Rule Info
Name
Potentially Suspicious Usage of Win32 ScheduledJob WMI Class
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects potential abuse of the Win32_ScheduledJob WMI class for creating or removing scheduled jobs.
This WMI class, which is disabled by default for security reasons, manages AT.exe command-based scheduled jobs.
Threat actors can exploit this class to execute malicious code at predetermined times or remove jobs to evade detection.
The use of this WMI class instead of conventional scheduling methods may indicate suspicious activity.
Date
2026-01-27 00:00:00
Modified
None
Id
5d214e9a-d61c-4759-a6e2-d7aa5b95c7e7
Tags
attack.persistence attack.execution attack.privilege-escalation attack.t1053.002
Type
Nextron Sigma feed only (private)
