Scheduled Job Creation (f42df6f0-6395-4f0c-9376-525a031f00c3)
The establishment of a task or job that will execute at a predefined time or based on specific triggers.
*Data Collection Measures:*
- Windows Event Logs:
  - Event ID 4698 (Scheduled Task Created) – Detects the creation of new scheduled tasks.
  - Event ID 4702 (Scheduled Task Updated) – Identifies modifications to existing scheduled jobs.
  - Event ID 106 (TaskScheduler Operational Log) – Provides details about scheduled task execution.
- Sysmon (Windows):
  - Event ID 1 (Process Creation) – Detects the execution of suspicious tasks started by `schtasks.exe`, `at.exe`, or `taskeng.exe`.
- Linux/macOS Monitoring:
  - AuditD: Monitor modifications to `/etc/cron*`, `/var/spool/cron/`, and `crontab` files.
  - Syslog: Capture cron job execution logs from `/var/log/cron`.
  - OSQuery: Query the `crontab` and `launchd` tables for scheduled job configurations.
- Endpoint Detection and Response (EDR) Tools:
  - Track scheduled task creation and modification events.
- SIEM & XDR Detection Rules:
  - Monitor for scheduled jobs created by unusual users.
  - Detect tasks executing scripts from non-standard directories.
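The two SIEM rules above (unusual creator, non-standard script directory) and the AuditD cron-file watch can be expressed as a small detection routine over the raw records. The following is an added example, not part of the original page: it parses constructed Windows Security Event ID 4698 fields (SubjectDomainName, SubjectUserName, TaskName, TaskContent) and constructed auditd SYSCALL/PATH lines. The creator allowlist, the directory heuristic, and the `-k cron_change` audit key are assumptions a deployment would replace with its own values.

```python
"""Added example: flag suspicious scheduled-job creations from Windows
Security Event ID 4698 records and from auditd write records on cron paths.
All sample records below are constructed; the allowlist, directory heuristic
and audit key name are assumptions, not values from the page."""
import re
import xml.etree.ElementTree as ET

# Namespace used by the Task Scheduler XML carried in the 4698 TaskContent field.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Assumption: accounts expected to create tasks on this host (constructed allowlist).
EXPECTED_CREATORS = {"CORP\\svc-backup", "CORP\\patch-admin"}

# Heuristic (assumption): directories from which a legitimate task binary rarely runs.
NON_STANDARD_DIRS = re.compile(
    r"(\\users\\[^\\]+\\appdata\\|\\temp\\|\\users\\public\\|%temp%|%appdata%|%public%)",
    re.IGNORECASE,
)

# Cron locations named on the page: /etc/cron* and /var/spool/cron.
CRON_PATHS = re.compile(r"^(/etc/cron[^/]*|/var/spool/cron)(/|$)")


def analyze_4698(event):
    """Return the list of rule names that fire for one 4698 record.

    event: dict with SubjectDomainName, SubjectUserName, TaskName, TaskContent.
    """
    findings = []
    creator = f"{event['SubjectDomainName']}\\{event['SubjectUserName']}"
    if creator not in EXPECTED_CREATORS:
        findings.append("unusual_creator")

    # TaskContent is the task's XML; strip any XML declaration so a str parses cleanly.
    content = re.sub(r"^<\?xml[^>]*\?>", "", event["TaskContent"].strip())
    root = ET.fromstring(content)
    for exec_el in root.findall(".//t:Actions/t:Exec", TASK_NS):
        command = exec_el.findtext("t:Command", default="", namespaces=TASK_NS)
        args = exec_el.findtext("t:Arguments", default="", namespaces=TASK_NS)
        if NON_STANDARD_DIRS.search(f"{command} {args}"):
            findings.append("non_standard_path")
            break
    return findings


def cron_change_from_audit(records):
    """Return the cron paths written in one auditd event (lines sharing a msg id).

    Assumes a watch rule such as `-w /etc/cron.d -p wa -k cron_change`, so the
    SYSCALL record carries key="cron_change"; PARENT path items are ignored.
    """
    syscall = next((r for r in records if r.startswith("type=SYSCALL")), "")
    if 'key="cron_change"' not in syscall:
        return []
    touched = []
    for rec in records:
        if not rec.startswith("type=PATH"):
            continue
        m = re.search(r'name="([^"]+)".*?nametype=(\w+)', rec)
        if m and m.group(2) != "PARENT" and CRON_PATHS.match(m.group(1)):
            touched.append(m.group(1))
    return touched


# Constructed sample: an ordinary user registers a task that runs from AppData\Local\Temp.
SAMPLE_4698_SUSPICIOUS = {
    "SubjectDomainName": "CORP", "SubjectUserName": "jdoe", "TaskName": "\\Updater",
    "TaskContent": (
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        "<Actions Context=\"Author\"><Exec><Command>C:\\Users\\jdoe\\AppData\\Local\\Temp\\u.exe"
        "</Command><Arguments>/s</Arguments></Exec></Actions></Task>"
    ),
}

# Constructed sample: the backup service account registers its normal task.
SAMPLE_4698_BENIGN = {
    "SubjectDomainName": "CORP", "SubjectUserName": "svc-backup", "TaskName": "\\Backup",
    "TaskContent": (
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        "<Actions Context=\"Author\"><Exec><Command>C:\\Program Files\\Backup\\backup.exe"
        "</Command></Exec></Actions></Task>"
    ),
}

# Constructed auditd event: a new file created under /etc/cron.d.
SAMPLE_AUDIT = [
    'type=SYSCALL msg=audit(1700000000.101:912): arch=c000003e syscall=257 success=yes '
    'exit=3 uid=0 comm="vi" exe="/usr/bin/vi" key="cron_change"',
    'type=PATH msg=audit(1700000000.101:912): item=0 name="/etc/cron.d/" inode=1234 nametype=PARENT',
    'type=PATH msg=audit(1700000000.101:912): item=1 name="/etc/cron.d/backup" inode=5678 nametype=CREATE',
]

if __name__ == "__main__":
    print("suspicious:", analyze_4698(SAMPLE_4698_SUSPICIOUS))
    print("benign:", analyze_4698(SAMPLE_4698_BENIGN))
    print("cron change:", cron_change_from_audit(SAMPLE_AUDIT))
```

In a SIEM the same logic maps onto field extractions: the 4698 TaskContent XML is the value to parse for the command path, and the auditd PATH records must be joined to their SYSCALL record by the `msg=audit(...)` identifier before the key can be checked.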