Detect Unsigned executable launch from scheduled task
Detect Unsigned Exec Launch From Scheduled Task
Query
let scheduled_binaries = (
DeviceProcessEvents
| where ActionType !contains "aggregated"
| where Timestamp > ago(1h)
| where InitiatingProcessCommandLine == "svchost.exe -k netsvcs -p -s Schedule"
| distinct SHA1
);
let untrusted_binaries = (
scheduled_binaries
| join kind=leftanti (
DeviceFileCertificateInfo
| where Timestamp > ago(1h)
| summarize max_trusted=max(IsTrusted) by SHA1
| where max_trusted==1
) on SHA1
);
untrusted_binaries
| invoke FileProfile(SHA1,1000)
| where IsCertificateValid != 1 // Exclude signed binaries
| where (isnotempty(GlobalPrevalence) and GlobalPrevalence < 1000)
| join (
DeviceProcessEvents
| where ActionType !contains "aggregated"
| where InitiatingProcessCommandLine == "svchost.exe -k netsvcs -p -s Schedule"
) on SHA1About this query
Detect Unsigned executable launch from scheduled task
Query Information
MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
|---|---|---|
| T1053.005 | Scheduled Task/Job: Scheduled Task | https://attack.mitre.org/techniques/T1053/005/ |
Description
Persistence via Scheduled Tasks is a well-known technique used by adversaries to make sure their malware programs keep running an the compromised device. With this detection rule, you can search for unknown executables being launched from scheduled tasks.
[!WARNING] This detection rule is the base for the detection. You will need to add environment specific finetuning in order to limit the BP detections on legitimate processes
Risk
This detection tries to detect malware being launched from scheduled tasks
Author <Optional>
- Name: Robbe Van den Daele
- Github: https://github.com/RobbeVandenDaele
- Twitter: https://x.com/RobbeVdDaele
- LinkedIn: https://www.linkedin.com/in/robbe-van-den-daele-677986190/
- Website: https://hybridbrothers.com/
References
Defender XDR
Explanation
This query is designed to detect potentially malicious activity on a device by identifying unsigned or untrusted executables that are being launched from scheduled tasks. Here's a simplified breakdown of what the query does:
-
Identify Scheduled Binaries:
- It looks at device process events to find processes that were initiated by the scheduled task service (
svchost.exe -k netsvcs -p -s Schedule). - It filters out any aggregated events and focuses on events from the last hour.
- It collects the SHA1 hashes of these binaries.
- It looks at device process events to find processes that were initiated by the scheduled task service (
-
Filter Untrusted Binaries:
- It checks these binaries against a list of trusted certificates.
- It excludes binaries that have a valid trusted certificate, focusing only on those that are not trusted.
-
Profile and Filter Further:
- It profiles these untrusted binaries to check if they are signed.
- It excludes any binaries that are signed.
- It further filters to include only those binaries that are not widely prevalent globally (less than 1000 occurrences).
-
Join with Process Events:
- It joins the filtered list of untrusted and unsigned binaries with the original process events to provide context on when and how these binaries were executed.
Overall, this query helps in identifying potentially malicious executables that are being run via scheduled tasks, which is a common persistence technique used by attackers. It requires further tuning to reduce false positives from legitimate processes.
Details

Robbe Van den Daele
Released: January 12, 2026
Tables
Keywords
Operators