AN1221: Analytic 1221
Detects the creation, modification, or deletion of scheduled tasks through Task Scheduler, WMI, PowerShell, or API-based methods followed by execution from svchost.exe or taskeng.exe. Includes detection of hidden or anomalous scheduled tasks, especially those created under SYSTEM or suspicious user contexts.
Analyst context for executives and security teams
AN1221 is a Windows detection analytic focused on suspicious scheduled task changes and execution. For leaders, this matters because scheduled tasks are a common place where unauthorized or poorly governed automation can persist, run with elevated context, or hide in normal operations. The business value is not just detecting a task being created; it is validating whether the organization can see changes to Windows task scheduling mechanisms and quickly distinguish approved administration from anomalous activity.
Executive priority
Prioritize this analytic where Windows systems support critical business services, privileged administration, or compliance-sensitive workloads. Ask whether SOC and IR teams can prove visibility into scheduled task creation, modification, deletion, hidden tasks, and execution under SYSTEM or unusual user contexts. This is also useful audit evidence for control monitoring: it demonstrates whether changes to automated execution paths are observable and reviewable, rather than relying only on endpoint prevention.
Technical view
Validate Windows telemetry for scheduled task creation, modification, deletion, and subsequent execution from svchost.exe or taskeng.exe. The supplied description explicitly includes Task Scheduler, WMI, PowerShell, and API-based methods, so detection engineering should not rely on only one command-line pattern. Because no official detection logic is provided, teams should build and test local analytics around task lifecycle events, execution parent/process context, hidden or anomalous task attributes, SYSTEM-created tasks, and suspicious user contexts.
Likely telemetry
- Windows scheduled task creation, modification, and deletion events
- Process execution telemetry for svchost.exe and taskeng.exe
- PowerShell activity related to scheduled task management
- WMI activity related to scheduled task management
- Task Scheduler operational logs or equivalent endpoint telemetry
Detection direction
- Confirm collection covers Task Scheduler, WMI, PowerShell, and API-based scheduled task changes, not only interactive administrative tools.
- Correlate task lifecycle changes with execution from svchost.exe or taskeng.exe as described by the analytic.
- Tune for approved administrative automation, software deployment, backup agents, and maintenance tasks to reduce false positives.
- Review tasks created under SYSTEM or unusual user contexts, especially when task names, paths, or visibility appear anomalous.
- Because tactics and official detection logic are not supplied, map this analytic to local use cases and test against benign administrative baselines before treating alerts as high confidence.
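The detection direction above can be exercised as a small correlation rule. The following Python sketch is an added example, not MITRE's or Glexia's code and not the analytic's official logic: it joins scheduled task lifecycle events with later process starts whose parent is svchost.exe or taskeng.exe, scores the hidden, SYSTEM and anomalous-path attributes the analytic calls out, and suppresses tasks that match an approved-task inventory. It assumes events already parsed into dicts as a SIEM would emit them; the Security audit IDs 4698, 4702 and 4699 (task created, updated, deleted) and the Sysmon-style process-creation record are standard Windows sources rather than anything this page specifies, and the approved-task baseline and sample records are constructed for the illustration.

```python
"""Correlate scheduled task lifecycle events with scheduler-spawned execution.

Added example, not MITRE or Glexia code. Assumes pre-parsed event dicts; the
event IDs are the standard Windows Security audit IDs for task create/update/
delete plus a Sysmon-style process-creation record. Baseline and sample
records below are constructed.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

TASK_CREATED, TASK_UPDATED, TASK_DELETED, PROCESS_CREATE = 4698, 4702, 4699, 1
LIFECYCLE = {TASK_CREATED: "created", TASK_UPDATED: "modified", TASK_DELETED: "deleted"}
SCHEDULER_PARENTS = {"svchost.exe", "taskeng.exe"}
SYSTEM_IDS = {"S-1-5-18", "SYSTEM", "NT AUTHORITY\\SYSTEM"}
USER_WRITABLE = ("\\temp\\", "\\appdata\\", "\\programdata\\", "\\users\\public\\")
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
EXEC_WINDOW = timedelta(minutes=15)
# Hypothetical inventory of approved tasks (the ownership model the page recommends).
APPROVED_TASKS = {"\\Corp\\BackupAgent", "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"}


def parse_task_content(xml_text):
    """Extract Hidden, run-as principal and Exec commands from task XML."""
    info = {"hidden": False, "run_as": None, "commands": []}
    if not xml_text:
        return info  # deletion events carry no task body
    # The Security log embeds a UTF-16 declaration; drop it before parsing a str.
    xml_text = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text)
    root = ET.fromstring(xml_text)
    hidden = root.find(".//t:Settings/t:Hidden", TASK_NS)
    info["hidden"] = hidden is not None and (hidden.text or "").strip().lower() == "true"
    uid = root.find(".//t:Principal/t:UserId", TASK_NS)
    info["run_as"] = uid.text.strip() if uid is not None and uid.text else None
    info["commands"] = [c.text.strip() for c in root.findall(".//t:Exec/t:Command", TASK_NS) if c.text]
    return info


def task_indicators(event, content):
    """Attribute-based indicators for one lifecycle event."""
    ind = []
    if event["task_name"] not in APPROVED_TASKS:
        ind.append("not_in_inventory")
    if content["hidden"]:
        ind.append("hidden_task")
    if (content["run_as"] or "").upper() in SYSTEM_IDS:
        ind.append("runs_as_system")
    if event["subject_user"].upper() in SYSTEM_IDS:
        ind.append("subject_is_system")
    if any(p in c.lower() for c in content["commands"] for p in USER_WRITABLE):
        ind.append("user_writable_path")
    return ind


def correlate(events):
    """Return alerts for lifecycle events, with indicators and scheduler-spawned executions."""
    procs = [e for e in events if e["event_id"] == PROCESS_CREATE]
    alerts = []
    for t in events:
        if t["event_id"] not in LIFECYCLE:
            continue
        content = parse_task_content(t.get("task_content"))
        ind = task_indicators(t, content)
        cmds = {c.lower() for c in content["commands"]}
        executed = [
            p for p in procs
            if p["parent_image"].lower().rsplit("\\", 1)[-1] in SCHEDULER_PARENTS
            and t["time"] <= p["time"] <= t["time"] + EXEC_WINDOW
            and p["image"].lower() in cmds
        ]
        if executed:
            ind.append("executed_via_scheduler")
        strong = {"hidden_task", "user_writable_path"} & set(ind)
        system = {"runs_as_system", "subject_is_system"} & set(ind)
        if t["task_name"] in APPROVED_TASKS and not strong:
            continue  # tuned out: approved task with expected attributes
        sev = "high" if executed and (strong or system) else "medium" if (strong or system) else "low"
        alerts.append({"task": t["task_name"], "action": LIFECYCLE[t["event_id"]], "severity": sev,
                       "indicators": ind, "executions": [p["image"] for p in executed]})
    return alerts


T0 = datetime(2026, 1, 15, 9, 0)
HIDDEN_TASK_XML = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Settings><Hidden>true</Hidden></Settings>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\\Users\\Public\\upd.exe</Command></Exec></Actions>
</Task>"""
BACKUP_TASK_XML = HIDDEN_TASK_XML.replace("<Hidden>true</Hidden>", "<Hidden>false</Hidden>") \
    .replace("C:\\Users\\Public\\upd.exe", "C:\\Program Files\\Backup\\agent.exe")

SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"event_id": 4698, "time": T0, "task_name": "\\Corp\\BackupAgent",
     "subject_user": "CORP\\svc_backup", "task_content": BACKUP_TASK_XML},
    {"event_id": 1, "time": T0 + timedelta(minutes=1), "image": "C:\\Program Files\\Backup\\agent.exe",
     "parent_image": "C:\\Windows\\System32\\taskeng.exe"},
    {"event_id": 4698, "time": T0 + timedelta(hours=1), "task_name": "\\Updater",
     "subject_user": "NT AUTHORITY\\SYSTEM", "task_content": HIDDEN_TASK_XML},
    {"event_id": 1, "time": T0 + timedelta(hours=1, minutes=2), "image": "C:\\Users\\Public\\upd.exe",
     "parent_image": "C:\\Windows\\System32\\svchost.exe"},
    {"event_id": 4699, "time": T0 + timedelta(hours=1, minutes=5), "task_name": "\\Updater",
     "subject_user": "NT AUTHORITY\\SYSTEM", "task_content": None},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample the approved backup task is suppressed even though it runs as SYSTEM, the hidden \Updater task is raised as high because its user-writable command is started by svchost.exe within the window, and the later SYSTEM-initiated deletion of that task is raised as medium. The inventory check and the execution window are the two knobs a team would tune against its own administrative baseline before treating alerts as high confidence.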
Mitigation priorities
- Establish an inventory and ownership model for authorized Windows scheduled tasks on important systems.
- Restrict who can create or modify scheduled tasks, especially tasks running with elevated or SYSTEM context.
- Monitor and review changes to scheduled tasks as part of privileged activity oversight and change management.
- Ensure incident response playbooks include scheduled task review, task execution context, and removal/containment decision points.
- Use the analytic as compliance-supporting evidence only after confirming telemetry retention, alert review, and exception handling are documented.
Analyst notes and limits
This object is a detection analytic, not a technique entry. It is scoped to Windows and describes suspicious scheduled task lifecycle activity followed by execution from svchost.exe or taskeng.exe. Relationship context, tactics, aliases, and official detection logic were not supplied, so this analysis focuses on validation and operationalization rather than ATT&CK mapping or specific rule syntax.
The official detection field is not provided, and no relationships were supplied. This means there is no MITRE-provided query, data component list, tactic mapping, adversary relationship, or mitigation relationship to rely on here. Local endpoint logging, EDR visibility, administrative baselines, and change-management context are required to determine alert quality and business priority.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources (Updates) page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 38ec23db7311… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN1221 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.