Name:Scheduled Task Deleted Or Created via CMD id:d5af132c-7c17-439c-9d31-13d55340f36c version:26 date:2026-03-26 author:Bhavin Patel, Splunk status:production type:Anomaly Description:The following analytic detects the creation or deletion of scheduled tasks via schtasks.exe when invoked with create or delete flags, specifically focusing on those executions where the process includes additional parameters such as /tr, /sc, or /ru. The detection uses Endpoint Detection and Response (EDR) telemetry mapped to the Endpoint data model, and filters out events originating from trusted system paths like C:\Windows\System32 or C:\Program Files. It further narrows results to cases where schtasks.exe is launched by potentially suspicious parent processes such as cmd.exe, wscript.exe, or cscript.exe, and excludes service accounts. This behavior may indicate adversary efforts to gain persistence or evade detection by manipulating scheduled tasks using scripts or command shells. If confirmed malicious, such activity could lead to unauthorized code execution or the removal of monitoring mechanisms on endpoints. Data_source:
-Sysmon EventID 1
-Windows Event Log Security 4688
-CrowdStrike ProcessRollup2
search:| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes WHERE
Processes.parent_process_name="cmd.exe" Processes.process_name="schtasks.exe" Processes.process IN ( "*/create*", "*-create*", "*/delete*", "*-delete*" ) NOT Processes.process IN ( "* \"C:\\Program Files (x86)\\*", "* \"C:\\Program Files\\*", "* \"C:\\Windows\\System32\\*", "* \"C:\\Windows\\SysWOW64\\*", "* C:\\Program Files (x86)\\*", "* C:\\Program Files\\*", "* C:\\Windows\\System32\\*", "* C:\\Windows\\SysWOW64\\*" ) NOT Processes.user="*$"
how_to_implement:The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives:While it is possible for legitimate scripts or administrators to trigger this behavior, filtering can be applied based on the parent process and application to reduce false positives.
Analysts should reference the provided references to understand the context and threat landscape associated with this activity. References: -https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/ -https://www.joesandbox.com/analysis/691823/0/html -https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-delete -https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create drilldown_searches: name:'View the detection results for - "$dest$" and "$user$"' search:'%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$dest$" and "$user$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'SolarWinds WHD RCE Post Exploitation' - 'ShrinkLocker' - 'AgentTesla' - 'CISA AA24-241A' - 'Winter Vivern' - 'Quasar RAT' - 'Rhysida Ransomware' - 'Sandworm Tools' - 'DarkCrystal RAT' - 'Qakbot' - 'China-Nexus Threat Activity' - 'XWorm' - 'CISA AA23-347A' - 'Azorult' - 'Living Off The Land' - 'Salt Typhoon' - 'Trickbot' - 'NOBELIUM Group' - 'CISA AA22-257A' - 'Medusa Ransomware' - 'Phemedrone Stealer' - 'NjRAT' - 'DHS Report TA18-074A' - 'Scheduled Tasks' - 'Prestige Ransomware' - 'Amadey' - 'AsyncRAT' - 'RedLine Stealer' - 'Windows Persistence Techniques' - 'MoonPeak' - 'Scattered Spider' - '0bj3ctivity Stealer' - 'APT37 Rustonotto and FadeStealer' - 'Lokibot' - 'NetSupport RMM Tool Abuse' - 'ValleyRAT' - 'PlugX' - 'Remcos' asset_type:Endpoint mitre_attack_id: - 'T1053.005' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' security_domain:endpoint
