Detecting Malicious Scheduled Tasks with Sysmon — API Reference

Relevant Event IDs

Event ID	Source	Description
1	Sysmon	Process Create — captures schtasks.exe with full command line
11	Sysmon	File Create — task XML written to System32\Tasks
12/13	Sysmon	Registry Create/Set — task registry modifications
4698	Security	Scheduled task registered (includes task XML content)
4702	Security	Scheduled task updated
4699	Security	Scheduled task deleted

schtasks.exe Suspicious Flags

Flag	Description	Detection Value
`/create`	Create new task	Baseline detection
`/s <host>`	Remote system target	Lateral movement indicator
`/ru SYSTEM`	Run as SYSTEM	Privilege escalation
`/sc onstart`	Run at system boot	Persistence
`/tr "powershell -enc"`	Encoded PowerShell payload	Obfuscation
`/tn \Microsoft\Windows\*`	Masquerade as Microsoft task	Evasion

Splunk Detection Queries

index=sysmon EventCode=1 Image="*\\schtasks.exe" CommandLine="*/create*"
| eval suspicious=if(match(CommandLine,"(?i)(\\\\users\\\\public|\\\\temp\\\\|\\-enc)"),"YES","NO")
| where suspicious="YES"

index=wineventlog EventCode=4698
| spath input=TaskContent
| search Command="*powershell*" OR Command="*cmd.exe*"

Sysmon Configuration (Task Monitoring)

<RuleGroup groupRelation="or">
  <ProcessCreate onmatch="include">
    <Image condition="end with">schtasks.exe</Image>
    <Image condition="end with">at.exe</Image>
  </ProcessCreate>
  <FileCreate onmatch="include">
    <TargetFilename condition="contains">\Windows\System32\Tasks\</TargetFilename>
  </FileCreate>
</RuleGroup>

MITRE ATT&CK

Technique	ID	Description
Scheduled Task/Job	T1053.005	Create/modify scheduled tasks for persistence
Lateral Movement	T1021	Remote task creation via schtasks /s

2.3 KiB Raw Blame History

Detecting Malicious Scheduled Tasks with Sysmon — API Reference

Relevant Event IDs

schtasks.exe Suspicious Flags

Splunk Detection Queries

Sysmon Configuration (Task Monitoring)

MITRE ATT&CK

External References

2.3 KiB

Raw Blame History