The Windows built-in tool schtasks.exe provides the creation, modification, and running of scheduled tasks on a local or remote computer. It is provided as a more flexible alternative to at.exe, described in CAR-2013-05-004. Although used by adversaries, the tool is also legitimately used by administrators, scripts, and software configurations. The scheduled tasks tool can be used to gain Persistence and can be used in combination with a Lateral Movement technique to remotely gain execution. Additionally, the command has parameters to specify the user and password responsible for creating the task, as well as the user and password combination that the task will run as. The /s flag specifies the remote system on which the task should be scheduled, usually indicating Lateral Movement.

ATT&CK Detection

Technique Subtechnique(s) Tactic(s) Level of Coverage
Scheduled Task/Job Scheduled Task Persistence Moderate

Data Model References

Object Action Field
process create exe
process create command_line

Implementations

Pseudocode

Look for instances of schtasks.exe running as processes. The command_line field is necessary to disambiguate between types of schtasks commands. These include the flags /create, /run, /query, /delete, /change, and /end.

process = search Process:Create
schtasks = filter process where (exe == "schtasks.exe")
output schtasks

Dnif, Sysmon native

DNIF version of the above pseudocode.

_fetch * from event where $LogName=WINDOWS-SYSMON AND $EventID=1 AND $App=schtasks.exe AND $Process=regex(.*(\/create|\/run|\/query|\/delete|\/change|\/end).*)i limit 100

Unit Tests

Test Case 1

Configurations: Windows 7

Create a new scheduled task with schtasks.exe and verify the analytic fires when the task executes.

  • From an admin account, open Windows command prompt (right click, run as administrator)
  • Execute schtasks /Create /SC ONCE /ST 19:00 /TR C:\Windows\System32\calc.exe /TN calctask, substituting a time in the near future for 19:00
  • The program should respond with “SUCCESS: The scheduled task “calctask” has successfully been created.”
  • The program should execute at the time specified. This is what the analytic should fire on.
  • To remove the scheduled task, execute schtasks /Delete /TN calctask.
  • The program should respond with “SUCCESS: The scheduled task “calctask” was successfully deleted.”
schtasks /Create /SC ONCE /ST 19:00 /TR C:\Windows\System32\calc.exe /TN calctask
schtasks /Delete /TN calctask