drop windows task xml files · parse triggers actions principals · flag suspicious tasks · persistence detection · runs locally
task xml
Drop task XML files
System32\Tasks\*.xml · multiple ok
heuristic scoring 0–10 per task · overall risk 0–100 from worst task · encoded PowerShell decoded when detected