Query Details

Detect Unsigned executable launch from scheduled task

Detect Unsigned Exec Launch From Scheduled Task

Query

let scheduled_binaries = (
    DeviceProcessEvents
    | where ActionType !contains "aggregated"
    | where Timestamp > ago(1h)
    | where InitiatingProcessCommandLine == "svchost.exe -k netsvcs -p -s Schedule"
    | distinct SHA1
);
let untrusted_binaries = (
    scheduled_binaries
    | join kind=leftanti (
        DeviceFileCertificateInfo 
        | where Timestamp > ago(1h) 
        | summarize max_trusted=max(IsTrusted) by SHA1 
        | where max_trusted==1
    ) on SHA1
);
untrusted_binaries
| invoke FileProfile(SHA1,1000)
| where IsCertificateValid != 1 // Exclude signed binaries
| where (isnotempty(GlobalPrevalence) and GlobalPrevalence < 1000)
| join (
    DeviceProcessEvents 
    | where ActionType !contains "aggregated"
    | where InitiatingProcessCommandLine == "svchost.exe -k netsvcs -p -s Schedule"
) on SHA1

About this query

Detect Unsigned executable launch from scheduled task

Query Information

MITRE ATT&CK Technique(s)

Technique IDTitleLink
T1053.005Scheduled Task/Job: Scheduled Taskhttps://attack.mitre.org/techniques/T1053/005/

Description

Persistence via Scheduled Tasks is a well-known technique used by adversaries to make sure their malware programs keep running an the compromised device. With this detection rule, you can search for unknown executables being launched from scheduled tasks.

[!WARNING] This detection rule is the base for the detection. You will need to add environment specific finetuning in order to limit the BP detections on legitimate processes

Risk

This detection tries to detect malware being launched from scheduled tasks

Author <Optional>

References

Defender XDR

Explanation

This query is designed to detect potentially malicious activity on a device by identifying unsigned or untrusted executables that are being launched from scheduled tasks. Here's a simplified breakdown of what the query does:

  1. Identify Scheduled Binaries:

    • It looks at device process events to find processes that were initiated by the scheduled task service (svchost.exe -k netsvcs -p -s Schedule).
    • It filters out any aggregated events and focuses on events from the last hour.
    • It collects the SHA1 hashes of these binaries.
  2. Filter Untrusted Binaries:

    • It checks these binaries against a list of trusted certificates.
    • It excludes binaries that have a valid trusted certificate, focusing only on those that are not trusted.
  3. Profile and Filter Further:

    • It profiles these untrusted binaries to check if they are signed.
    • It excludes any binaries that are signed.
    • It further filters to include only those binaries that are not widely prevalent globally (less than 1000 occurrences).
  4. Join with Process Events:

    • It joins the filtered list of untrusted and unsigned binaries with the original process events to provide context on when and how these binaries were executed.

Overall, this query helps in identifying potentially malicious executables that are being run via scheduled tasks, which is a common persistence technique used by attackers. It requires further tuning to reduce false positives from legitimate processes.

Details

Robbe Van den Daele profile picture

Robbe Van den Daele

Released: January 12, 2026

Tables

DeviceProcessEventsDeviceFileCertificateInfo

Keywords

DeviceProcessEventsFileCertificateInfoProfileSHA1TimestampActionTypeInitiatingCommandLineGlobalPrevalence

Operators

let|!contains>==distinctjoinkind=leftantisummarizebyoninvoke!=isnotemptyand<

MITRE Techniques

Actions

GitHub