while it is possible for legitimate scripts or administrators to trigger this behavior, filtering can be applied based on the parent process and application to reduce false positives. analysts should reference the provided references to understand the context and threat landscape associated with this activity.

Techniques

T1053.005

Sample rules

Scheduled Task Deleted Or Created via CMD

source: splunk
technicques:
- T1053.005

Description

The following analytic detects the creation or deletion of scheduled tasks via schtasks.exe when invoked with create or delete flags, specifically focusing on those executions where the process includes additional parameters such as /tr, /sc, or /ru. The detection uses Endpoint Detection and Response (EDR) telemetry mapped to the Endpoint data model, and filters out events originating from trusted system paths like C:\Windows\System32 or C:\Program Files. It further narrows results to cases where schtasks.exe is launched by potentially suspicious parent processes such as cmd.exe, wscript.exe, or cscript.exe, and excludes service accounts. This behavior may indicate adversary efforts to gain persistence or evade detection by manipulating scheduled tasks using scripts or command shells. If confirmed malicious, such activity could lead to unauthorized code execution or the removal of monitoring mechanisms on endpoints.

Detection logic


| tstats `security_content_summariesonly`
    count
    min(_time) as firstTime
    max(_time) as lastTime
FROM datamodel=Endpoint.Processes WHERE

Processes.parent_process_name="cmd.exe"
Processes.process_name="schtasks.exe"
Processes.process IN (
    "*/create*",
    "*-create*",
    "*/delete*",
    "*-delete*"
)
NOT Processes.process IN (
    "* \"C:\\Program Files (x86)\\*",
    "* \"C:\\Program Files\\*",
    "* \"C:\\Windows\\System32\\*",
    "* \"C:\\Windows\\SysWOW64\\*",
    "* C:\\Program Files (x86)\\*",
    "* C:\\Program Files\\*",
    "* C:\\Windows\\System32\\*",
    "* C:\\Windows\\SysWOW64\\*"
)
NOT Processes.user="*$"

BY Processes.action Processes.dest Processes.original_file_name
   Processes.parent_process Processes.parent_process_exec
   Processes.parent_process_guid Processes.parent_process_id
   Processes.parent_process_name Processes.parent_process_path
   Processes.process Processes.process_exec Processes.process_guid
   Processes.process_hash Processes.process_id Processes.process_integrity_level
   Processes.process_name Processes.process_path Processes.user
   Processes.user_id Processes.vendor_product


| `drop_dm_object_name(Processes)`

| `security_content_ctime(firstTime)`

| `security_content_ctime(lastTime)`

| `scheduled_task_deleted_or_created_via_cmd_filter`