Scheduled Tasks From App Data Created Or Updated

# Scheduled Tasks from AppData Created or Updated

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1053.005 | Scheduled Task/Job: Scheduled Task | https://attack.mitre.org/techniques/T1053/005/ |

#### Description
This query detects scheduled tasks that are created or updated with executables or scripts located in the `AppData` directory (including `%localappdata%` and `%appdata%`). This is a common technique used by malware and attackers to persist on a system without requiring administrative privileges. OneDrive-related tasks are excluded as a known false positive.

#### Risk
Scheduled tasks pointing to AppData directories are a strong indicator of persistence mechanisms used by malware. Since AppData is user-writable, attackers can plant payloads and schedule them for execution without needing elevated privileges.

#### References
- https://www.thedfirspot.com/post/evil-on-schedule-investigating-malicious-windows-tasks

## Defender XDR
```KQL
let Filters = dynamic(['AppData', '%localappdata%', '%appdata%']);
let Exclusions = dynamic([@'\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe', 'OneDriveLauncher.exe']);
DeviceEvents
| where ActionType in ('ScheduledTaskCreated', 'ScheduledTaskUpdated')
| where AdditionalFields has_any (Filters)
| extend ParsedAdditionalFields = parse_json(AdditionalFields)
| extend ScheduledTaskName = ParsedAdditionalFields.TaskName, Details = parse_json(ParsedAdditionalFields.TaskContent)
| where not(Details has_any (Exclusions))
| project-reorder Timestamp, DeviceName, ActionType, InitiatingProcessAccountUpn, ScheduledTaskName, Details
```

## Sentinel
```KQL
let Filters = dynamic(['AppData', '%localappdata%', '%appdata%']);
let Exclusions = dynamic([@'\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe', 'OneDriveLauncher.exe']);
DeviceEvents
| where ActionType in ('ScheduledTaskCreated', 'ScheduledTaskUpdated')
| where AdditionalFields has_any (Filters)
| extend ParsedAdditionalFields = parse_json(AdditionalFields)
| extend ScheduledTaskName = ParsedAdditionalFields.TaskName, Details = parse_json(ParsedAdditionalFields.TaskContent)
| where not(Details has_any (Exclusions))
| project-reorder TimeGenerated, DeviceName, ActionType, InitiatingProcessAccountUpn, ScheduledTaskName, Details
```

Explanation

This query identifies scheduled tasks that have been created or updated with an executable or script located under the AppData directory. Because AppData is writable by the user, attackers often use it to maintain persistence without administrative privileges. OneDrive's own update and launcher tasks, which legitimately run from AppData, are excluded as known false positives.

Here's a breakdown of what the query does:

  1. Filters and Exclusions: It sets up filters to look for tasks associated with the AppData directory and excludes known benign tasks related to OneDrive.

  2. Data Source: It examines device events, specifically those indicating the creation or update of scheduled tasks.

  3. Task Details: It extracts and parses additional fields to get the task name and content details.

  4. Exclusion of False Positives: It ensures that tasks related to OneDrive are not included in the results.

  5. Output: The query outputs relevant information such as the timestamp, device name, action type, user account, task name, and task details.

Overall, this query helps in detecting potential malicious activities by identifying suspicious scheduled tasks that could indicate malware persistence.
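The following is an added example, not part of the original page or the author's query: it reproduces the KQL logic above in Python over a handful of constructed `DeviceEvents` rows, so the filter, JSON parsing, OneDrive exclusion and projection steps can be traced on concrete input. The sample rows, device names, accounts and task paths are all constructed for this example. The KQL `has_any` operator does term-based, case-insensitive matching; the Python approximates it with a case-insensitive substring test, and the exclusions are written as single-backslash Windows paths, which is how they appear in `TaskContent` after the JSON has been decoded. The `<Command>` extraction is an extra step the query itself does not perform.

```python
import json
import xml.etree.ElementTree as ET

# Mirrors the Filters / Exclusions lists from the KQL query.
FILTERS = ["AppData", "%localappdata%", "%appdata%"]
EXCLUSIONS = ["\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe", "OneDriveLauncher.exe"]

def _row(ts, device, action, upn, task_name, command):
    """Build one constructed DeviceEvents row; AdditionalFields is the raw JSON string
    the query parses, with the task definition carried as XML in TaskContent."""
    xml = f"<Task><Actions><Exec><Command>{command}</Command></Exec></Actions></Task>"
    return {
        "Timestamp": ts, "DeviceName": device, "ActionType": action,
        "InitiatingProcessAccountUpn": upn,
        "AdditionalFields": json.dumps({"TaskName": task_name, "TaskContent": xml}),
    }

# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    # user-writable Roaming path, new task -> should be reported
    _row("2026-03-07T10:15:00Z", "ws01.example.local", "ScheduledTaskCreated",
         "alice@example.local", "\\Updater", "C:\\Users\\alice\\AppData\\Roaming\\svc\\run.exe"),
    # OneDrive updater lives in AppData but is on the exclusion list -> dropped
    _row("2026-03-07T10:16:00Z", "ws01.example.local", "ScheduledTaskUpdated",
         "alice@example.local", "\\OneDrive Standalone Update Task",
         "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe"),
    # system binary outside AppData -> no filter hit
    _row("2026-03-07T10:17:00Z", "ws02.example.local", "ScheduledTaskCreated",
         "SYSTEM", "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "C:\\Windows\\System32\\defrag.exe"),
    # deletion is not an ActionType the query looks at -> ignored
    _row("2026-03-07T10:18:00Z", "ws01.example.local", "ScheduledTaskDeleted",
         "alice@example.local", "\\Updater", "C:\\Users\\alice\\AppData\\Roaming\\svc\\run.exe"),
    # environment-variable form of the path, task modified -> should be reported
    _row("2026-03-07T10:19:00Z", "ws03.example.local", "ScheduledTaskUpdated",
         "bob@example.local", "\\SyncTool", "%LOCALAPPDATA%\\tools\\sync.cmd"),
]

def extract_commands(task_xml):
    """Pull every <Command> value out of a task definition. Tolerates the
    Microsoft task XML namespace by comparing only the local tag name."""
    try:
        root = ET.fromstring(task_xml)
    except ET.ParseError:
        return []
    return [el.text.strip() for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "Command" and el.text]

def task_from_appdata(event, filters=FILTERS, exclusions=EXCLUSIONS):
    """Apply the query's logic to one row; return the projected result or None."""
    # | where ActionType in ('ScheduledTaskCreated', 'ScheduledTaskUpdated')
    if event["ActionType"] not in ("ScheduledTaskCreated", "ScheduledTaskUpdated"):
        return None
    raw = event["AdditionalFields"]
    # | where AdditionalFields has_any (Filters)   (substring approximation of has_any)
    if not any(f.lower() in raw.lower() for f in filters):
        return None
    # | extend ParsedAdditionalFields = parse_json(AdditionalFields)
    fields = json.loads(raw)
    details = fields.get("TaskContent", "")
    # | where not(Details has_any (Exclusions))
    if any(x.lower() in details.lower() for x in exclusions):
        return None
    # | project-reorder Timestamp, DeviceName, ActionType, InitiatingProcessAccountUpn, ...
    return {
        "Timestamp": event["Timestamp"], "DeviceName": event["DeviceName"],
        "ActionType": event["ActionType"],
        "InitiatingProcessAccountUpn": event["InitiatingProcessAccountUpn"],
        "ScheduledTaskName": fields.get("TaskName"), "Details": details,
        "Commands": extract_commands(details),
    }

def run_query(events):
    """Run the detection over a batch of rows and keep only the hits."""
    return [r for r in (task_from_appdata(e) for e in events) if r is not None]

if __name__ == "__main__":
    for hit in run_query(SAMPLE_EVENTS):
        print(hit["DeviceName"], hit["ActionType"], hit["ScheduledTaskName"], hit["Commands"])
```

Running the block prints the two rows the query would return (the Roaming updater and the `%LOCALAPPDATA%` sync task) and silently drops the OneDrive updater, the system-path defrag task and the deletion event. The extracted `Commands` list is useful for triage because it isolates the executable path from the surrounding task XML.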

Details

Bert-Jan Pals

Released: March 7, 2026

Tables

DeviceEvents

Keywords

DeviceEvents

Operators

let, dynamic, in, has_any, extend, parse_json, not, project-reorder