Detect Scheduled Task/Job in Splunk
Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Adversaries use task scheduling to execute programs at system startup or on a scheduled basis for persistence, to run processes under elevated account contexts (such as SYSTEM), and to potentially mask one-time execution under a trusted system process. Sub-techniques cover Windows Task Scheduler (T1053.005), the legacy AT command (T1053.002), Unix cron (T1053.003), macOS launchd (T1053.004), Linux systemd timers (T1053.006), and container orchestration jobs (T1053.007).
MITRE ATT&CK
- Technique
- T1053 Scheduled Task/Job
- Canonical reference
- https://attack.mitre.org/techniques/T1053/
SPL Detection Query
// T1053 — Scheduled Task/Job: Multi-source SPL detection
(
(index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(Image="*\\schtasks.exe" OR Image="*\\at.exe"))
OR
(index=wineventlog sourcetype="WinEventLog:Security" EventCode=4698)
)
| eval source_branch=case(
sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "schtasks_sysmon",
sourcetype="WinEventLog:Security" AND EventCode=4698, "task_created_4698",
true(), "unknown"
)
| eval RawText=coalesce(CommandLine, Message, "")
| eval RawTextLower=lower(RawText)
| eval RunAsSystem=if(
match(RawTextLower, "(/ru\s+system|/ru\s+\"nt authority|<userid>s-1-5-18</userid>|userid.*system)"),
1, 0
)
| eval SuspiciousPath=if(
match(RawTextLower, "(appdata|\\\\temp\\\\|\\\\tmp\\\\|\\\\public\\\\|c:\\\\programdata\\\\|users\\\\public)"),
1, 0
)
| eval RemoteTask=if(
match(RawTextLower, "/s\s+[a-z0-9\-_\.]+"),
1, 0
)
| eval ScriptExecution=if(
match(RawTextLower, "(powershell|wscript\.exe|cscript\.exe|mshta\.exe|regsvr32\.exe|rundll32\.exe|cmd\.exe|certutil\.exe)"),
1, 0
)
| eval EncodedPayload=if(
match(RawTextLower, "(-encodedcommand|-enc\s|-e\s|-ec\s|frombase64string)"),
1, 0
)
| eval IsTaskCreationEvent=if(EventCode=4698, 1, 0)
| eval SuspicionScore=RunAsSystem + SuspiciousPath + RemoteTask + ScriptExecution + EncodedPayload + IsTaskCreationEvent
| where SuspicionScore > 0
| eval TaskName=coalesce(
mvindex(split(RawText, "Task Name:"), 1),
""
)
| table
_time, host, User, source_branch,
Image, CommandLine, ParentImage, ParentCommandLine,
EventCode, TaskName,
RunAsSystem, SuspiciousPath, RemoteTask, ScriptExecution, EncodedPayload, IsTaskCreationEvent,
SuspicionScore
| sort - _timeMulti-source SPL detection for T1053 Scheduled Task/Job. Combines Sysmon Event ID 1 process creation for schtasks.exe and at.exe with Windows Security Event 4698 (task created). Applies a unified scoring model across both sources: SYSTEM run-as context, suspicious filesystem paths (AppData, Temp, Public), remote task creation (/s flag), scripting engine invocations (PowerShell, wscript, mshta, regsvr32, rundll32), and Base64/encoded payload indicators. A source_branch field identifies which detection path fired, and SuspicionScore helps analysts prioritize multi-indicator alerts. The IsTaskCreationEvent field flags all 4698 events regardless of other indicators, ensuring audit-log-based task creation is always surfaced for review.
Data Sources
Required Sourcetypes
False Positives & Tuning
- IT automation and configuration management tools (SCCM/CCMExec, Intune, Ansible WinRM) creating scheduled tasks for software deployment, patching, and policy enforcement
- Monitoring and observability agents (Datadog, SolarWinds, Nagios, Elastic Agent) scheduling periodic data collection or health check tasks with actions in ProgramData or similar directories
- Legitimate software products creating update or maintenance tasks at installation time (Adobe, Chrome, Java, antivirus products)
- System administrators creating administrative maintenance scripts scheduled as SYSTEM for disk cleanup, log archival, certificate renewal, or backup operations
- Development and CI/CD pipelines on build agents creating tasks as part of automated test execution or environment setup
Other platforms for T1053
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Create Scheduled Task Running as SYSTEM at Startup
Expected signal: Sysmon Event ID 1: schtasks.exe with CommandLine containing '/create', '/ru SYSTEM', '/sc onstart', and '/f'. Security Event ID 4698 in Windows Security log with TaskName=\Microsoft\Windows\df00tech-test and TaskPrincipal referencing SYSTEM (S-1-5-18). TaskScheduler Operational Event ID 106 (task registered). Task XML created at C:\Windows\System32\Tasks\Microsoft\Windows\df00tech-test.
- Test 2Scheduled Task with PowerShell Encoded Command Payload
Expected signal: Sysmon Event ID 1: powershell.exe executing Register-ScheduledTask via ScheduledTasks module. Security Event ID 4698 with TaskName=df00tech-encoded-test and Action Command=powershell.exe with '-EncodedCommand' in Arguments. TaskScheduler Operational Event ID 106. Task XML in C:\Windows\System32\Tasks\df00tech-encoded-test with Hidden=true and encoded argument visible in task XML.
- Test 3Remote Scheduled Task Creation via schtasks /s
Expected signal: Sysmon Event ID 1: schtasks.exe with CommandLine containing '/s 127.0.0.1' and '/create'. Sysmon Event ID 3: outbound network connection to 127.0.0.1 on port 445 (SMB) or 135 (RPC/DCOM) for remote task registration. Security Event ID 4648 (logon with explicit credentials) if /u and /p are provided. Security Event ID 4698 on the target for the new task.
- Test 4Linux Crontab Persistence — Download and Execute Pattern
Expected signal: Auditd: openat/write syscall to /var/spool/cron/crontabs/<username> or /tmp/crontab.XXXXXX (temp file used by crontab command). Process creation for 'crontab' binary with '-' as argument (reading from stdin). After 5 minutes: crond/cron spawns /bin/bash with the -c argument, creating /tmp/df00tech-cron-out.txt. Syslog shows cron job execution: 'CRON[PID]: (user) CMD (/bin/bash -c ...'.
- Test 5Scheduled Task via XML Import — Masquerading as Windows Component
Expected signal: Sysmon Event ID 1: schtasks.exe with CommandLine containing '/xml' and task name under \Microsoft\Windows\WindowsDefender\. Sysmon Event ID 11: XML file creation in %TEMP%. Security Event ID 4698 with full task XML in EventData — shows Hidden=true, 5-minute repeating trigger, and cmd.exe action. TaskScheduler Operational Event 106. Task XML persisted at C:\Windows\System32\Tasks\Microsoft\Windows\WindowsDefender\df00tech-DefenderUpdate.
References (12)
- https://attack.mitre.org/techniques/T1053/
- https://docs.microsoft.com/en-us/windows/win32/taskschd/task-scheduler-start-page
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4698
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/taskscheduler
- https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain
- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
- https://research.nccgroup.com/2021/01/12/abusing-task-scheduler-for-persistence/
- https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
- https://www.mandiant.com/resources/blog/apt41-us-state-governments
- https://technet.microsoft.com/en-us/library/cc785125.aspx
Unlock Pro Content
Get the full detection package for T1053 including response playbook, investigation guide, and atomic red team tests.