AN0943: Analytic 0943
Detects creation of scheduled tasks via `at.exe` or WMI `Win32_ScheduledJob` class, followed by execution of anomalous processes by svchost.exe or taskeng.exe.
Analyst context for executives and security teams
AN0943 is a Windows detection analytic focused on suspicious scheduled job creation using at.exe or the WMI Win32_ScheduledJob class, followed by unusual process execution from svchost.exe or taskeng.exe. For leaders, the practical value is validating whether the organization can see scheduled-job based execution paths that may bypass normal user-driven process patterns and complicate incident timelines.
Executive priority
Prioritize this as a coverage-validation item for Windows monitoring and incident readiness. The business question is not whether this analytic alone proves malicious activity, but whether SOC and IR teams can reconstruct who created a scheduled job, how it was created, and what process later executed. This supports operational resilience, audit evidence, and faster containment decisions when scheduled execution is involved.
Technical view
SOC and detection teams should validate Windows telemetry for creation of scheduled tasks or jobs through at.exe and WMI Win32_ScheduledJob, then correlate that activity with subsequent child or related process execution by svchost.exe or taskeng.exe. Because the ATT&CK object provides no tactic mapping, no relationship context, and no formal detection logic, implementation should be treated as a behavioral correlation analytic rather than a standalone alert rule.
Likely telemetry
- Windows process creation events for at.exe, svchost.exe, taskeng.exe, and anomalous child processes
- Command-line arguments for process creation where available
- WMI activity involving the Win32_ScheduledJob class
- Scheduled job or scheduled task creation records
- Parent-child process relationship data
Detection direction
- Confirm that process creation logging captures command line, parent process, user, and host context on Windows systems.
- Validate visibility into WMI-based scheduled job creation, specifically use of the Win32_ScheduledJob class.
- Correlate scheduled job creation via at.exe or WMI with later execution from svchost.exe or taskeng.exe rather than alerting only on one event in isolation.
- Tune for expected administrative or legacy automation activity to reduce false positives.
- Investigate anomalous processes launched by svchost.exe or taskeng.exe based on rarity, path, signer, user context, timing, and business role of the host.
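The correlation the steps above describe, as an added example that is not part of the ATT&CK object or Glexia's analysis: constructed Sysmon-style process-creation and WMI records are scanned for `at.exe` or `Win32_ScheduledJob` job creation, and each later `svchost.exe`/`taskeng.exe` child running from an unexpected directory is paired with a prior creation on the same host. The correlation window, the expected-directory list and the event field names are assumptions standing in for local engineering decisions.

```python
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Local engineering choices (assumptions, not from the analytic): correlation window and
# the directories from which svchost/taskeng children are expected; anything else is anomalous.
WINDOW = timedelta(hours=12)
EXPECTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\program files")
SCHEDULER_PARENTS = {"svchost.exe", "taskeng.exe"}

def _name(path):
    return PureWindowsPath(path).name.lower()

def is_job_creation(ev):
    """at.exe process creation, or a WMI operation on the Win32_ScheduledJob class."""
    if ev["kind"] == "proc":
        return _name(ev["image"]) == "at.exe"
    return ev["kind"] == "wmi" and "win32_scheduledjob" in ev["detail"].lower()

def is_anomalous_child(ev):
    """Process spawned by svchost.exe/taskeng.exe from outside the expected directories."""
    if ev["kind"] != "proc" or _name(ev["parent"]) not in SCHEDULER_PARENTS:
        return False
    return not ev["image"].lower().startswith(EXPECTED_DIRS)

def correlate(events):
    """Pair each anomalous child with the most recent prior job creation on the same host."""
    creations, alerts = [], []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if is_job_creation(ev):
            creations.append((ts, ev))
        elif is_anomalous_child(ev):
            for cts, cev in reversed(creations):      # newest creation first
                if cev["host"] == ev["host"] and ts - cts <= WINDOW:
                    alerts.append({"host": ev["host"], "created_by": cev["user"], "via": _name(ev["parent"]),
                                   "creation": cev.get("image") or cev["detail"], "ran": ev["image"]})
                    break
    return alerts

# Constructed sample telemetry for this example (not real host data); ts is ISO-8601.
S32 = r"C:\Windows\System32"
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "host": "WS01", "user": r"CORP\jdoe", "kind": "proc", "image": S32 + r"\at.exe", "parent": S32 + r"\cmd.exe"},
    {"ts": "2024-05-01T09:05:02", "host": "WS01", "user": "SYSTEM", "kind": "proc", "image": r"C:\Users\Public\update.exe", "parent": S32 + r"\taskeng.exe"},
    {"ts": "2024-05-01T10:00:00", "host": "WS02", "user": r"CORP\opsadmin", "kind": "wmi", "detail": "IWbemServices::ExecMethod Win32_ScheduledJob.Create"},
    {"ts": "2024-05-01T10:01:10", "host": "WS02", "user": "SYSTEM", "kind": "proc", "image": S32 + r"\wbem\WmiPrvSE.exe", "parent": S32 + r"\svchost.exe"},  # expected path
    {"ts": "2024-05-01T10:02:00", "host": "WS02", "user": "SYSTEM", "kind": "proc", "image": r"C:\ProgramData\tmp\svc.exe", "parent": S32 + r"\svchost.exe"},
    {"ts": "2024-05-01T14:00:00", "host": "WS03", "user": "SYSTEM", "kind": "proc", "image": r"C:\Temp\run.exe", "parent": S32 + r"\taskeng.exe"},  # no prior creation
]
```

Running `correlate(EVENTS)` yields two alerts (WS01 via taskeng.exe, WS02 via svchost.exe); the WS03 child is ignored because no creation preceded it, which is the isolated-event case the third step above warns against alerting on.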
Mitigation priorities
- Inventory legitimate use of at.exe, WMI scheduled jobs, and scheduled-task automation on Windows systems.
- Restrict or monitor administrative mechanisms that create scheduled jobs where business use is limited.
- Ensure endpoint logging and retention are sufficient to connect job creation with later process execution.
- Use least privilege and administrative access governance to reduce unnecessary ability to create scheduled jobs.
- Create incident response playbooks that preserve scheduled job definitions, process lineage, user context, and relevant host artifacts.
Analyst notes and limits
This object is a detection analytic, not a technique description. It is specific to Windows and describes a correlation between scheduled job creation mechanisms and anomalous execution by svchost.exe or taskeng.exe. No ATT&CK tactics, relationships, aliases, or official detection logic were supplied, so local engineering decisions must define anomaly criteria and correlation windows.
The supplied ATT&CK fields do not include detection pseudocode, data source mappings, tactic mappings, related techniques, mitigations, or evidence of exploitation. Coverage and risk should be assessed against local Windows logging, WMI visibility, scheduled task telemetry, and known administrative automation patterns.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table lists the same object across releases (bundle hashes and MITRE timestamps) so versions can be compared. For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 4add6a3f4c54… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0943 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.