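# Elastic-style detection rule. Field names are ECS; the query language is EQL.

[metadata]
# Rule-repository convention: dates are "YYYY/MM/DD" strings, not TOML date values.
creation_date = "2025/01/15"
updated_date = "2025/06/01"
maturity = "production"

[rule]
author = ["Test Author"]
description = "Detects the creation of a scheduled task via schtasks.exe, which is commonly used by adversaries for persistence."
name = "Scheduled Task Created via Schtasks"
severity = "medium"
type = "eql"
language = "eql"
# Literal multi-line string: the "\\" sequences reach EQL untouched, and EQL
# decodes each one to a single backslash in the path patterns.
#
# event.type == "start": a process-category event is emitted on creation and,
# on sources that report it, again on termination with the same process.args;
# without this constraint one task creation can raise two alerts.
#
# process.pe.original_file_name: matches the binary by its embedded name as well
# as its on-disk name, so a copied or renamed schtasks.exe is still covered.
#
# Parent-path exclusion: suppresses installers and updaters launched from
# Program Files. It is a path allowlist, not a signature or provenance check,
# and holds only as long as those directories remain admin-writable.
query = '''
process where event.type == "start" and
  (process.name : "schtasks.exe" or process.pe.original_file_name : "schtasks.exe") and
  process.args : ("/create", "-create") and
  process.args : ("/sc", "-sc") and
  not process.parent.executable : ("C:\\Program Files\\*", "C:\\Program Files (x86)\\*")
'''
# 47 is the risk score conventionally paired with severity = "medium"; change both together.
risk_score = 47
rule_id = "test-elastic-001"
tags = ["Persistence", "Windows"]

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1053"
name = "Scheduled Task/Job"
reference = "https://attack.mitre.org/techniques/T1053/"

[[rule.threat.technique.subtechnique]]
id = "T1053.005"
name = "Scheduled Task"
reference = "https://attack.mitre.org/techniques/T1053/005/"

# Tactic for the current [[rule.threat]] element; placed after its techniques
# per the rule-repository layout.
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"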