Detect Scheduled Task/Job in CrowdStrike LogScale
Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Adversaries use task scheduling to execute programs at system startup or on a scheduled basis for persistence, to run processes under elevated account contexts (such as SYSTEM), and to potentially mask one-time execution under a trusted system process. Sub-techniques cover Windows Task Scheduler (T1053.005), the legacy AT command (T1053.002), Unix cron (T1053.003), macOS launchd (T1053.004), Linux systemd timers (T1053.006), and container orchestration jobs (T1053.007).
MITRE ATT&CK
- Technique
- T1053 Scheduled Task/Job
- Canonical reference
- https://attack.mitre.org/techniques/T1053/
LogScale Detection Query
// T1053 — Scheduled Task/Job: CrowdStrike Falcon LogScale detection
// Targets ProcessRollup2 events for schtasks.exe and at.exe with suspicious indicators
#event_simpleName in ["ProcessRollup2", "SyntheticProcessRollup2"]
| ImageFileName = /(?i)(\\schtasks\.exe$|\\at\.exe$)/
| CommandLine = /(?i)(\/create|\/change|-create|-change)/
| CommandLine = /(?i)(\/ru\s+system|nt\s+authority|appdata|\\temp\\|\\public\\|programdata|windows\\temp|powershell|wscript\.exe|cscript\.exe|mshta\.exe|regsvr32\.exe|rundll32\.exe|certutil\.exe|\/s\s+\S+|-encodedcommand|-enc\s|frombase64string)/
| RunAsSystem := if(CommandLine = /(?i)(\/ru\s+system|nt\s+authority\\\\system)/, "true", "false")
| SuspiciousPath := if(CommandLine = /(?i)(appdata|\\\\temp\\\\|\\\\public\\\\|programdata|windows\\\\temp)/, "true", "false")
| RemoteTask := if(CommandLine = /(?i)\/s\s+[a-zA-Z0-9\-_.]+/, "true", "false")
| ScriptExecution := if(CommandLine = /(?i)(powershell|wscript\.exe|cscript\.exe|mshta\.exe|regsvr32\.exe|rundll32\.exe|certutil\.exe)/, "true", "false")
| EncodedPayload := if(CommandLine = /(?i)(-encodedcommand|-enc\s|frombase64string)/, "true", "false")
| select([_time, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine, RunAsSystem, SuspiciousPath, RemoteTask, ScriptExecution, EncodedPayload])
| sort(field=_time, order=desc, limit=1000)CrowdStrike Falcon LogScale (CQL) detection for T1053 Scheduled Task/Job abuse. Queries ProcessRollup2 and SyntheticProcessRollup2 events for schtasks.exe or at.exe executions with a combined suspicious indicator filter, then enriches each result with per-dimension boolean fields (RunAsSystem, SuspiciousPath, RemoteTask, ScriptExecution, EncodedPayload) for analyst triage. Note: Event 4698 audit coverage requires a separate Falcon LogScale rule ingesting Windows Security event forwarding data via the winlog collector.
Data Sources
Required Tables
False Positives & Tuning
- CrowdStrike Falcon sensor itself and other CrowdStrike platform processes that invoke schtasks.exe during sensor updates, policy enforcement, or prevention policy application
- Large-scale enterprise orchestration tools (Terraform, Ansible, Salt) executing under domain admin or SYSTEM credentials that schedule PowerShell-based tasks on remote hosts using the /s flag against known management servers
- Software packaging and CI/CD pipelines invoking schtasks.exe to register post-install hooks or test fixture teardown tasks pointing to TEMP paths on developer or build agent machines
Other platforms for T1053
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Create Scheduled Task Running as SYSTEM at Startup
Expected signal: Sysmon Event ID 1: schtasks.exe with CommandLine containing '/create', '/ru SYSTEM', '/sc onstart', and '/f'. Security Event ID 4698 in Windows Security log with TaskName=\Microsoft\Windows\df00tech-test and TaskPrincipal referencing SYSTEM (S-1-5-18). TaskScheduler Operational Event ID 106 (task registered). Task XML created at C:\Windows\System32\Tasks\Microsoft\Windows\df00tech-test.
- Test 2Scheduled Task with PowerShell Encoded Command Payload
Expected signal: Sysmon Event ID 1: powershell.exe executing Register-ScheduledTask via ScheduledTasks module. Security Event ID 4698 with TaskName=df00tech-encoded-test and Action Command=powershell.exe with '-EncodedCommand' in Arguments. TaskScheduler Operational Event ID 106. Task XML in C:\Windows\System32\Tasks\df00tech-encoded-test with Hidden=true and encoded argument visible in task XML.
- Test 3Remote Scheduled Task Creation via schtasks /s
Expected signal: Sysmon Event ID 1: schtasks.exe with CommandLine containing '/s 127.0.0.1' and '/create'. Sysmon Event ID 3: outbound network connection to 127.0.0.1 on port 445 (SMB) or 135 (RPC/DCOM) for remote task registration. Security Event ID 4648 (logon with explicit credentials) if /u and /p are provided. Security Event ID 4698 on the target for the new task.
- Test 4Linux Crontab Persistence — Download and Execute Pattern
Expected signal: Auditd: openat/write syscall to /var/spool/cron/crontabs/<username> or /tmp/crontab.XXXXXX (temp file used by crontab command). Process creation for 'crontab' binary with '-' as argument (reading from stdin). After 5 minutes: crond/cron spawns /bin/bash with the -c argument, creating /tmp/df00tech-cron-out.txt. Syslog shows cron job execution: 'CRON[PID]: (user) CMD (/bin/bash -c ...'.
- Test 5Scheduled Task via XML Import — Masquerading as Windows Component
Expected signal: Sysmon Event ID 1: schtasks.exe with CommandLine containing '/xml' and task name under \Microsoft\Windows\WindowsDefender\. Sysmon Event ID 11: XML file creation in %TEMP%. Security Event ID 4698 with full task XML in EventData — shows Hidden=true, 5-minute repeating trigger, and cmd.exe action. TaskScheduler Operational Event 106. Task XML persisted at C:\Windows\System32\Tasks\Microsoft\Windows\WindowsDefender\df00tech-DefenderUpdate.
References (12)
- https://attack.mitre.org/techniques/T1053/
- https://docs.microsoft.com/en-us/windows/win32/taskschd/task-scheduler-start-page
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4698
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/taskscheduler
- https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain
- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
- https://research.nccgroup.com/2021/01/12/abusing-task-scheduler-for-persistence/
- https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
- https://www.mandiant.com/resources/blog/apt41-us-state-governments
- https://technet.microsoft.com/en-us/library/cc785125.aspx
Unlock Pro Content
Get the full detection package for T1053 including response playbook, investigation guide, and atomic red team tests.