title: Scheduled Task Creation status: experimental description: Detects the creation of scheduled tasks in user session author: Florian Roth logsource: product: windows service: sysmon detection: selection: EventID: 1 Image: '*\schtasks.exe' CommandLine: '* /create *' filter: User: 'NT AUTHORITY\SYSTEM' condition: selection and not filter fields: - CommandLine - ParentCommandLine falsepositives: - Administrative activity - Software installation level: low