title: Rare Scheduled Task Creations
id: b20f6158-9438-41be-83da-a5a16ac90c2b
status: test
description: This rule detects rare scheduled task creations. Typically software gets installed on multiple systems and not only on a few. The aggregation and count function selects tasks with rare names.
author: Florian Roth
date: 2017/03/17
modified: 2021/12/28
logsource:
  product: windows
  service: taskscheduler
detection:
  selection:
    EventID: 106
  filter1:
    TaskName: \Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan
  timeframe: 7d
  condition: selection and not 1 of filter*
falsepositives:
  - Software installation
level: low
tags:
  - attack.persistence
  - attack.s0111
  - attack.t1053.005