In order to gain persistence, privilege escalation, or remote execution, an adversary may use the Windows Task Scheduler to schedule a command to be run at a specified time, date, and even host. Task Scheduler stores tasks as files in two locations: C:\Windows\Tasks (legacy) and C:\Windows\System32\Tasks. Accordingly, this analytic looks for the creation of task files in these two locations.
| Technique | Subtechnique(s) | Tactic(s) | Level of Coverage |
|---|---|---|---|
| Scheduled Task/Job | Scheduled Task | Execution, Persistence, Privilege Escalation | Low |
Data Model References
Pseudocode - Windows task file creation (Pseudocode, CAR native)
This is a pseudocode representation of the Splunk search below.

```
files = search File:Create
task_files = filter files where (
    (file_path = "C:\Windows\System32\Tasks\*" or file_path = "C:\Windows\Tasks\*")
    and image_path != "C:\WINDOWS\system32\svchost.exe")
output task_files
```
Splunk search - Windows task file creation (Splunk, Sysmon native)
This Splunk search looks for any files created under the Windows tasks directories.
```
index=__your_sysmon_index__ EventCode=11 Image!="C:\\WINDOWS\\system32\\svchost.exe" (TargetFilename="C:\\Windows\\System32\\Tasks\\*" OR TargetFilename="C:\\Windows\\Tasks\\*")
```
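The pseudocode and the Splunk search above express the same filter; the following is an added example (not CAR's own code) that implements it in Python over a handful of constructed Sysmon Event ID 11 records, so the logic can be tested offline before it is deployed in a SIEM. The tab-separated `key=value` log format, the helper names (`parse_sysmon_line`, `is_task_file_creation`, `run_analytic`) and every event in `SAMPLE_LOG` are assumptions made for the example; matching is case-insensitive to mirror Splunk's `field=value` comparison.

```python
import fnmatch
from typing import Dict, List, Tuple

# Task file locations named in the analytic (legacy and current).
TASK_DIR_PATTERNS = [
    r"C:\Windows\System32\Tasks\*",
    r"C:\Windows\Tasks\*",
]

# The Task Scheduler service is hosted in svchost.exe and writes task files
# itself on every ordinary task registration, so the analytic excludes that image.
EXCLUDED_IMAGE = r"C:\WINDOWS\system32\svchost.exe"


def parse_sysmon_line(line: str) -> Dict[str, str]:
    """Parse one constructed tab-separated 'key=value' rendering of a Sysmon event.
    Assumption for this example: EventCode, Image and TargetFilename are present."""
    fields: Dict[str, str] = {}
    for part in line.split("\t"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def is_task_file_creation(event: Dict[str, str]) -> bool:
    """Mirror of the pseudocode: a FileCreate (Sysmon EventCode 11) under one of the
    task directories by any image other than svchost.exe."""
    if event.get("EventCode") != "11":
        return False
    image = event.get("Image", "").lower()
    target = event.get("TargetFilename", "").lower()
    if image == EXCLUDED_IMAGE.lower():
        return False
    # fnmatchcase treats backslashes literally and '*' as a wildcard, like the search.
    return any(fnmatch.fnmatchcase(target, pattern.lower()) for pattern in TASK_DIR_PATTERNS)


def run_analytic(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (Image, TargetFilename) for every record the analytic flags."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        event = parse_sysmon_line(line)
        if is_task_file_creation(event):
            hits.append((event["Image"], event["TargetFilename"]))
    return hits


# Constructed sample records, not real telemetry.
SAMPLE_LOG = [
    # Task Scheduler service writing a built-in task: excluded by the svchost filter.
    "EventCode=11\tImage=C:\\WINDOWS\\system32\\svchost.exe\tTargetFilename=C:\\Windows\\System32\\Tasks\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
    # Some other process dropping a task XML directly into the tasks directory: flagged.
    "EventCode=11\tImage=C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe\tTargetFilename=C:\\Windows\\System32\\Tasks\\Updater",
    # Legacy .job file written under C:\Windows\Tasks: flagged.
    "EventCode=11\tImage=C:\\Windows\\explorer.exe\tTargetFilename=C:\\Windows\\Tasks\\At1.job",
    # Process creation event, not a file creation: ignored.
    "EventCode=1\tImage=C:\\Windows\\System32\\schtasks.exe\tTargetFilename=",
    # File creation outside the task directories: ignored.
    "EventCode=11\tImage=C:\\Windows\\System32\\notepad.exe\tTargetFilename=C:\\Users\\alice\\notes.txt",
]

if __name__ == "__main__":
    for image, target in run_analytic(SAMPLE_LOG):
        print(f"task file created by {image}: {target}")
```

The svchost.exe exclusion is what keeps the coverage level "Low": a task registered through the normal Task Scheduler API (schtasks.exe, the COM interface, or PowerShell cmdlets) is written to disk by the Schedule service inside svchost.exe and therefore never matches, so the analytic only surfaces task files written into these directories by some other process. Pair it with process-level monitoring of schtasks.exe and task-registration event logs if broader coverage of the technique is wanted.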