T1053.005

Scheduled Task

Execution Persistence Privilege Escalation

Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. Attackers use schtasks.exe, the Task Scheduler GUI, .NET wrappers, WMI (via Win32_ScheduledJob or PS_ScheduledTask), or direct registry manipulation to create, modify, or delete scheduled tasks. Tasks can run under any account context including SYSTEM, enabling privilege escalation. Adversaries also create hidden tasks by deleting the Security Descriptor (SD) registry value, making tasks invisible to standard enumeration tools.

Microsoft Sentinel / Defender

kusto

let SuspiciousTaskPatterns = dynamic([
  "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
  "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
  "bitsadmin.exe", "msbuild.exe", "wmic.exe", "msiexec.exe"
]);
let SuspiciousLocations = dynamic([
  "\\AppData\\", "\\Temp\\", "\\ProgramData\\", "\\Public\\",
  "\\Users\\Default\\", "%temp%", "%appdata%", "%public%"
]);
let SuspiciousSchtasksArgs = dynamic([
  "/sc onlogon", "/sc onstart", "/sc onstartup", "/ru system",
  "/ru \"system\"", "http://", "https://", "\\\\\\\\" 
]);
// Branch 1: schtasks.exe process creation with suspicious patterns
let SchtasksExecution = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "schtasks.exe"
| where ProcessCommandLine has_any ("/create", "/change")
| extend HasSuspiciousLoc = ProcessCommandLine has_any (SuspiciousLocations)
| extend HasSuspiciousBin = ProcessCommandLine has_any (SuspiciousTaskPatterns)
| extend RunAsSystem = ProcessCommandLine has_any ("/ru system", "/ru \"SYSTEM\"", "/ru \"NT AUTHORITY\\SYSTEM\"")
| extend RemoteTask = ProcessCommandLine has "/s "
| extend OnLogonTrigger = ProcessCommandLine has_any ("/sc onlogon", "/sc onstartup", "/sc onstart")
| extend HighFreqTrigger = ProcessCommandLine has_any ("/sc minute", "/sc hourly")
| extend SuspicionScore = toint(HasSuspiciousLoc) + toint(HasSuspiciousBin) + toint(RunAsSystem) + toint(RemoteTask) + toint(OnLogonTrigger) + toint(HighFreqTrigger)
| where SuspicionScore > 0
| extend DetectionSource = "schtasks_process"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         HasSuspiciousLoc, HasSuspiciousBin, RunAsSystem, RemoteTask,
         OnLogonTrigger, HighFreqTrigger, SuspicionScore, DetectionSource;
// Branch 2: Suspicious parent processes spawning schtasks
let SuspiciousParentSchtasks = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "schtasks.exe"
| where InitiatingProcessFileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
         "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "msiexec.exe",
         "wmic.exe", "explorer.exe", "winword.exe", "excel.exe", "outlook.exe",
         "acrord32.exe", "msedge.exe", "chrome.exe", "firefox.exe")
| extend SuspicionScore = 2
| extend DetectionSource = "suspicious_parent"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         HasSuspiciousLoc=false, HasSuspiciousBin=false, RunAsSystem=false,
         RemoteTask=false, OnLogonTrigger=false, HighFreqTrigger=false,
         SuspicionScore, DetectionSource;
// Branch 3: Task Scheduler registry writes to suspicious paths
let RegistryTaskCreation = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\"
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| where InitiatingProcessFileName !in~ ("svchost.exe", "taskeng.exe", "taskhostw.exe", "TaskScheduler")
| extend SuspicionScore = 1
| extend DetectionSource = "registry_task"
| project Timestamp=Timestamp, DeviceName, AccountName=InitiatingProcessAccountName,
         FileName=InitiatingProcessFileName,
         ProcessCommandLine=InitiatingProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         HasSuspiciousLoc=false, HasSuspiciousBin=false, RunAsSystem=false,
         RemoteTask=false, OnLogonTrigger=false, HighFreqTrigger=false,
         SuspicionScore, DetectionSource;
union SchtasksExecution, SuspiciousParentSchtasks, RegistryTaskCreation
| sort by Timestamp desc

high severity high confidence

Data Sources

Process: Process Creation Registry: Registry Key Creation Registry: Registry Value Modification Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceRegistryEvents

False Positives

Software installers and patch management tools (SCCM, Intune, PDQ Deploy) that create scheduled tasks as part of software deployment workflows
Legitimate IT automation and monitoring agents (SolarWinds, Nagios, Datadog, Ansible) that create or modify scheduled tasks for health checks and data collection
Antivirus and endpoint security products creating scheduled tasks for definition updates, scans, and health monitoring
Developer and DevOps toolchains (CI/CD agents, build servers) that schedule recurring jobs via schtasks
System administrators manually creating maintenance tasks from elevated shells during change windows

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:Security")
(
  (EventCode=1 Image="*\\schtasks.exe")
  OR (EventCode=4688 NewProcessName="*\\schtasks.exe")
  OR (EventCode=4698)
  OR (EventCode=4702)
)
| eval CommandLine=coalesce(CommandLine, ProcessCommandLine, CommandLine)
| eval CommandLineLower=lower(CommandLine)
| eval TaskName=coalesce(TaskName, "")
| eval TaskContent=coalesce(TaskContent, "")

| eval HasCreate=if(match(CommandLineLower, "(/create|/change)"), 1, 0)
| eval RunAsSystem=if(match(CommandLineLower, "(/ru\s+(system|\"system\"|\"nt authority\\\\system\"))"), 1, 0)
| eval SuspiciousLoc=if(match(CommandLineLower, "(appdata|\\\\temp\\\\|programdata|\\\\public\\\\|%temp%|%appdata%)"), 1, 0)
| eval SuspiciousBin=if(match(CommandLineLower, "(powershell|cmd\.exe|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|msbuild|wmic|msiexec)"), 1, 0)
| eval OnLogonTrigger=if(match(CommandLineLower, "(/sc\s+(onlogon|onstartup|onstart))"), 1, 0)
| eval HighFreqTrigger=if(match(CommandLineLower, "(/sc\s+(minute|hourly))"), 1, 0)
| eval RemoteTask=if(match(CommandLineLower, "/s\s+"), 1, 0)
| eval SuspiciousParent=if(match(lower(ParentImage), "(powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|winword|excel|outlook|acrord32|msedge|chrome|firefox)"), 1, 0)
| eval IsSecurityEvent=if(EventCode=4698 OR EventCode=4702, 1, 0)

| eval SuspicionScore=HasCreate + RunAsSystem + SuspiciousLoc + SuspiciousBin + OnLogonTrigger + HighFreqTrigger + RemoteTask + SuspiciousParent + IsSecurityEvent

| where SuspicionScore > 0

| eval DetectionSource=case(
    EventCode=4698, "task_created_security_log",
    EventCode=4702, "task_updated_security_log",
    EventCode=1, "sysmon_process_create",
    EventCode=4688, "security_process_create",
    true(), "unknown"
  )

| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
        TaskName, HasCreate, RunAsSystem, SuspiciousLoc, SuspiciousBin,
        OnLogonTrigger, HighFreqTrigger, RemoteTask, SuspiciousParent,
        SuspicionScore, DetectionSource, EventCode
| sort - SuspicionScore, - _time

high severity high confidence

Data Sources

Process: Process Creation Windows Security Event Log Sysmon Event ID 1 Windows Security Event ID 4698 Windows Security Event ID 4702

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

Software installers and patch management tools (SCCM, Intune, PDQ Deploy) that create scheduled tasks as part of software deployment workflows
Legitimate IT automation and monitoring agents (SolarWinds, Nagios, Datadog, Ansible) that create or modify scheduled tasks for health checks and data collection
Antivirus and endpoint security products creating scheduled tasks for definition updates, scans, and health monitoring
Developer and DevOps toolchains (CI/CD agents, build servers) that schedule recurring jobs via schtasks
System administrators manually creating maintenance tasks from elevated shells during change windows

Elastic Security (EQL)

eql

sequence by host.name with maxspan=5m
[
  any where event.category == "process" and
  process.name : "schtasks.exe" and
  (
    process.args : ("/create", "/change") and
    (
      process.args : ("*\\AppData\\*", "*\\Temp\\*", "*\\ProgramData\\*", "*\\Public\\*", "%temp%", "%appdata%", "%public%") or
      process.args : ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "msbuild.exe", "wmic.exe", "msiexec.exe") or
      process.args : ("/ru system", "/ru SYSTEM", "/ru \"NT AUTHORITY\\SYSTEM\"") or
      process.args : "/s " or
      process.args : ("/sc onlogon", "/sc onstartup", "/sc onstart") or
      process.args : ("/sc minute", "/sc hourly") or
      process.parent.name : ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "msiexec.exe", "wmic.exe", "winword.exe", "excel.exe", "outlook.exe", "acrord32.exe", "msedge.exe", "chrome.exe", "firefox.exe")
    )
  )
]

OR

sequence by host.name with maxspan=1m
[
  any where event.category == "registry" and
  event.type in ("creation", "change") and
  registry.path : "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\*" and
  not process.name : ("svchost.exe", "taskeng.exe", "taskhostw.exe")
]

high severity high confidence

Data Sources

Windows Sysmon (Event ID 1 - Process Create) Windows Security Log (Event ID 4688 - Process Create, 4698 - Task Created, 4702 - Task Updated) Elastic Endpoint Security agent Windows Registry events (Sysmon Event ID 12/13)

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.registry-* logs-windows.sysmon_operational-* logs-system.security-*

False Positives

Legitimate software installers (e.g., Adobe, Microsoft updaters) that use schtasks.exe to register maintenance tasks in ProgramData or AppData during installation.
System administrators and IT automation tools (Ansible, SCCM, PDQ Deploy) creating scheduled tasks via scripts, which may run under SYSTEM context or use PowerShell as a parent process.
Security and monitoring software (e.g., CrowdStrike, Carbon Black, Qualys) that creates recurring scheduled tasks using schtasks.exe with elevated privileges.
Developer CI/CD pipelines running on Windows build agents that invoke schtasks.exe as part of automated build or deployment scripts.

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  QIDNAME(qid) AS event_name,
  sourceip,
  username,
  "Process Name" AS process_name,
  "Command" AS command_line,
  "Parent Process Name" AS parent_process,
  "Task Name" AS task_name,
  CASE
    WHEN LOWER("Command") LIKE '%/create%' OR LOWER("Command") LIKE '%/change%' THEN 1 ELSE 0 END +
  CASE
    WHEN LOWER("Command") LIKE '%/ru system%' OR LOWER("Command") LIKE '%nt authority\\system%' THEN 1 ELSE 0 END +
  CASE
    WHEN LOWER("Command") LIKE '%appdata%' OR LOWER("Command") LIKE '%\\temp\\%'
      OR LOWER("Command") LIKE '%programdata%' OR LOWER("Command") LIKE '%\\public\\%' THEN 1 ELSE 0 END +
  CASE
    WHEN LOWER("Command") LIKE '%powershell%' OR LOWER("Command") LIKE '%cmd.exe%'
      OR LOWER("Command") LIKE '%wscript%' OR LOWER("Command") LIKE '%cscript%'
      OR LOWER("Command") LIKE '%mshta%' OR LOWER("Command") LIKE '%rundll32%'
      OR LOWER("Command") LIKE '%regsvr32%' OR LOWER("Command") LIKE '%certutil%'
      OR LOWER("Command") LIKE '%bitsadmin%' OR LOWER("Command") LIKE '%msbuild%'
      OR LOWER("Command") LIKE '%wmic%' OR LOWER("Command") LIKE '%msiexec%' THEN 1 ELSE 0 END +
  CASE
    WHEN LOWER("Command") LIKE '%/sc onlogon%' OR LOWER("Command") LIKE '%/sc onstartup%'
      OR LOWER("Command") LIKE '%/sc onstart%' THEN 1 ELSE 0 END +
  CASE
    WHEN LOWER("Command") LIKE '%/sc minute%' OR LOWER("Command") LIKE '%/sc hourly%' THEN 1 ELSE 0 END +
  CASE
    WHEN LOWER("Command") LIKE '%/s %' THEN 1 ELSE 0 END +
  CASE
    WHEN LOWER("Parent Process Name") LIKE '%powershell%' OR LOWER("Parent Process Name") LIKE '%wscript%'
      OR LOWER("Parent Process Name") LIKE '%cscript%' OR LOWER("Parent Process Name") LIKE '%mshta%'
      OR LOWER("Parent Process Name") LIKE '%rundll32%' OR LOWER("Parent Process Name") LIKE '%winword%'
      OR LOWER("Parent Process Name") LIKE '%excel%' OR LOWER("Parent Process Name") LIKE '%outlook%'
      OR LOWER("Parent Process Name") LIKE '%chrome%' OR LOWER("Parent Process Name") LIKE '%firefox%'
      OR LOWER("Parent Process Name") LIKE '%msedge%' THEN 2 ELSE 0 END +
  CASE
    WHEN eventid IN (4698, 4702) THEN 2 ELSE 0 END
  AS suspicion_score,
  eventid
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (
    12 /* Microsoft Windows Security Event Log */,
    25 /* Sysmon */
  )
  AND starttime > NOW() - 24 HOURS
  AND (
    (LOWER("Process Name") LIKE '%schtasks.exe%' AND eventid IN (1, 4688))
    OR eventid IN (4698, 4702)
  )
  AND (
    (
      (LOWER("Command") LIKE '%/create%' OR LOWER("Command") LIKE '%/change%')
      AND (
        LOWER("Command") LIKE '%appdata%'
        OR LOWER("Command") LIKE '%\\temp\\%'
        OR LOWER("Command") LIKE '%programdata%'
        OR LOWER("Command") LIKE '%\\public\\%'
        OR LOWER("Command") LIKE '%powershell%'
        OR LOWER("Command") LIKE '%cmd.exe%'
        OR LOWER("Command") LIKE '%wscript%'
        OR LOWER("Command") LIKE '%cscript%'
        OR LOWER("Command") LIKE '%mshta%'
        OR LOWER("Command") LIKE '%rundll32%'
        OR LOWER("Command") LIKE '%regsvr32%'
        OR LOWER("Command") LIKE '%certutil%'
        OR LOWER("Command") LIKE '%bitsadmin%'
        OR LOWER("Command") LIKE '%/ru system%'
        OR LOWER("Command") LIKE '%/sc onlogon%'
        OR LOWER("Command") LIKE '%/sc minute%'
        OR LOWER("Command") LIKE '%/s %'
      )
    )
    OR LOWER("Parent Process Name") LIKE '%powershell%'
    OR LOWER("Parent Process Name") LIKE '%wscript%'
    OR LOWER("Parent Process Name") LIKE '%cscript%'
    OR LOWER("Parent Process Name") LIKE '%mshta%'
    OR LOWER("Parent Process Name") LIKE '%rundll32%'
    OR LOWER("Parent Process Name") LIKE '%winword%'
    OR LOWER("Parent Process Name") LIKE '%excel%'
    OR LOWER("Parent Process Name") LIKE '%outlook%'
    OR LOWER("Parent Process Name") LIKE '%chrome%'
    OR LOWER("Parent Process Name") LIKE '%firefox%'
    OR LOWER("Parent Process Name") LIKE '%msedge%'
    OR eventid IN (4698, 4702)
  )
ORDER BY suspicion_score DESC, starttime DESC

high severity high confidence

Data Sources

Microsoft Windows Security Event Log (EventIDs 4688, 4698, 4702) Sysmon Operational Log (EventID 1 - Process Create) QRadar Windows Custom Properties for Command, Parent Process Name, Task Name

Required Tables

events

False Positives

Enterprise software deployment tools such as SCCM, Intune, or PDQ Deploy that programmatically create scheduled tasks for software maintenance using schtasks.exe under SYSTEM context.
Legitimate scheduled tasks created by system administrators via PowerShell scripts or automation frameworks (Ansible, Puppet) where PowerShell is the parent process of schtasks.exe.
Software update mechanisms from vendors like Adobe, Java, or Microsoft Teams that register scheduled tasks in AppData or ProgramData directories during software installation or update cycles.
Monitoring and backup agents (Veeam, Acronis, SolarWinds) that create high-frequency scheduled tasks (minute/hourly) for health checks or incremental backups.

Sumo Logic CSE

sql

_sourceCategory=windows/security OR _sourceCategory=windows/sysmon
| where (%"EventID" IN ("1", "4688", "4698", "4702"))

// Normalize process name and command line across event sources
| eval process_name = if(!isNull(%"Image"), %"Image", if(!isNull(%"NewProcessName"), %"NewProcessName", ""))
| eval command_line = if(!isNull(%"CommandLine"), %"CommandLine", if(!isNull(%"ProcessCommandLine"), %"ProcessCommandLine", ""))
| eval parent_process = if(!isNull(%"ParentImage"), %"ParentImage", if(!isNull(%"ParentProcessName"), %"ParentProcessName", ""))
| eval task_name = if(!isNull(%"TaskName"), %"TaskName", "")
| eval event_id = %"EventID"

// Only process schtasks.exe events and task scheduler audit events
| where toLowerCase(process_name) matches "*schtasks.exe*" OR event_id IN ("4698", "4702")

// Score: create/change operation
| eval has_create = if(matches(toLowerCase(command_line), ".*(/create|/change).*"), 1, 0)

// Score: run as SYSTEM
| eval run_as_system = if(matches(toLowerCase(command_line), ".*/ru\\s+(system|\\"system\\"|\\"nt authority\\\\system\\").*"), 1, 0)

// Score: suspicious file location
| eval suspicious_loc = if(matches(toLowerCase(command_line), ".*(appdata|\\\\temp\\\\|programdata|\\\\public\\\\|%temp%|%appdata%|%public%).*"), 1, 0)

// Score: suspicious binary invoked
| eval suspicious_bin = if(matches(toLowerCase(command_line), ".*(powershell|cmd\\.exe|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|msbuild|wmic|msiexec).*"), 1, 0)

// Score: logon/startup trigger
| eval logon_trigger = if(matches(toLowerCase(command_line), ".*/sc\\s+(onlogon|onstartup|onstart).*"), 1, 0)

// Score: high frequency trigger
| eval high_freq = if(matches(toLowerCase(command_line), ".*/sc\\s+(minute|hourly).*"), 1, 0)

// Score: remote task creation
| eval remote_task = if(matches(toLowerCase(command_line), ".*/s\\s+.*"), 1, 0)

// Score: suspicious parent process
| eval suspicious_parent = if(matches(toLowerCase(parent_process), ".*(powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|winword|excel|outlook|acrord32|msedge|chrome|firefox).*"), 2, 0)

// Score: native security audit event
| eval is_audit_event = if(event_id IN ("4698", "4702"), 2, 0)

// Compute total suspicion score
| eval suspicion_score = has_create + run_as_system + suspicious_loc + suspicious_bin + logon_trigger + high_freq + remote_task + suspicious_parent + is_audit_event

// Only surface events with at least one indicator
| where suspicion_score > 0

// Label detection source
| eval detection_source = if(event_id == "4698", "task_created_security_log",
    if(event_id == "4702", "task_updated_security_log",
    if(event_id == "1", "sysmon_process_create",
    if(event_id == "4688", "security_process_create", "unknown"))))

| fields _messageTime, _sourceHost, %"User", process_name, command_line, parent_process, task_name,
         has_create, run_as_system, suspicious_loc, suspicious_bin, logon_trigger, high_freq,
         remote_task, suspicious_parent, suspicion_score, detection_source, event_id
| sort by suspicion_score desc, _messageTime desc

high severity high confidence

Data Sources

Windows Security Event Log via Sumo Logic Windows Collection Agent Sysmon Operational Log via Sumo Logic Windows Collection Agent Sumo Logic CSE Normalized Windows Events

Required Tables

_sourceCategory=windows/security _sourceCategory=windows/sysmon

False Positives

Enterprise patch management solutions (WSUS, SCCM, Intune) that create or modify scheduled tasks in SYSTEM context during patch deployment windows.
IT automation tools using PowerShell or cmd.exe as parent processes to invoke schtasks.exe for legitimate task provisioning as part of infrastructure-as-code pipelines.
Application installers that register scheduled tasks for update checking in AppData or ProgramData directories — particularly common with Adobe Creative Cloud, Chrome, Firefox, and Zoom.
Security operations tools (vulnerability scanners, endpoint agents) that create recurring scheduled tasks to run health checks or telemetry collection on a minute or hourly basis.

Google Chronicle / SecOps

yaral

rule mitre_t1053_005_scheduled_task_abuse {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects Windows Scheduled Task abuse via schtasks.exe with suspicious arguments or parent processes, and direct Task Scheduler registry manipulation (T1053.005)"
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Persistence, Privilege Escalation"
    mitre_attack_technique = "T1053.005"
    reference = "https://attack.mitre.org/techniques/T1053/005/"
    platform = "Windows"
    version = "1.0"
    created = "2026-04-16"

  events:
    // Match schtasks.exe process creation events
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.target.process.file.full_path = /(?i)schtasks\.exe$/
    (
      // Branch 1: Suspicious schtasks arguments — create or change with indicators
      (
        (
          re.regex($e.target.process.command_line, `(?i)/create|/change`)
        )
        and
        (
          re.regex($e.target.process.command_line, `(?i)\\AppData\\|\\Temp\\|\\ProgramData\\|\\Public\\|%temp%|%appdata%|%public%`) or
          re.regex($e.target.process.command_line, `(?i)cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|msbuild\.exe|wmic\.exe|msiexec\.exe`) or
          re.regex($e.target.process.command_line, `(?i)/ru\s+(system|"system"|"nt authority\\system")`) or
          re.regex($e.target.process.command_line, `(?i)/s\s+`) or
          re.regex($e.target.process.command_line, `(?i)/sc\s+(onlogon|onstartup|onstart)`) or
          re.regex($e.target.process.command_line, `(?i)/sc\s+(minute|hourly)`)
        )
      )
      or
      // Branch 2: Suspicious parent process spawning schtasks
      re.regex($e.principal.process.file.full_path, `(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|msiexec\.exe|wmic\.exe|winword\.exe|excel\.exe|outlook\.exe|acrord32\.exe|msedge\.exe|chrome\.exe|firefox\.exe)$`)
    )

    $e.principal.hostname = $hostname

  condition:
    $e
}

rule mitre_t1053_005_scheduled_task_registry_manipulation {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects unauthorized Task Scheduler registry writes to TaskCache key, indicating hidden or programmatically created scheduled tasks (T1053.005)"
    severity = "MEDIUM"
    priority = "MEDIUM"
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "T1053.005"
    reference = "https://attack.mitre.org/techniques/T1053/005/"
    platform = "Windows"
    version = "1.0"
    created = "2026-04-16"

  events:
    $r.metadata.event_type = "REGISTRY_MODIFICATION"
    re.regex($r.target.registry.registry_key, `(?i)\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\`)
    not re.regex($r.principal.process.file.full_path, `(?i)(svchost\.exe|taskeng\.exe|taskhostw\.exe)$`)

    $r.principal.hostname = $hostname

  condition:
    $r
}

high severity high confidence

Data Sources

Google Chronicle UDM via Windows Event Forwarding (WEF) Sysmon logs forwarded to Chronicle (Event ID 1 - Process Create, Event ID 12/13 - Registry) Windows Security Event Log via Chronicle ingestion (Event ID 4688, 4698, 4702) Chronicle Endpoint Detection sensor

Required Tables

UDM events with metadata.event_type = PROCESS_LAUNCH UDM events with metadata.event_type = REGISTRY_MODIFICATION

False Positives

Legitimate software installation processes that register scheduled tasks via PowerShell or script engines as part of their setup routines — particularly common with enterprise software suites.
System management tools (SCCM, Group Policy) that write directly to the Task Scheduler registry keys to deploy tasks across managed endpoints.
Security software such as EDR agents and antivirus solutions that create high-frequency scheduled tasks for signature updates or health telemetry, potentially triggering the /sc minute or /sc hourly indicators.
Developer workstations where build tools (MSBuild) or automation frameworks invoke schtasks.exe as part of CI pipeline test fixtures or developer environment setup scripts.

CrowdStrike LogScale (CQL)

cql

// Branch 1: schtasks.exe with suspicious arguments or parent processes
#event_simpleName = ProcessRollup2
| FileName = "schtasks.exe"
| CommandLine = /(?i)\/create|\/change/
| eval HasSuspiciousLoc = if(CommandLine = /(?i)\\AppData\\|\\Temp\\|\\ProgramData\\|\\Public\\|%temp%|%appdata%|%public%/, 1, 0)
| eval HasSuspiciousBin = if(CommandLine = /(?i)cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|msbuild\.exe|wmic\.exe|msiexec\.exe/, 1, 0)
| eval RunAsSystem = if(CommandLine = /(?i)\/ru\s+(system|"system"|"nt authority\\system")/, 1, 0)
| eval RemoteTask = if(CommandLine = /(?i)\/s\s+/, 1, 0)
| eval OnLogonTrigger = if(CommandLine = /(?i)\/sc\s+(onlogon|onstartup|onstart)/, 1, 0)
| eval HighFreqTrigger = if(CommandLine = /(?i)\/sc\s+(minute|hourly)/, 1, 0)
| eval SuspiciousParent = if(ParentBaseFileName = /(?i)powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|msiexec\.exe|wmic\.exe|winword\.exe|excel\.exe|outlook\.exe|acrord32\.exe|msedge\.exe|chrome\.exe|firefox\.exe/, 2, 0)
| eval SuspicionScore = HasSuspiciousLoc + HasSuspiciousBin + RunAsSystem + RemoteTask + OnLogonTrigger + HighFreqTrigger + SuspiciousParent
| where SuspicionScore > 0
| eval DetectionBranch = "schtasks_suspicious_args_or_parent"
| table [@timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine,
         HasSuspiciousLoc, HasSuspiciousBin, RunAsSystem, RemoteTask, OnLogonTrigger, HighFreqTrigger,
         SuspiciousParent, SuspicionScore, DetectionBranch]

// Branch 2: schtasks.exe spawned by suspicious parent (no /create filter — catches any schtasks invocation)
OR (
  #event_simpleName = ProcessRollup2
  | FileName = "schtasks.exe"
  | ParentBaseFileName = /(?i)powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|winword\.exe|excel\.exe|outlook\.exe|acrord32\.exe|msedge\.exe|chrome\.exe|firefox\.exe/
  | not CommandLine = /(?i)\/create|\/change/
  | eval SuspicionScore = 2
  | eval DetectionBranch = "schtasks_suspicious_parent_any_operation"
  | table [@timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine,
           SuspicionScore, DetectionBranch]
)

// Branch 3: Registry writes to Task Scheduler TaskCache by non-system processes
OR (
  #event_simpleName = RegGenericValueUpdate OR #event_simpleName = RegKeyCreate
  | RegObjectName = /(?i)\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\/
  | not ImageFileName = /(?i)svchost\.exe|taskeng\.exe|taskhostw\.exe/
  | eval SuspicionScore = 1
  | eval DetectionBranch = "registry_taskcache_write"
  | table [@timestamp, ComputerName, UserName, ImageFileName, CommandLine, RegObjectName,
           RegValueName, SuspicionScore, DetectionBranch]
)
| sort SuspicionScore desc, @timestamp desc

high severity high confidence

Data Sources

CrowdStrike Falcon EDR - ProcessRollup2 events (process creation with full command line) CrowdStrike Falcon EDR - RegGenericValueUpdate and RegKeyCreate events (registry modification) CrowdStrike Falcon - Endpoint Activity Monitor

Required Tables

ProcessRollup2 RegGenericValueUpdate RegKeyCreate

False Positives

Legitimate enterprise deployment tools (SCCM, Intune, PDQ Deploy) that invoke schtasks.exe from administrative scripts running under PowerShell or cmd.exe to provision application maintenance tasks on managed endpoints.
Software installation processes for productivity suites (Microsoft Office, Adobe Acrobat) that may spawn schtasks.exe to register update schedulers in AppData or ProgramData paths during initial installation.
Security tools and EDR agents that write directly to the Task Scheduler registry keys as part of self-protection, persistence, or scheduled scan configuration mechanisms.
Developer tooling on workstation endpoints where build systems, test runners, or local automation scripts use schtasks.exe to configure scheduled jobs for background tasks in development environments.

Last updated: 2026-04-16 Research depth: deep

References (11)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1053.005 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1053Scheduled Task/Job

Related Sub-techniques

T1053.002At T1053.003Cron T1053.006Systemd Timers T1053.007Container Orchestration Job

Scheduled Task

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Execution

Popular Detections