Detect Unsigned Exec Launch From Scheduled Task

# *Detect Unsigned executable launch from scheduled task*

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1053.005 | Scheduled Task/Job: Scheduled Task | https://attack.mitre.org/techniques/T1053/005/ |

#### Description
Persistence via Scheduled Tasks is a well-known technique used by adversaries to make sure their malware keeps running on the compromised device. With this detection rule, you can search for unknown executables being launched from scheduled tasks.

> [!WARNING]
> This detection rule is the base for the detection. You will need to add environment-specific fine-tuning in order to limit false-positive detections on legitimate processes.

#### Risk
This detection tries to detect malware being launched from scheduled tasks.

#### Author
- **Name:** Robbe Van den Daele
- **Github:** https://github.com/RobbeVandenDaele
- **Twitter:** https://x.com/RobbeVdDaele
- **LinkedIn:** https://www.linkedin.com/in/robbe-van-den-daele-677986190/
- **Website:** https://hybridbrothers.com/

#### References
- https://thecollective.eu/

## Defender XDR
```KQL
// Step 1: SHA1 hashes of every process spawned by the Task Scheduler service in the last hour
let scheduled_binaries = (
    DeviceProcessEvents
    | where ActionType !contains "aggregated"   // skip aggregated report rows
    | where Timestamp > ago(1h)
    | where InitiatingProcessCommandLine == "svchost.exe -k netsvcs -p -s Schedule"
    | distinct SHA1
);
// Step 2: drop every hash that has at least one trusted certificate record (leftanti keeps only non-matches)
let untrusted_binaries = (
    scheduled_binaries
    | join kind=leftanti (
        DeviceFileCertificateInfo
        | where Timestamp > ago(1h)
        | summarize max_trusted=max(IsTrusted) by SHA1
        | where max_trusted==1
    ) on SHA1
);
// Step 3: enrich with FileProfile and keep only unsigned, rarely seen files
untrusted_binaries
| invoke FileProfile(SHA1,1000)
| where IsCertificateValid != 1 // Exclude signed binaries
| where (isnotempty(GlobalPrevalence) and GlobalPrevalence < 1000)
// Step 4: join back to the process events for execution context (note: no time filter on this side)
| join (
    DeviceProcessEvents
    | where ActionType !contains "aggregated"
    | where InitiatingProcessCommandLine == "svchost.exe -k netsvcs -p -s Schedule"
) on SHA1
```

## Explanation

This query is designed to detect potentially malicious activity on a device by identifying unsigned or untrusted executables that are being launched from scheduled tasks. Here is a simplified breakdown of what the query does:

1. **Identify scheduled binaries**
   - It looks at device process events to find processes that were initiated by the scheduled task service (`svchost.exe -k netsvcs -p -s Schedule`).
   - It filters out any aggregated events and focuses on events from the last hour.
   - It collects the distinct SHA1 hashes of these binaries.
2. **Filter untrusted binaries**
   - It checks these hashes against the certificate information recorded for the same hour.
   - It excludes every hash that has at least one trusted certificate record, keeping only those that are not trusted.
3. **Profile and filter further**
   - It enriches the remaining hashes with `FileProfile` to check whether they carry a valid certificate.
   - It excludes any binary whose certificate is valid.
   - It keeps only binaries with a known global prevalence below 1000; a hash with no prevalence value is dropped as well.
4. **Join with process events**
   - It joins the filtered list of untrusted and unsigned hashes back to the process events to provide context on when and how these binaries were executed.

Overall, this query helps in identifying potentially malicious executables that are being run via scheduled tasks, which is a common persistence technique used by attackers. It requires further tuning to reduce false positives from legitimate processes.

## Details

- **Author:** Robbe Van den Daele
- **Released:** January 12, 2026
- **Tables:** DeviceProcessEvents, DeviceFileCertificateInfo
