T1053.005 Splunk · SPL

Detect Scheduled Task in Splunk

Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. Attackers use schtasks.exe, the Task Scheduler GUI, .NET wrappers, WMI (via Win32_ScheduledJob or PS_ScheduledTask), or direct registry manipulation to create, modify, or delete scheduled tasks. Tasks can run under any account context including SYSTEM, enabling privilege escalation. Adversaries also create hidden tasks by deleting the Security Descriptor (SD) registry value, making tasks invisible to standard enumeration tools.

MITRE ATT&CK

Tactic
Execution Persistence Privilege Escalation
Technique
T1053 Scheduled Task/Job
Sub-technique
T1053.005 Scheduled Task
Canonical reference
https://attack.mitre.org/techniques/T1053/005/

SPL Detection Query

Splunk (SPL)
spl 
index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:Security")
(
  (EventCode=1 Image="*\\schtasks.exe")
  OR (EventCode=4688 NewProcessName="*\\schtasks.exe")
  OR (EventCode=4698)
  OR (EventCode=4702)
)
| eval CommandLine=coalesce(CommandLine, ProcessCommandLine, CommandLine)
| eval CommandLineLower=lower(CommandLine)
| eval TaskName=coalesce(TaskName, "")
| eval TaskContent=coalesce(TaskContent, "")

| eval HasCreate=if(match(CommandLineLower, "(/create|/change)"), 1, 0)
| eval RunAsSystem=if(match(CommandLineLower, "(/ru\s+(system|\"system\"|\"nt authority\\\\system\"))"), 1, 0)
| eval SuspiciousLoc=if(match(CommandLineLower, "(appdata|\\\\temp\\\\|programdata|\\\\public\\\\|%temp%|%appdata%)"), 1, 0)
| eval SuspiciousBin=if(match(CommandLineLower, "(powershell|cmd\.exe|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|msbuild|wmic|msiexec)"), 1, 0)
| eval OnLogonTrigger=if(match(CommandLineLower, "(/sc\s+(onlogon|onstartup|onstart))"), 1, 0)
| eval HighFreqTrigger=if(match(CommandLineLower, "(/sc\s+(minute|hourly))"), 1, 0)
| eval RemoteTask=if(match(CommandLineLower, "/s\s+"), 1, 0)
| eval SuspiciousParent=if(match(lower(ParentImage), "(powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|winword|excel|outlook|acrord32|msedge|chrome|firefox)"), 1, 0)
| eval IsSecurityEvent=if(EventCode=4698 OR EventCode=4702, 1, 0)

| eval SuspicionScore=HasCreate + RunAsSystem + SuspiciousLoc + SuspiciousBin + OnLogonTrigger + HighFreqTrigger + RemoteTask + SuspiciousParent + IsSecurityEvent

| where SuspicionScore > 0

| eval DetectionSource=case(
    EventCode=4698, "task_created_security_log",
    EventCode=4702, "task_updated_security_log",
    EventCode=1, "sysmon_process_create",
    EventCode=4688, "security_process_create",
    true(), "unknown"
  )

| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
        TaskName, HasCreate, RunAsSystem, SuspiciousLoc, SuspiciousBin,
        OnLogonTrigger, HighFreqTrigger, RemoteTask, SuspiciousParent,
        SuspicionScore, DetectionSource, EventCode
| sort - SuspicionScore, - _time
high severity high confidence

Detects malicious scheduled task creation and modification by combining Sysmon Event ID 1 (Process Create), Security Event ID 4688 (Process Create with command line auditing), Security Event ID 4698 (Scheduled Task Created), and Security Event ID 4702 (Scheduled Task Updated). Evaluates command-line arguments for suspicious patterns including SYSTEM execution, suspicious binary locations, logon/startup triggers, high-frequency intervals, remote task creation, and suspicious parent processes. A composite suspicion score enables analyst prioritization.

Data Sources

Process: Process CreationWindows Security Event LogSysmon Event ID 1Windows Security Event ID 4698Windows Security Event ID 4702

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/OperationalWinEventLog:Security

False Positives & Tuning

  • Software installers and patch management tools (SCCM, Intune, PDQ Deploy) that create scheduled tasks as part of software deployment workflows
  • Legitimate IT automation and monitoring agents (SolarWinds, Nagios, Datadog, Ansible) that create or modify scheduled tasks for health checks and data collection
  • Antivirus and endpoint security products creating scheduled tasks for definition updates, scans, and health monitoring
  • Developer and DevOps toolchains (CI/CD agents, build servers) that schedule recurring jobs via schtasks
  • System administrators manually creating maintenance tasks from elevated shells during change windows
Download portable Sigma rule (.yml)

Other platforms for T1053.005

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Create Persistence Scheduled Task Running as SYSTEM

    Expected signal: Sysmon Event ID 1: Process Create with Image=schtasks.exe, CommandLine containing '/create', '/tn WindowsSystemCheck', '/ru SYSTEM', '/sc onstart'. Security Event ID 4688 (if command line auditing enabled). Security Event ID 4698 (Scheduled Task Created) in Security log with task XML showing SYSTEM principal. Registry key created under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\ (ONSTART trigger).

  2. Test 2Scheduled Task with PowerShell Download Cradle Action

    Expected signal: Sysmon Event ID 1: schtasks.exe with full command line including the PowerShell cradle. Security Event ID 4698 with task XML showing PowerShell action with hidden window and download cradle. Task XML file written to C:\Windows\System32\Tasks\MicrosoftEdgeUpdateCheck. Registry entries created under TaskCache\Logon\.

  3. Test 3Scheduled Task Created via PowerShell (Invoke-CimMethod)

    Expected signal: Sysmon Event ID 1: powershell.exe process with command line containing Register-ScheduledTask. Security Event ID 4698: Scheduled Task Created (WmiTaskTest). Sysmon Event ID 13: Registry value written to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\ by powershell.exe (not svchost.exe). Task XML file written to C:\Windows\System32\Tasks\WmiTaskTest.

  4. Test 4Hidden Scheduled Task via SD Registry Value Deletion

    Expected signal: Sysmon Event ID 1: schtasks.exe creating the task. Sysmon Event ID 14 (Registry Key/Value Deleted): TargetObject = HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\HiddenPersistTask\SD, Image = reg.exe. Security Event ID 4698: task created. After SD deletion, task is absent from schtasks /query but still active in TaskCache.

  5. Test 5Remote Scheduled Task Creation for Lateral Movement

    Expected signal: Sysmon Event ID 1: schtasks.exe with CommandLine containing '/s 127.0.0.1', '/ru SYSTEM', '/create'. Security Event ID 4698: Scheduled Task Created on target (local) system. Network connection attempt to localhost Task Scheduler RPC interface (port 135/dynamic RPC). Security Event ID 4648 (Logon with explicit credentials) if alternate credentials used.

Last updated: 2026-04-16 Research depth: deep
References (11)

Unlock Pro Content

Get the full detection package for T1053.005 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1053Scheduled Task/Job

Related Sub-techniques

T1053.002AtT1053.003CronT1053.006Systemd TimersT1053.007Container Orchestration Job

Related Techniques

T1053Scheduled Task/JobT1059.001PowerShellT1059.003Windows Command ShellT1047Windows Management InstrumentationT1564.001Hidden Files and DirectoriesT1564Hide ArtifactsT1078Valid AccountsT1021.002SMB/Windows Admin SharesT1218System Binary Proxy ExecutionT1055Process InjectionT1112Modify RegistryT1562.001Disable or Modify Tools

Same Tactic: Execution

Popular Detections