Behavior:Win32/Schtasks.A
Aliases: No associated aliases
Summary
This is a detection for suspicious scheduled tasks. These scheduled tasks use legitimate Windows executables, also referred to as living-off-the-land binaries (LOLBins). Malicious scheduled task creation indicates that a threat actor is already present in a network and requires thorough investigation and response.
Read the following blogs for details:
- Analyzing Forest Blizzard’s custom post-compromise tool for exploiting CVE-2022-38028 to obtain credentials
- New TTPs observed in Mint Sandstorm campaign targeting high-profile individuals at universities and research orgs
- Defending new vectors: Threat actors attempt SQL Server to cloud lateral movement
Apply these mitigations to reduce the impact of this threat.
- Restrict the use of the schtasks.exe utility by only allowing privileged users to use it. This can prevent unauthorized users from creating or modifying scheduled tasks.
- Monitor the creation and modification of scheduled tasks to help detect possible malicious activity.
- Control what scripts can be run by the system user to help prevent possible malicious scripts from gaining elevated privileges.
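The second mitigation above, monitoring task creation and modification, is the one that most often surfaces this behavior. The following PowerShell script is an added example written for this entry; it is not Microsoft's code and the Behavior:Win32/Schtasks.A detection itself is not public. It does two things a responder would want when triaging this alert: it inventories registered scheduled tasks whose action launches a living-off-the-land binary and flags arguments that look like hidden or encoded execution, and it pulls recent task-creation (4698) and task-update (4702) events from the Security log. The watch list of binaries and the argument patterns are constructed for the example; reading the Security log requires an elevated session, and 4698/4702 are only written when the "Audit Other Object Access Events" subcategory is enabled.

```powershell
# Added example, not part of the original encyclopedia entry.
# Assumes Windows 10 / Server 2016 or later with the ScheduledTasks module, and an
# elevated session for the Security log query.

# Constructed watch list: built-in Windows executables commonly used by tasks to
# launch scripts or second-stage payloads (LOLBins). Extend to taste.
$LolBins = @('powershell.exe','pwsh.exe','cmd.exe','wscript.exe','cscript.exe',
             'mshta.exe','rundll32.exe','regsvr32.exe','certutil.exe','bitsadmin.exe',
             'msiexec.exe','schtasks.exe')

# Constructed argument patterns worth a second look: encoded commands, hidden
# windows, policy bypass, in-memory download, or a UNC path as the payload source.
$SuspiciousArgs = '-enc|-encodedcommand|-w(indowstyle)?\s+hidden|-nop|bypass|downloadstring|https?://|javascript:|\\\\'

function Get-SuspiciousScheduledTask {
    [CmdletBinding()]
    param()

    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # Only Exec actions carry Execute/Arguments; COM-handler actions do not.
            if (-not $action.Execute) { continue }

            $exe = [System.IO.Path]::GetFileName($action.Execute.Trim('"')).ToLowerInvariant()
            $argString = [string]$action.Arguments

            if ($LolBins -contains $exe) {
                [pscustomobject]@{
                    TaskPath  = $task.TaskPath
                    TaskName  = $task.TaskName
                    Author    = $task.Author
                    Principal = $task.Principal.UserId
                    RunLevel  = $task.Principal.RunLevel     # Highest = runs elevated
                    Execute   = $action.Execute
                    Arguments = $argString
                    ArgsFlag  = [bool]($argString -match $SuspiciousArgs)
                    State     = $task.State
                }
            }
        }
    }
}

function Get-RecentTaskCreationEvent {
    [CmdletBinding()]
    param([int]$Hours = 24)

    # Security log: 4698 = scheduled task created, 4702 = scheduled task updated.
    $filter = @{ LogName = 'Security'; Id = 4698, 4702; StartTime = (Get-Date).AddHours(-$Hours) }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $p = $_.Properties
        # Property order for 4698/4702: SubjectUserSid, SubjectUserName,
        # SubjectDomainName, SubjectLogonId, TaskName, TaskContent (task XML).
        $xml = [string]$p[5].Value
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            EventId     = $_.Id
            User        = "$($p[2].Value)\$($p[1].Value)"
            TaskName    = $p[4].Value
            Command     = ([regex]::Match($xml, '(?s)<Command>(.*?)</Command>')).Groups[1].Value
            Arguments   = ([regex]::Match($xml, '(?s)<Arguments>(.*?)</Arguments>')).Groups[1].Value
        }
    }
}

# Usage: tasks that launch a LOLBin with suspicious arguments, then the last day of
# task creation/update audit events for cross-reference.
Get-SuspiciousScheduledTask | Where-Object ArgsFlag | Format-Table -AutoSize
Get-RecentTaskCreationEvent -Hours 24 | Format-Table -AutoSize
```

Two points when reading the output: a task whose principal runs with `RunLevel` Highest or as SYSTEM and whose action is a scripting host maps directly to the third mitigation above, and a 4698 event whose creator is an ordinary user account is the signal the first mitigation is meant to remove.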