The Windows built-in tool schtasks.exe provides the creation, modification, and running of scheduled tasks on a local or remote computer. It is provided as a more flexible alternative to at.exe, described in CAR-2013-05-004. Although used by adversaries, the tool is also legitimately used by administrators, scripts, and software configurations. The scheduled tasks tool can be used to gain Persistence and can be used in combination with a Lateral Movement technique to remotely gain execution. Additionally, the command has parameters to specify the user and password responsible for creating the task, as well as the user and password combination that the task will run as. The /s flag will cause a task to run as the SYSTEM user, usually indicating privilege escalation.
| Technique | Tactic | Level of Coverage |
|---|---|---|
Data Model References
Look for instances of schtasks.exe running as processes. The command_line field is necessary to disambiguate between types of schtasks commands. These include the flags /create, /run, /query, /delete, /change, and /end, which the DNIF query below matches on.
```
process = search Process:Create
schtasks = filter process where (exe == "schtasks.exe")
output schtasks
```
DNIF, Sysmon native

DNIF version of the above pseudocode.

```
_fetch * from event where $LogName=WINDOWS-SYSMON AND $EventID=1 AND $App=schtasks.exe AND $Process=regex(.*(\/create|\/run|\/query|\/delete|\/change|\/end).*)i limit 100
```
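As an added worked example (not part of the CAR analytic or the DNIF query above), the following Python applies the same logic to a handful of constructed Sysmon Event ID 1 records: it keeps process-creation events whose image is schtasks.exe, applies the analytic's action-flag regex to the command line, and pulls out the /TN, /TR, /RU and /S values an analyst wants first when triaging a hit. Field names follow Sysmon's; the sample records, the account names, and the task names in them are constructed, and record 0 is the command from Test Case 1 below.

```python
import re
import shlex
from typing import Dict, Iterable, List, Optional

# The action flags named in the analytic; IGNORECASE mirrors the trailing "i"
# in the DNIF query so "/Create" and "/create" both match.
SCHTASKS_ACTION = re.compile(r"/(create|run|query|delete|change|end)\b", re.IGNORECASE)

# Constructed Sysmon Event ID 1 (process creation) records using Sysmon's own
# field names. Record 0 is the Test Case 1 command; the others are constructed
# negatives plus one variant with quoted arguments and a run-as account.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "1", "Image": r"C:\Windows\System32\schtasks.exe", "User": "LAB\\admin",
     "CommandLine": r"schtasks /Create /SC ONCE /ST 19:00 /TR C:\Windows\System32\calc.exe /TN calctask"},
    {"EventID": "1", "Image": r"C:\Windows\System32\schtasks.exe", "User": "LAB\\admin",
     "CommandLine": r"schtasks /Delete /TN calctask"},
    # help text only: schtasks.exe ran, but with no action flag, so the regex does not match
    {"EventID": "1", "Image": r"C:\Windows\System32\schtasks.exe", "User": "LAB\\admin",
     "CommandLine": r"schtasks /?"},
    # the scheduled program itself starting: the image is not schtasks.exe
    {"EventID": "1", "Image": r"C:\Windows\System32\calc.exe", "User": "LAB\\admin",
     "CommandLine": r"C:\Windows\System32\calc.exe"},
    # wrong event type (Sysmon ID 3 is a network connection, not process creation)
    {"EventID": "3", "Image": r"C:\Windows\System32\schtasks.exe", "User": "LAB\\admin",
     "CommandLine": ""},
    # quoted arguments and a run-as account (constructed task and program names)
    {"EventID": "1", "Image": r"C:\Windows\System32\schtasks.exe", "User": "LAB\\admin",
     "CommandLine": r'schtasks /Create /SC DAILY /TN "Updater" /TR "C:\Program Files\updater.exe" /RU SYSTEM'},
]


def image_basename(image: str) -> str:
    """File name of a Windows image path, lower-cased so the exe comparison is case-insensitive."""
    return image.rsplit("\\", 1)[-1].lower()


def schtasks_action(command_line: str) -> Optional[str]:
    """The schtasks sub-command (create, run, query, delete, change, end) on the command line, or None."""
    m = SCHTASKS_ACTION.search(command_line)
    return m.group(1).lower() if m else None


def schtasks_parameters(command_line: str) -> Dict[str, str]:
    """Collect the values following /TN (task name), /TR (program the task runs),
    /RU (account the task runs as) and /S (the flag the description above calls out).
    shlex in non-POSIX mode keeps backslashes literal and groups quoted arguments."""
    tokens = shlex.split(command_line, posix=False)
    wanted = {"/tn", "/tr", "/ru", "/s"}
    found: Dict[str, str] = {}
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() in wanted:
            found[tok.lower().lstrip("/")] = tokens[i + 1].strip('"')
    return found


def find_schtasks_events(events: Iterable[Dict[str, str]]) -> List[Dict[str, object]]:
    """The analytic's pseudocode: Process:Create events whose exe is schtasks.exe,
    narrowed (as the DNIF query does) to those carrying one of the action flags."""
    hits: List[Dict[str, object]] = []
    for ev in events:
        if ev.get("EventID") != "1":
            continue
        if image_basename(ev.get("Image", "")) != "schtasks.exe":
            continue
        cl = ev.get("CommandLine", "")
        action = schtasks_action(cl)
        if action is None:
            continue
        hits.append({"user": ev.get("User", ""), "action": action,
                     "command_line": cl, "params": schtasks_parameters(cl)})
    return hits


if __name__ == "__main__":
    for hit in find_schtasks_events(SAMPLE_EVENTS):
        print(f"{hit['user']}: schtasks /{hit['action']} {hit['params']}")
```

Running the block prints one line per hit; on the sample set that is the Test Case 1 creation, its deletion, and the quoted-argument creation, while the help invocation, the task's own program start, and the network event are dropped. Matching on the image basename rather than the full path keeps the check aligned with the pseudocode's `exe == "schtasks.exe"` while still catching a copy run from another directory.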
Test Case 1
Configurations: Windows 7
Create a new scheduled task with schtasks.exe and verify the analytic fires when the task executes.
- From an admin account, open Windows command prompt (right click, run as administrator)
- Execute schtasks /Create /SC ONCE /ST 19:00 /TR C:\Windows\System32\calc.exe /TN calctask, substituting a time in the near future for 19:00
- The program should respond with “SUCCESS: The scheduled task “calctask” has successfully been created.”
- The program should execute at the time specified. This is what the analytic should fire on.
- To remove the scheduled task, execute schtasks /Delete /TN calctask.
- The program should respond with “SUCCESS: The scheduled task “calctask” was successfully deleted.”