Detect Scheduled Task in Sumo Logic CSE
Adversaries may abuse the Windows Task Scheduler to schedule initial or recurring execution of malicious code. Tasks can be created, modified, or deleted through schtasks.exe, the Task Scheduler GUI, the .NET/COM Task Scheduler API, WMI/CIM (Win32_ScheduledJob or the PS_ScheduledTask class behind Register-ScheduledTask), or direct registry manipulation under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache. Tasks can run under any account context including SYSTEM, which makes them useful for privilege escalation as well as persistence. Adversaries also hide tasks by deleting the task's Security Descriptor (SD) registry value under TaskCache\Tree, which removes the task from schtasks /query and the Task Scheduler GUI while the task continues to run.
MITRE ATT&CK
- Technique: T1053 Scheduled Task/Job
- Sub-technique: T1053.005 Scheduled Task
- Canonical reference: https://attack.mitre.org/techniques/T1053/005/
Sumo Detection Query
_sourceCategory=windows/security OR _sourceCategory=windows/sysmon
| where (%"EventID" IN ("1", "4688", "4698", "4702"))
// Normalize process name and command line across event sources
| eval process_name = if(!isNull(%"Image"), %"Image", if(!isNull(%"NewProcessName"), %"NewProcessName", ""))
| eval command_line = if(!isNull(%"CommandLine"), %"CommandLine", if(!isNull(%"ProcessCommandLine"), %"ProcessCommandLine", ""))
| eval parent_process = if(!isNull(%"ParentImage"), %"ParentImage", if(!isNull(%"ParentProcessName"), %"ParentProcessName", ""))
| eval task_name = if(!isNull(%"TaskName"), %"TaskName", "")
| eval event_id = %"EventID"
// Only process schtasks.exe events and task scheduler audit events
| where toLowerCase(process_name) matches "*schtasks.exe*" OR event_id IN ("4698", "4702")
// Score: create/change operation
| eval has_create = if(matches(toLowerCase(command_line), ".*(/create|/change).*"), 1, 0)
// Score: run as SYSTEM
| eval run_as_system = if(matches(toLowerCase(command_line), ".*/ru\\s+(system|\\"system\\"|\\"nt authority\\\\system\\").*"), 1, 0)
// Score: suspicious file location
| eval suspicious_loc = if(matches(toLowerCase(command_line), ".*(appdata|\\\\temp\\\\|programdata|\\\\public\\\\|%temp%|%appdata%|%public%).*"), 1, 0)
// Score: suspicious binary invoked
| eval suspicious_bin = if(matches(toLowerCase(command_line), ".*(powershell|cmd\\.exe|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|msbuild|wmic|msiexec).*"), 1, 0)
// Score: logon/startup trigger
| eval logon_trigger = if(matches(toLowerCase(command_line), ".*/sc\\s+(onlogon|onstartup|onstart).*"), 1, 0)
// Score: high frequency trigger
| eval high_freq = if(matches(toLowerCase(command_line), ".*/sc\\s+(minute|hourly).*"), 1, 0)
// Score: remote task creation
| eval remote_task = if(matches(toLowerCase(command_line), ".*/s\\s+.*"), 1, 0)
// Score: suspicious parent process
| eval suspicious_parent = if(matches(toLowerCase(parent_process), ".*(powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|winword|excel|outlook|acrord32|msedge|chrome|firefox).*"), 2, 0)
// Score: native security audit event
| eval is_audit_event = if(event_id IN ("4698", "4702"), 2, 0)
// Compute total suspicion score
| eval suspicion_score = has_create + run_as_system + suspicious_loc + suspicious_bin + logon_trigger + high_freq + remote_task + suspicious_parent + is_audit_event
// Only surface events with at least one indicator
| where suspicion_score > 0
// Label detection source
| eval detection_source = if(event_id == "4698", "task_created_security_log",
if(event_id == "4702", "task_updated_security_log",
if(event_id == "1", "sysmon_process_create",
if(event_id == "4688", "security_process_create", "unknown"))))
| fields _messageTime, _sourceHost, %"User", process_name, command_line, parent_process, task_name,
has_create, run_as_system, suspicious_loc, suspicious_bin, logon_trigger, high_freq,
remote_task, suspicious_parent, suspicion_score, detection_source, event_id
| sort by suspicion_score desc, _messageTime desc

Detects Windows Scheduled Task abuse (T1053.005) across Sysmon and Windows Security event sources. The query normalizes process, command-line and parent fields across event types and applies a multi-factor suspicion score covering: schtasks /create and /change operations that target suspicious locations or invoke LOLBins, run-as-SYSTEM scheduling, remote task creation (/s), high-frequency or logon/startup-triggered tasks, suspicious parent processes (Office applications, browsers, script interpreters), and the native audit events for task creation (4698) and modification (4702). Events with a suspicion score above zero are surfaced and ranked by score. Two properties of the scoring are worth knowing before tuning: a 4698/4702 event always scores at least 2 from is_audit_event alone, so every task registration is surfaced regardless of content, and the command-line indicators never apply to those audit events because they carry the task XML rather than a schtasks command line. Process-creation events only contribute when the image is schtasks.exe, so tasks registered through PowerShell, WMI or the API are caught only by the 4698/4702 path, which requires Audit Other Object Access Events to be enabled.
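The scoring model above, reimplemented in Python as an added example (this is not code from the original page or from Sumo Logic) and run over a handful of constructed Sysmon and Security events, so the weights and the gating can be checked offline before the query is deployed. The regexes are the query's own; the field names follow the Sysmon and Security schemas the query normalizes; the events, hostnames and paths are made up for illustration. The example also shows the two properties noted above: a 4698 event with no command line still scores 2, and a benign schtasks /query scores 0 and is dropped.

```python
import re

# Indicator regexes mirror the Sumo query; Python raw strings, so one
# backslash is a regex escape (the query's "\\" becomes "\" here).
CREATE_RE = re.compile(r"(/create|/change)")
RUN_AS_SYSTEM_RE = re.compile(r'/ru\s+(system|"system"|"nt authority\\system")')
SUSPICIOUS_LOC_RE = re.compile(r"(appdata|\\temp\\|programdata|\\public\\|%temp%|%appdata%|%public%)")
SUSPICIOUS_BIN_RE = re.compile(
    r"(powershell|cmd\.exe|pwsh|wscript|cscript|mshta|rundll32|regsvr32|"
    r"certutil|bitsadmin|msbuild|wmic|msiexec)")
LOGON_TRIGGER_RE = re.compile(r"/sc\s+(onlogon|onstartup|onstart)")
HIGH_FREQ_RE = re.compile(r"/sc\s+(minute|hourly)")
REMOTE_TASK_RE = re.compile(r"/s\s+")
SUSPICIOUS_PARENT_RE = re.compile(
    r"(powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|winword|excel|"
    r"outlook|acrord32|msedge|chrome|firefox)")
AUDIT_EVENT_IDS = {"4698", "4702"}
SOURCE_LABELS = {"4698": "task_created_security_log", "4702": "task_updated_security_log",
                 "1": "sysmon_process_create", "4688": "security_process_create"}

# Constructed sample events (not real telemetry): two Sysmon Event ID 1, one
# Security 4688, one Security 4698 and one unrelated process for the gate.
SAMPLE_EVENTS = [
    {"EventID": "1", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /tn WindowsSystemCheck /tr "powershell.exe -WindowStyle Hidden -File C:\Users\bob\AppData\Roaming\update.ps1" /ru SYSTEM /sc onstart',
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "User": r"CORP\bob"},
    {"EventID": "4688", "NewProcessName": r"C:\Windows\System32\schtasks.exe",
     "ProcessCommandLine": r'schtasks.exe /query /tn "\Microsoft\Windows\UpdateOrchestrator\Schedule Scan" /v',
     "ParentProcessName": r"C:\Windows\System32\cmd.exe", "SubjectUserName": "alice"},
    {"EventID": "4698", "SubjectUserName": "bob", "TaskName": r"\WmiTaskTest",
     "TaskContent": "<Task/>"},  # audit event: no command line at all
    {"EventID": "1", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks.exe /s 10.0.0.5 /create /tn Upd /tr C:\ProgramData\u.exe /ru SYSTEM /sc minute /mo 5",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"CORP\admin"},
    {"EventID": "1", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]


def first(ev, *keys):
    """First non-empty value among alternative field names (the query's nested if/isNull)."""
    for k in keys:
        if ev.get(k):
            return ev[k]
    return ""


def normalize(ev):
    """Flatten Sysmon and Security field names to the query's common schema."""
    return {
        "event_id": str(ev.get("EventID", "")),
        "process_name": first(ev, "Image", "NewProcessName"),
        "command_line": first(ev, "CommandLine", "ProcessCommandLine"),
        "parent_process": first(ev, "ParentImage", "ParentProcessName"),
        "task_name": first(ev, "TaskName"),
        "user": first(ev, "User", "SubjectUserName"),
    }


def score_event(ev):
    """Return the scored record for one event, or None if the query would drop it."""
    n = normalize(ev)
    # Gate: only schtasks.exe process events and the 4698/4702 audit events.
    if "schtasks.exe" not in n["process_name"].lower() and n["event_id"] not in AUDIT_EVENT_IDS:
        return None
    cl = n["command_line"].lower()
    indicators = {
        "has_create": int(bool(CREATE_RE.search(cl))),
        "run_as_system": int(bool(RUN_AS_SYSTEM_RE.search(cl))),
        "suspicious_loc": int(bool(SUSPICIOUS_LOC_RE.search(cl))),
        "suspicious_bin": int(bool(SUSPICIOUS_BIN_RE.search(cl))),
        "logon_trigger": int(bool(LOGON_TRIGGER_RE.search(cl))),
        "high_freq": int(bool(HIGH_FREQ_RE.search(cl))),
        "remote_task": int(bool(REMOTE_TASK_RE.search(cl))),
        "suspicious_parent": 2 if SUSPICIOUS_PARENT_RE.search(n["parent_process"].lower()) else 0,
        "is_audit_event": 2 if n["event_id"] in AUDIT_EVENT_IDS else 0,
    }
    total = sum(indicators.values())
    if total == 0:          # `where suspicion_score > 0`
        return None
    n.update(indicators)
    n["suspicion_score"] = total
    n["detection_source"] = SOURCE_LABELS.get(n["event_id"], "unknown")
    return n


def run_detection(events):
    """Score every event and return the hits ranked like the query's sort."""
    hits = [h for h in (score_event(e) for e in events) if h]
    return sorted(hits, key=lambda h: h["suspicion_score"], reverse=True)


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(hit["suspicion_score"], hit["detection_source"], hit["command_line"] or hit["task_name"])
```

Running it yields three hits: the SYSTEM onstart task launched from PowerShell (score 7), the remote minute-interval task (5) and the bare 4698 registration (2); the schtasks /query and notepad events never reach the output. Use the same harness to check a proposed tuning change against a week of real schtasks command lines exported from Sumo before editing the query.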
False Positives & Tuning
- Enterprise patch management solutions (WSUS, SCCM, Intune) that create or modify scheduled tasks in SYSTEM context during patch deployment windows.
- IT automation tools using PowerShell or cmd.exe as parent processes to invoke schtasks.exe for legitimate task provisioning as part of infrastructure-as-code pipelines.
- Application installers that register scheduled tasks for update checking in AppData or ProgramData directories — particularly common with Adobe Creative Cloud, Chrome, Firefox, and Zoom.
- Security operations tools (vulnerability scanners, endpoint agents) that create recurring scheduled tasks to run health checks or telemetry collection on a minute or hourly basis.
Testing Methodology
Validate this detection against the five Atomic Red Team tests for T1053.005 listed below. Each test names the behaviour to exercise and the telemetry you should expect to see; compare the expected events against what the query actually surfaces, since several of these paths never produce a schtasks.exe Process Create event.
- Test 1: Create Persistence Scheduled Task Running as SYSTEM
Expected signal: Sysmon Event ID 1 (Process Create) with Image=schtasks.exe and a CommandLine containing '/create', '/tn WindowsSystemCheck', '/ru SYSTEM' and '/sc onstart'. Security Event ID 4688 if command-line auditing is enabled. Security Event ID 4698 (Scheduled Task Created) in the Security log with task XML showing a SYSTEM principal. Registry key created under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\ (ONSTART trigger).
- Test 2: Scheduled Task with PowerShell Download Cradle Action
Expected signal: Sysmon Event ID 1 for schtasks.exe with the full command line, including the PowerShell cradle. Security Event ID 4698 with task XML showing a PowerShell action with a hidden window and the download cradle. Task XML file written to C:\Windows\System32\Tasks\MicrosoftEdgeUpdateCheck. Registry entries created under TaskCache\Logon\.
- Test 3: Scheduled Task Created via PowerShell (Invoke-CimMethod)
Expected signal: Sysmon Event ID 1 for powershell.exe with a command line containing Register-ScheduledTask or Invoke-CimMethod against the PS_ScheduledTask class. Security Event ID 4698: Scheduled Task Created (WmiTaskTest). Sysmon Event ID 13: registry value set under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\. Task XML file written to C:\Windows\System32\Tasks\WmiTaskTest. No schtasks.exe Process Create event is generated, so only the 4698 path of the query fires for this test.
- Test 4: Hidden Scheduled Task via SD Registry Value Deletion
Expected signal: Sysmon Event ID 1 for schtasks.exe creating the task. Sysmon Event ID 12 (Registry object deleted, EventType DeleteValue) with TargetObject = HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\HiddenPersistTask\SD and Image = reg.exe. Security Event ID 4698: task created. After the SD deletion the task is absent from schtasks /query but still present and active in TaskCache; the query above does not cover the deletion itself, which needs a registry-based rule such as the referenced Sigma rule.
- Test 5: Remote Scheduled Task Creation for Lateral Movement
Expected signal: Sysmon Event ID 1 for schtasks.exe with a CommandLine containing '/s 127.0.0.1', '/ru SYSTEM' and '/create'. Security Event ID 4698: Scheduled Task Created on the target (here the local) system. Network connection to the Task Scheduler RPC interface on the target (TCP 135 plus the dynamic RPC port). Security Event ID 4648 (Logon with explicit credentials) if alternate credentials are supplied with /u and /p.
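Tests 1 through 3 all produce a Security 4698 event whose TaskContent field carries the full task definition XML, but the query above can only give such events the flat is_audit_event weight because its indicators are keyed on a schtasks command line. The following added example (written for this page, not code from the original, from Atomic Red Team or from Microsoft) parses that XML and applies the equivalent indicators to the principal, the triggers, the Hidden setting and the Exec actions. The two task definitions are constructed for illustration and the equal weighting of the indicators is an assumption to adjust per environment; the XML namespace and element names are those of the Task Scheduler schema.

```python
import re
import xml.etree.ElementTree as ET

# Namespace of Task Scheduler task definitions (the TaskContent XML in 4698/4702).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
LOLBIN_RE = re.compile(
    r"(powershell|cmd\.exe|pwsh|wscript|cscript|mshta|rundll32|regsvr32|"
    r"certutil|bitsadmin|msbuild|wmic|msiexec)")
LOCATION_RE = re.compile(r"(appdata|\\temp\\|programdata|\\public\\|%temp%|%appdata%|%public%)")
SYSTEM_PRINCIPALS = {"s-1-5-18", "system", "nt authority\\system"}

# Constructed task definitions (not captured from a real host).
MALICIOUS_TASK_XML = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <Repetition><Interval>PT10M</Interval></Repetition>
    </LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal>
  </Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-WindowStyle Hidden -File C:\Users\bob\AppData\Roaming\update.ps1</Arguments>
    </Exec>
  </Actions>
</Task>"""

BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2024-01-01T03:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal>
  </Principals>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>C:\Program Files\ExampleVendor\updater.exe</Command><Arguments>/check</Arguments></Exec>
  </Actions>
</Task>"""


def iso8601_duration_seconds(value):
    """Convert a Task Scheduler repetition interval such as PT5M or P1DT2H to seconds."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value.strip())
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def parse_task_xml(task_xml):
    """Pull the fields an analyst triages out of a task definition."""
    # Collectors hand TaskContent over already decoded; drop the UTF-16
    # declaration so the string parses as-is.
    task_xml = re.sub(r"^\s*<\?xml[^>]*\?>", "", task_xml)
    root = ET.fromstring(task_xml)

    def text(el, path):
        return (el.findtext(path, default="", namespaces=NS) or "").strip()

    principal = root.find("t:Principals/t:Principal", NS)
    trigger_types, intervals = [], []
    triggers = root.find("t:Triggers", NS)
    if triggers is not None:
        for trig in triggers:                       # BootTrigger, LogonTrigger, CalendarTrigger, ...
            trigger_types.append(trig.tag.split("}")[-1])
            interval = text(trig, "t:Repetition/t:Interval")
            if interval:
                intervals.append(iso8601_duration_seconds(interval))
    actions = [(text(ex, "t:Command"), text(ex, "t:Arguments"))
               for ex in root.findall("t:Actions/t:Exec", NS)]
    return {
        "user_id": text(principal, "t:UserId") if principal is not None else "",
        "run_level": text(principal, "t:RunLevel") if principal is not None else "",
        "hidden": text(root, "t:Settings/t:Hidden").lower() == "true",
        "trigger_types": trigger_types,
        "repetition_seconds": [i for i in intervals if i is not None],
        "actions": actions,
    }


def score_task(task):
    """Apply the page's indicators to a parsed task definition (weights are an assumption)."""
    cmdline = " ".join(f"{cmd} {args}" for cmd, args in task["actions"]).lower()
    indicators = {
        "run_as_system": int(task["user_id"].lower() in SYSTEM_PRINCIPALS),
        "logon_or_boot_trigger": int(any(t in ("BootTrigger", "LogonTrigger") for t in task["trigger_types"])),
        "high_freq": int(any(secs <= 3600 for secs in task["repetition_seconds"])),
        "hidden": int(task["hidden"]),
        "suspicious_bin": int(bool(LOLBIN_RE.search(cmdline))),
        "suspicious_loc": int(bool(LOCATION_RE.search(cmdline))),
    }
    indicators["suspicion_score"] = sum(indicators.values())
    return indicators


if __name__ == "__main__":
    for label, xml_text in (("malicious", MALICIOUS_TASK_XML), ("benign", BENIGN_TASK_XML)):
        print(label, score_task(parse_task_xml(xml_text)))
```

The hidden, logon-triggered, ten-minute PowerShell task scores 6 while the daily vendor updater, which also runs as SYSTEM, scores 1, so the SYSTEM principal on its own is not a useful discriminator for 4698 events; in Sumo the same logic can be expressed with parse regex over the TaskContent field once the raw event is ingested with that field intact.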
References
- https://attack.mitre.org/techniques/T1053/005/
- https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/
- https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md
- https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events
- https://technet.microsoft.com/library/dd315590.aspx
- https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
- https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain
- https://learn.microsoft.com/en-us/windows/win32/taskschd/task-scheduler-start-page
- https://social.technet.microsoft.com/Forums/en-US/e5bca729-52e7-4fcb-ba12-3225c564674c/scheduled-tasks-history-retention-settings?forum=winserver8gen