or persistence on the system.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Scheduled Task/Job: Scheduled Task (T1053.005)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Create a new scheduled task or alter an existing one to gain persistence in the system or to gain higher privileges.Investigative actions: Examine the PowerShell command to identify suspicious scheduled task creation or modification. Inspect the system for suspicious activity that is triggered by a scheduled task.Uncommon local scheduled task creation via schtasks.exe Informational 4 variations
The schtasks.exe command enables creating, deleting, querying, changing, running, and ending scheduled tasks on a local or remote computer. Adversaries may attempt to use the command to gain persistence on this host using scheduled tasks.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Scheduled Task/Job (T1053)Required data: XDR AgentDetector tags: Scheduled tasks AnalyticsAttacker's goals: Attackers may attempt to use the command to gain persistence on the endpoint using scheduled tasks.Investigative actions: Review the process that creates the schedule task. Investigate the specific scheduled task execution chain.Variations
Uncommon local scheduled task creation via schtasks.exe by a remote actor
Informational overridden
The schtasks.exe command enables creating, deleting, querying, changing, running, and ending scheduled tasks on a local or remote computer. Adversaries may attempt to use the command to gain persistence on this host using scheduled tasks. overridden
Uncommon scheduled task created by an unsigned and rare actor via schtasks.exe
Low overridden
The schtasks.exe command enables creating, deleting, querying, changing, running, and ending scheduled tasks on a local or remote computer. Adversaries may attempt to use the command to gain persistence on this host using scheduled tasks. overridden
Uncommon scheduled task created by an unsigned actor via schtasks.exe
Low overridden
The schtasks.exe command enables creating, deleting, querying, changing, running, and ending scheduled tasks on a local or remote computer. Adversaries may attempt to use the command to gain persistence on this host using scheduled tasks. overridden
Uncommon scheduled task created by a signed actor from a rare vendor via schtasks.exe
Low overridden
The schtasks.exe command enables creating, deleting, querying, changing, running, and ending scheduled tasks on a local or remote computer. Adversaries may attempt to use the command to gain persistence on this host using scheduled tasks. overridden
Uncommon remote scheduled task creation Low 1 variation
The schtasks.exe command enables creating, deleting, querying, changing, running, and ending scheduled tasks on a local or remote computer. Adversaries may attempt to use the command to execute programs or persist malware on remote machines.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Scheduled Task/Job (T1053)Required data: XDR AgentDetector tags: Scheduled tasks AnalyticsAttacker's goals: Attackers can attempt to use the command to execute programs or persist malware on remote endpoints.Investigative actions: Investigate the initiator process and whether it should create remote tasks. Investigate the scheduled task execution on the remote machine.Variations
Uncommon remote scheduled task creation by a remote actor via RDP
High overridden
The schtasks.exe command enables creating, deleting, querying, changing, running, and ending scheduled tasks on a local or remote computer. Adversaries may attempt to use the command to execute programs or persist malware on remote machines. overridden
Uncommon signed process execution by scheduled task Informational 3 variations
An uncommon process was executed by a scheduled task.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Scheduled Task/Job (T1053)Required data: XDR AgentDetector tags: Scheduled tasks AnalyticsAttacker's goals: Attackers may attempt to gain persistence, privilege escalation or proxy execution on the endpoint using scheduled tasks.Investigative actions: Review the process executed by the schedule task. Investigate the specific scheduled task execution chain. Check if the vendor is known in the organization for creating scheduled tasks to execute his product.Variations
Uncommon Microsoft signed process execution by scheduled task
Informational overridden
An uncommon process was executed by a scheduled task. overridden
Uncommon signed process execution by scheduled task on a sensitive server
Low overridden
An uncommon process was executed by a scheduled task. overridden
Rare signed process execution by scheduled task
Low overridden
A rare process was executed by a scheduled task. overridden
Unsigned process creates a scheduled task via file access Low 1 variation
A scheduled task was created via file access from an unsigned process. This is uncommon and may indicate malicious activity.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Persistence (TA0003)ATT&CK techniques: Scheduled Task/Job (T1053)Required data: XDR AgentDetector tags: Scheduled tasks AnalyticsAttacker's goals: Attackers may attempt to gain persistence on the endpoint using scheduled tasks.Investigative actions: Review the process executed by the schedule task. Investigate the specific scheduled task execution chain.Variations
Unsigned process creates a scheduled task via file access on a sensitive server
Medium overridden
A scheduled task was created via file access from an unsigned process. This is uncommon and may indicate malicious activity. overridden