To gain persistence, escalate privileges, or execute code remotely, an adversary may use the Windows Task Scheduler to schedule a command to run at a specified time and date, including on a remote host. Task Scheduler stores registered tasks as files in two locations: C:\Windows\Tasks (legacy .job files) and C:\Windows\System32\Tasks (task XML). Accordingly, this analytic looks for the creation of files in those two directories. Because the Task Scheduler service itself runs inside svchost.exe and writes the file for every task registered through schtasks.exe or the scheduling API, the implementations below exclude svchost.exe as the creating process; what remains is a task file written directly by some other process, which is not how legitimate software registers tasks. The same exclusion means a task registered through the service is not surfaced by this analytic.

ATT&CK Detections

Technique          | Subtechnique(s) | Tactic(s)                                    | Level of Coverage
Scheduled Task/Job | Scheduled Task  | Execution, Persistence, Privilege Escalation | Low

D3FEND Techniques

ID     | Name
D3-FCA | File Creation Analysis

Data Model References

Object | Action | Field
file   | create | file_path
file   | create | image_path

Implementations

Pseudocode - Windows task file creation (Pseudocode, CAR native)

This is a pseudocode representation of the Splunk search below.

files = search File:Create
task_files = filter files where (
  (file_path = "C:\Windows\System32\Tasks\*" or file_path = "C:\Windows\Tasks\*")  and
  image_path != "C:\WINDOWS\system32\svchost.exe")
output task_files

Splunk search - Windows task file creation (Splunk, Sysmon native)

This Splunk search looks for any files created under the Windows tasks directories.

index=__your_sysmon_index__ EventCode=11 Image!="C:\\WINDOWS\\system32\\svchost.exe" (TargetFilename="C:\\Windows\\System32\\Tasks\\*" OR TargetFilename="C:\\Windows\\Tasks\\*")

LogPoint search - Windows task file creation (Logpoint, LogPoint native)

This LogPoint search looks for any files created under the Windows tasks directories.

norm_id=WindowsSysmon event_id=11 -source_image="C:\WINDOWS\system32\svchost.exe" (path="C:\Windows\System32\Tasks*" OR path="C:\Windows\Tasks*")
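The following is an added example, not part of the CAR analytic or any of its listed implementations: it replays the same three conditions (Sysmon Event ID 11, target under one of the two task directories, creating image other than svchost.exe) over a handful of constructed Sysmon records. The records are made up for this illustration and assume the Sysmon fields have already been extracted into a dict; they are not real telemetry. The sample set includes the case the svchost.exe exclusion suppresses (a task registered through the service) alongside the direct writes the analytic is meant to surface, so the output shows both what is and what is not caught.

```python
"""Replay the 'Windows task file creation' analytic over Sysmon FileCreate events.

Added example, not code from the CAR page. The events below are constructed
to resemble Sysmon Event ID 11 records after field extraction.
"""
from pathlib import PureWindowsPath

# Directories the analytic watches: legacy .job files and task XML respectively.
TASK_DIRS = (
    PureWindowsPath(r"C:\Windows\Tasks"),
    PureWindowsPath(r"C:\Windows\System32\Tasks"),
)

# The Task Scheduler service runs inside svchost.exe and writes the file for
# every task registered via schtasks.exe or the API, so the analytic excludes it.
EXCLUDED_IMAGES = (PureWindowsPath(r"C:\Windows\System32\svchost.exe"),)

# Constructed sample events (assumption: Sysmon fields parsed into a dict).
SAMPLE_EVENTS = [
    # 1. Task registered with schtasks.exe: the service writes the file, so suppressed.
    {"EventCode": 11, "Image": r"C:\WINDOWS\system32\svchost.exe",
     "TargetFilename": r"C:\Windows\System32\Tasks\Updater"},
    # 2. Task XML dropped directly by PowerShell: flagged.
    {"EventCode": 11,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Windows\System32\Tasks\Updater"},
    # 3. Legacy .job file written into the old Tasks folder by an unknown binary: flagged.
    {"EventCode": 11, "Image": r"C:\Users\alice\AppData\Local\Temp\dropper.exe",
     "TargetFilename": r"C:\WINDOWS\Tasks\At1.job"},
    # 4. A folder merely named 'Tasks' outside the watched paths: ignored.
    {"EventCode": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Desktop\Tasks\notes.txt"},
    # 5. Not a FileCreate event at all (process creation): ignored.
    {"EventCode": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": "schtasks /create /tn Updater /tr calc.exe /sc minute"},
]


def in_task_dir(target):
    """True if target sits strictly below one of the watched directories.

    PureWindowsPath compares case-insensitively, which mirrors the
    case-insensitive wildcard match the Splunk and LogPoint searches rely on.
    """
    parents = PureWindowsPath(target).parents
    return any(d in parents for d in TASK_DIRS)


def matches_analytic(event):
    """Apply the analytic's three conditions to one parsed Sysmon event."""
    if event.get("EventCode") != 11:
        return False
    if PureWindowsPath(event.get("Image", "")) in EXCLUDED_IMAGES:
        return False
    return in_task_dir(event.get("TargetFilename", ""))


def task_file_creations(events):
    """Return (Image, TargetFilename) for every event the analytic would output."""
    return [(e["Image"], e["TargetFilename"]) for e in events if matches_analytic(e)]


if __name__ == "__main__":
    for image, target in task_file_creations(SAMPLE_EVENTS):
        print(f"task file created by {image}: {target}")
```

Running it prints the PowerShell and dropper.exe writes only; the svchost.exe write from the schtasks.exe registration is silently dropped, which is the gap a practitioner should cover with a second data source before relying on this analytic alone.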