Published Feb 09, 2019 | Updated Oct 28, 2025

Behavior:Win32/SchtaskCreateByFriendly.A

Detected by Microsoft Defender Antivirus

Aliases: No associated aliases

Summary

Behavior:Win32/SchtaskCreateByFriendly.A is a behavioral signature that identifies malicious behavior associated with the creation of scheduled tasks. Detection of this threat does not indicate the existence of malicious software. Instead, it indicates a technique that a range of threats use to establish persistence on the targeted Windows device. By creating a scheduled task, malware can ensure that it runs on Windows startup, on logon, or at a preferred time, and so continues to operate on the targeted devices. More sophisticated threats, such as the QakBot (also known as QBot) banking Trojan and human-operated ransomware such as Ryuk, use this technique to maintain existing access over long periods.

  • Unplug the Ethernet cable or deactivate Wi-Fi to prevent the malware from communicating with its C2 servers and exfiltrating your data.
  • Use the System Configuration tool (msconfig) or your task manager's startup tab to examine all applications set to launch at system boot. Disable any entries that are unrecognized or non-essential.
  • Search common malware drop locations, including %AppData%, %Temp%, and C:\Users\Public\, for recently created or modified files. Permanently delete any unidentified or suspicious binaries, scripts, or DLLs you discover.
  • Open the Windows Task Scheduler and review all listed tasks. Delete any tasks with suspicious names, triggers, or actions.
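
The task review in the last step can be narrowed from the command line. The following is an added example, not Microsoft's own tooling: a read-only PowerShell listing of scheduled tasks whose actions run from the drop locations named above. It assumes the built-in ScheduledTasks module (Windows 8 / Server 2012 or later) and a default profile layout under C:\Users; the `$suspect` pattern is an illustrative choice.

```powershell
# Added example: report scheduled tasks whose action runs from a user-writable
# drop location named on this page (%AppData%, %Temp%, C:\Users\Public\).
# Read-only: nothing is disabled or deleted. Run from an elevated session so
# that tasks registered by other accounts are visible.

# Regex over the action's command line. The two AppData alternatives are the
# expanded forms of %AppData% and %Temp% (assumption: default profile layout).
$suspect = '%AppData%|%Temp%|\\AppData\\Roaming\\|\\AppData\\Local\\Temp\\|\\Users\\Public\\'

$findings = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        # Only "exec" actions have Execute/Arguments; COM handler actions do not.
        if (-not $action.Execute) { continue }

        $commandLine = "$($action.Execute) $($action.Arguments)"
        if ($commandLine -notmatch $suspect) { continue }   # -match ignores case

        $info = $task | Get-ScheduledTaskInfo -ErrorAction SilentlyContinue

        [pscustomobject]@{
            Task        = $task.TaskPath + $task.TaskName
            State       = $task.State
            RunAs       = $task.Principal.UserId
            # CIM class name of each trigger shows whether the task fires at
            # boot, at logon, or on a time schedule.
            Triggers    = ($task.Triggers |
                              ForEach-Object { $_.CimClass.CimClassName }) -join ', '
            LastRun     = $info.LastRunTime
            CommandLine = $commandLine
        }
    }
}

if ($findings) {
    $findings | Sort-Object Task | Format-List
} else {
    'No scheduled task actions reference the listed drop locations.'
}
```

A match is a candidate for manual review, not proof of infection; some legitimate per-user software also registers tasks that run from a profile directory.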

Microsoft Defender Antivirus automatically removes threats as they are detected. However, many infections can leave remnant files and system changes. Updating your antimalware definitions and running a full scan might help address these remnant artifacts. 

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help. 
