Query Details

Scheduled Tasks With Unsigned Binaries

Query

# *Scheduled Tasks with unsigned Binaries*

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1053.005 | Scheduled Task/Job: Scheduled Task | https://attack.mitre.org/techniques/T1053/005/ |
| TA0003 | Persistence | https://attack.mitre.org/tactics/TA0003/ |
| TA0004 | Privilege Escalation | https://attack.mitre.org/tactics/TA0004/ |
| M1045 | Code Signing | https://attack.mitre.org/mitigations/M1045/ |

#### Description
This rule detects scheduled tasks that execute unsigned binaries. It looks for processes whose initiating (parent) process command line is 'svchost.exe -k netsvcs -p -s Schedule', the service host of the Task Scheduler service, drops every hash that a device certificate scan has reported as trusted, and then keeps only binaries for which FileProfile reports no valid certificate and a global prevalence below 1000. This helps identify malicious code that is executed via scheduled tasks and tries to evade detection by using unsigned, rarely seen executables.

#### Risk
Persistence and Privilege Escalation achieved through Task Scheduler abuse by untrusted or custom executables

#### Author
- **Name: Benjamin Zulliger**
- **Github: https://github.com/benscha/KQLAdvancedHunting**
- **LinkedIn: https://www.linkedin.com/in/benjamin-zulliger/**

#### References


## Defender XDR
```KQL
// Exclude false-positive file names here (matched as terms against the full ProcessCommandLine)
// Be aware that this query needs tenant-specific whitelisting; otherwise it produces a lot of false positives
let whitelistedBinaries = dynamic(["Qsync.exe"]);
// Exclude false-positive file hashes here
let whitelistedSHA1Hashes = dynamic([ "9bb7c81dfae65eaf6abb743ba5b73451133c2791"]);
// 1. Distinct hashes launched by the Task Scheduler service host, minus the whitelist
let scheduled_binaries = DeviceProcessEvents
| where InitiatingProcessCommandLine == "svchost.exe -k netsvcs -p -s Schedule"
| where not(ProcessCommandLine has_any (whitelistedBinaries))
| where not(SHA1 has_any (whitelistedSHA1Hashes))
| distinct SHA1;
// 2. Drop every hash that any certificate scan has ever reported as trusted
//    (toint() so that max() works on 0/1; a hash with mixed trusted/untrusted records counts as trusted)
let untrusted_binaries = scheduled_binaries
| join kind=leftanti (DeviceFileCertificateInfo | summarize max_trusted=max(toint(IsTrusted)) by SHA1 | where max_trusted == 1) on SHA1;
// 3. Enrich with FileProfile (at most 1000 hashes per run) and keep unsigned, rare files
untrusted_binaries
| invoke FileProfile(SHA1, 1000)
| where IsCertificateValid != 1 // Exclude signed binaries
| where GlobalPrevalence < 1000 // Note: null prevalence (file unknown to Microsoft) is dropped here as well
// 4. Re-attach the execution details and return the last execution per hash
| join (DeviceProcessEvents | where InitiatingProcessCommandLine == "svchost.exe -k netsvcs -p -s Schedule") on SHA1
| summarize arg_max(Timestamp, *) by SHA1 // Last execution with all details per SHA1
```
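The detection above only becomes usable once `whitelistedBinaries` and `whitelistedSHA1Hashes` reflect the unsigned software that is legitimately scheduled in your tenant. The following baseline query is an added example (not part of the original repository): it ranks every binary the Task Scheduler service host launched during the last 30 days by how many devices ran it, keeps only the ones that are not known to be trusted-signed, and hands back the columns you need to decide whether a file name or hash belongs on the whitelist. The 30-day window and the output column selection are assumptions; the tables, columns and FileProfile fields are those of the Defender XDR Advanced Hunting schema.

```kql
// Added baseline query for whitelist tuning (example code, not from the original repo).
// Assumption: a 30-day look-back is representative for the tenant.
DeviceProcessEvents
| where Timestamp > ago(30d)
| where InitiatingProcessCommandLine == "svchost.exe -k netsvcs -p -s Schedule"
// One row per hash/name/path with fleet-wide spread and a sample command line
| summarize Devices=dcount(DeviceId), Executions=count(),
            FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
            SampleCommandLine=take_any(ProcessCommandLine)
    by SHA1, FileName, FolderPath
// Attach the best trust verdict any device certificate scan produced for the hash
| join kind=leftouter (
    DeviceFileCertificateInfo
    | summarize Trusted=max(toint(IsTrusted)) by SHA1
  ) on SHA1
| project-away SHA11
// Keep hashes with no scan record at all or only untrusted records
| where isnull(Trusted) or Trusted == 0
// FileProfile enriches at most 1000 hashes; the summarize above keeps the input small
| invoke FileProfile(SHA1, 1000)
| where IsCertificateValid != true
| project SHA1, FileName, FolderPath, Devices, Executions, GlobalPrevalence, Signer,
          FirstSeen, LastSeen, SampleCommandLine
// Widely deployed entries at the top are whitelist candidates; singletons deserve a closer look
| order by Devices desc, Executions desc
```

Entries that appear on many devices with a consistent path and vendor name are the usual whitelist candidates (by hash where the software is pinned, by file name where it self-updates); a file that appears on one device, lives under a user-writable path and has a null `GlobalPrevalence` is exactly what the detection is meant to surface and should not be whitelisted.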



Explanation

This query is designed to detect potentially malicious scheduled tasks by identifying unsigned binaries that are executed through the Task Scheduler. A simplified breakdown of what the query does:

  1. Identify Scheduled Tasks: It keeps processes whose initiating (parent) process command line is `svchost.exe -k netsvcs -p -s Schedule`, the service host of the Task Scheduler service. That host is the parent of everything a task launches, regardless of the account the task runs as.

  2. Filter Out Known Safe Binaries: The query excludes whitelisted file names (matched as terms against the full command line, so `Qsync.exe` also matches `C:\Program Files\Qsync\Qsync.exe`) and whitelisted SHA1 hashes to reduce false positives.

  3. Find Unsigned Binaries: A hash is dropped as soon as any DeviceFileCertificateInfo record for it is marked trusted; the remaining hashes are enriched with FileProfile and kept only if `IsCertificateValid` is not set. FileProfile enriches at most 1000 hashes per query run, so tighten the time window or the whitelist if the input grows beyond that.

  4. Check Global Prevalence: Only binaries seen on fewer than 1000 devices globally are kept, which singles out custom or rare software. A file that Microsoft has never seen has a null `GlobalPrevalence` and is therefore dropped by `GlobalPrevalence < 1000`; if you would rather surface those files (they are arguably the most suspicious), use `isnull(GlobalPrevalence) or GlobalPrevalence < 1000`.

  5. Return Recent Executions: Finally, the surviving hashes are joined back to the process events and the most recent execution, with all of its columns, is returned per SHA1 for further investigation.

One deployment caveat: the exact parent command line only matches hosts where Service Host splitting is in effect (Windows 10 and later with more than roughly 3.5 GB of RAM). On other systems the Schedule service shares an svchost whose command line lacks `-s Schedule`, so those tasks are missed; broadening the filter (for example `InitiatingProcessCommandLine has_all ("svchost.exe", "netsvcs")`) improves recall at the cost of also matching the other services in the shared netsvcs host.

Overall, this query helps in identifying potentially harmful scheduled tasks that use unsigned binaries, which could be a sign of persistence or privilege escalation attempts by malicious actors.
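To see the whitelist and certificate logic of steps 1 to 3 and the final join of step 5 work on concrete rows, here is an added example (not from the original repository) that runs the same pipeline over constructed sample data using `datatable()` literals, so it executes in any Kusto endpoint or the Advanced Hunting editor without real telemetry. All hashes, device names and paths are made up, and the FileProfile enrichment of steps 3 and 4 is left out because it cannot be simulated offline; in production the two `Sample*` tables are simply replaced by DeviceProcessEvents and DeviceFileCertificateInfo.

```kql
// Added example: the detection's whitelist/certificate/join logic over constructed rows.
// Not the original query; FileProfile() is omitted because it needs the live service.
// Constructed stand-in for DeviceProcessEvents (hashes shortened, all values made up).
let SampleProcessEvents = datatable(Timestamp:datetime, DeviceName:string, InitiatingProcessCommandLine:string, ProcessCommandLine:string, FolderPath:string, SHA1:string)
[
    // Microsoft-signed binary run by a task: excluded by a trusted certificate record
    datetime(2025-10-01 08:00:00), "ws01", "svchost.exe -k netsvcs -p -s Schedule", "sdbinst.exe /q",      @"C:\Windows\System32\sdbinst.exe",   "aaaa0001",
    // Known-good unsigned vendor tool: excluded by the file-name whitelist
    datetime(2025-10-01 08:05:00), "ws01", "svchost.exe -k netsvcs -p -s Schedule", "Qsync.exe --sync",    @"C:\Program Files\Qsync\Qsync.exe",   "aaaa0002",
    // Unsigned file in a user-writable path, scheduled twice: the true positive
    datetime(2025-10-01 09:00:00), "ws02", "svchost.exe -k netsvcs -p -s Schedule", "updater.exe /silent", @"C:\Users\Public\updater.exe",        "aaaa0003",
    datetime(2025-10-01 09:30:00), "ws02", "svchost.exe -k netsvcs -p -s Schedule", "updater.exe /silent", @"C:\Users\Public\updater.exe",        "aaaa0003",
    // Same file started interactively from explorer.exe: not a scheduled task, not counted
    datetime(2025-10-01 10:00:00), "ws03", "explorer.exe",                          "updater.exe /silent", @"C:\Users\Public\updater.exe",        "aaaa0003",
    // Hash with one untrusted and one trusted scan record: max() treats it as trusted
    datetime(2025-10-01 10:30:00), "ws03", "svchost.exe -k netsvcs -p -s Schedule", "agent.exe",           @"C:\ProgramData\agent.exe",           "aaaa0004"
];
// Constructed stand-in for DeviceFileCertificateInfo
let SampleCertInfo = datatable(SHA1:string, IsTrusted:bool, Signer:string)
[
    "aaaa0001", true,  "Microsoft Windows",
    "aaaa0004", false, "Self-signed test certificate",
    "aaaa0004", true,  "Contoso Ltd"
];
let whitelistedBinaries = dynamic(["Qsync.exe"]);
let whitelistedSHA1Hashes = dynamic(["ffff0000"]);   // no match on purpose; shows the hash path is wired in
// Step 1 + 2: scheduled launches minus the whitelist
let scheduled_binaries = SampleProcessEvents
| where InitiatingProcessCommandLine == "svchost.exe -k netsvcs -p -s Schedule"
| where not(ProcessCommandLine has_any (whitelistedBinaries))
| where not(SHA1 has_any (whitelistedSHA1Hashes))
| distinct SHA1;
// Step 3 (certificate part): any trusted record for a hash removes it
let untrusted_binaries = scheduled_binaries
| join kind=leftanti (
    SampleCertInfo
    | summarize max_trusted=max(toint(IsTrusted)) by SHA1
    | where max_trusted == 1
  ) on SHA1;
// Step 5: re-attach the scheduled executions; kind=inner keeps every run so it can be counted
untrusted_binaries
| join kind=inner (
    SampleProcessEvents
    | where InitiatingProcessCommandLine == "svchost.exe -k netsvcs -p -s Schedule"
  ) on SHA1
| summarize arg_max(Timestamp, DeviceName, FolderPath, ProcessCommandLine), Executions=count() by SHA1
```

Only the `updater.exe` hash survives: `sdbinst.exe` is removed by its trusted certificate record, `Qsync.exe` by the file-name whitelist, and `agent.exe` because one of its two certificate records is trusted, which is exactly the case the `max()` aggregation exists for. The interactive `explorer.exe` launch of `updater.exe` is neither used to select the hash nor counted, because both joins are restricted to rows whose parent is the Schedule service host.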

Details

Benjamin Zulliger

Released: October 9, 2025

Tables

- DeviceProcessEvents
- DeviceFileCertificateInfo

Keywords

- ScheduledTasks
- Binaries
- Processes
- DeviceFileCertificateEvents

Operators

- let
- dynamic
- where
- not
- has_any
- distinct
- join
- kind=leftanti
- summarize
- on
- invoke
- arg_max