EXPLORE
Sign In
← Back to Explore
splunk_escuTTP

WinEvent Scheduled Task Created to Spawn Shell

The following analytic detects the creation of scheduled tasks designed to execute commands using native Windows shells like PowerShell, Cmd, Wscript, or Cscript. It leverages Windows Security EventCode 4698 to identify when such tasks are registered. This activity is significant as it may indicate an attempt to establish persistence or execute malicious commands on a system. If confirmed malicious, this could allow an attacker to maintain access, execute arbitrary code, or escalate privileges, posing a severe threat to the environment.

MITRE ATT&CK

T1053.005
executionpersistenceprivilege-escalation

Detection Query

`wineventlog_security` EventCode=4698 TaskContent IN ("*powershell.exe*", "*wscript.exe*", "*cscript.exe*", "*cmd.exe*", "*sh.exe*", "*ksh.exe*", "*zsh.exe*", "*bash.exe*", "*scrcons.exe*", "*pwsh.exe*")
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY Computer, TaskName, TaskContent
  | rename Computer as dest
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `winevent_scheduled_task_created_to_spawn_shell_filter`

Author

Michael Haag, Splunk

Created

2026-03-10

Data Sources

Windows Event Log Security 4698

References

Tags

CISA AA22-257AChina-Nexus Threat ActivityCompromised Windows HostMedusa RansomwareRansomwareRyuk RansomwareSalt TyphoonScheduled TasksSystemBCWindows Error Reporting Service Elevation of Privilege VulnerabilityWindows Persistence TechniquesWinter Vivern0bj3ctivity StealerCastle RAT
Raw Content
name: WinEvent Scheduled Task Created to Spawn Shell
id: 203ef0ea-9bd8-11eb-8201-acde48001122
version: 18
date: '2026-03-10'
author: Michael Haag, Splunk
status: production
type: TTP
description: The following analytic detects the creation of scheduled tasks designed to execute commands using native Windows shells like PowerShell, Cmd, Wscript, or Cscript. It leverages Windows Security EventCode 4698 to identify when such tasks are registered. This activity is significant as it may indicate an attempt to establish persistence or execute malicious commands on a system. If confirmed malicious, this could allow an attacker to maintain access, execute arbitrary code, or escalate privileges, posing a severe threat to the environment.
data_source:
    - Windows Event Log Security 4698
search: |-
    `wineventlog_security` EventCode=4698 TaskContent IN ("*powershell.exe*", "*wscript.exe*", "*cscript.exe*", "*cmd.exe*", "*sh.exe*", "*ksh.exe*", "*zsh.exe*", "*bash.exe*", "*scrcons.exe*", "*pwsh.exe*")
      | stats count min(_time) as firstTime max(_time) as lastTime
        BY Computer, TaskName, TaskContent
      | rename Computer as dest
      | `security_content_ctime(firstTime)`
      | `security_content_ctime(lastTime)`
      | `winevent_scheduled_task_created_to_spawn_shell_filter`
how_to_implement: To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4698 EventCode enabled. The Windows TA is also required.
known_false_positives: False positives are possible if legitimate applications are allowed to register tasks that call a shell to be spawned. Filter as needed based on command-line or processes that are used legitimately.
references:
    - https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/
    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4698
    - https://redcanary.com/threat-detection-report/techniques/scheduled-task-job/
    - https://docs.microsoft.com/en-us/windows/win32/taskschd/time-trigger-example--scripting-?redirectedfrom=MSDN
drilldown_searches:
    - name: View the detection results for - "$dest$"
      search: '%original_detection_search% | search  dest = "$dest$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$dest$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: 'A Windows Scheduled Task was created (task name=$TaskName$) on $dest$ with the following contents: $TaskContent$'
    risk_objects:
        - field: dest
          type: system
          score: 50
    threat_objects: []
tags:
    analytic_story:
        - CISA AA22-257A
        - China-Nexus Threat Activity
        - Compromised Windows Host
        - Medusa Ransomware
        - Ransomware
        - Ryuk Ransomware
        - Salt Typhoon
        - Scheduled Tasks
        - SystemBC
        - Windows Error Reporting Service Elevation of Privilege Vulnerability
        - Windows Persistence Techniques
        - Winter Vivern
        - 0bj3ctivity Stealer
        - Castle RAT
    asset_type: Endpoint
    mitre_attack_id:
        - T1053.005
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/winevent_scheduled_task_created_to_spawn_shell/windows-xml.log
          source: XmlWinEventLog:Security
          sourcetype: XmlWinEventLog