EXPLORE
Sign In
← Back to Explore
splunk_escuAnomaly

Scheduled Task Deleted Or Created via CMD

The following analytic detects the creation or deletion of scheduled tasks via schtasks.exe when invoked with create or delete flags, specifically focusing on those executions where the process includes additional parameters such as /tr, /sc, or /ru. The detection uses Endpoint Detection and Response (EDR) telemetry mapped to the Endpoint data model, and filters out events originating from trusted system paths like C:\Windows\System32 or C:\Program Files. It further narrows results to cases where schtasks.exe is launched by potentially suspicious parent processes such as cmd.exe, wscript.exe, or cscript.exe, and excludes service accounts. This behavior may indicate adversary efforts to gain persistence or evade detection by manipulating scheduled tasks using scripts or command shells. If confirmed malicious, such activity could lead to unauthorized code execution or the removal of monitoring mechanisms on endpoints.

MITRE ATT&CK

T1053.005
executionpersistenceprivilege-escalation

Detection Query

| tstats `security_content_summariesonly`
    count
    min(_time) as firstTime
    max(_time) as lastTime
FROM datamodel=Endpoint.Processes WHERE

Processes.parent_process_name="cmd.exe"
Processes.process_name="schtasks.exe"
Processes.process IN (
    "*/create*",
    "*-create*",
    "*/delete*",
    "*-delete*"
)
NOT Processes.process IN (
    "* \"C:\\Program Files (x86)\\*",
    "* \"C:\\Program Files\\*",
    "* \"C:\\Windows\\System32\\*",
    "* \"C:\\Windows\\SysWOW64\\*",
    "* C:\\Program Files (x86)\\*",
    "* C:\\Program Files\\*",
    "* C:\\Windows\\System32\\*",
    "* C:\\Windows\\SysWOW64\\*"
)
NOT Processes.user="*$"

BY Processes.action Processes.dest Processes.original_file_name
   Processes.parent_process Processes.parent_process_exec
   Processes.parent_process_guid Processes.parent_process_id
   Processes.parent_process_name Processes.parent_process_path
   Processes.process Processes.process_exec Processes.process_guid
   Processes.process_hash Processes.process_id Processes.process_integrity_level
   Processes.process_name Processes.process_path Processes.user
   Processes.user_id Processes.vendor_product

| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `scheduled_task_deleted_or_created_via_cmd_filter`

Author

Bhavin Patel, Splunk

Created

2026-03-26

Data Sources

Sysmon EventID 1Windows Event Log Security 4688CrowdStrike ProcessRollup2

References

Tags

SolarWinds WHD RCE Post ExploitationShrinkLockerAgentTeslaCISA AA24-241AWinter VivernQuasar RATRhysida RansomwareSandworm ToolsDarkCrystal RATQakbotChina-Nexus Threat ActivityXWormCISA AA23-347AAzorultLiving Off The LandSalt TyphoonTrickbotNOBELIUM GroupCISA AA22-257AMedusa RansomwarePhemedrone StealerNjRATDHS Report TA18-074AScheduled TasksPrestige RansomwareAmadeyAsyncRATRedLine StealerWindows Persistence TechniquesMoonPeakScattered Spider0bj3ctivity StealerAPT37 Rustonotto and FadeStealerLokibotNetSupport RMM Tool AbuseValleyRATPlugXRemcos
Raw Content
name: Scheduled Task Deleted Or Created via CMD
id: d5af132c-7c17-439c-9d31-13d55340f36c
version: 26
date: '2026-03-26'
author: Bhavin Patel, Splunk
status: production
type: Anomaly
description: The following analytic detects the creation or deletion of scheduled tasks via schtasks.exe when invoked with create or delete flags, specifically focusing on those executions where the process includes additional parameters such as /tr, /sc, or /ru. The detection uses Endpoint Detection and Response (EDR) telemetry mapped to the Endpoint data model, and filters out events originating from trusted system paths like C:\Windows\System32 or C:\Program Files. It further narrows results to cases where schtasks.exe is launched by potentially suspicious parent processes such as cmd.exe, wscript.exe, or cscript.exe, and excludes service accounts. This behavior may indicate adversary efforts to gain persistence or evade detection by manipulating scheduled tasks using scripts or command shells. If confirmed malicious, such activity could lead to unauthorized code execution or the removal of monitoring mechanisms on endpoints.
data_source:
    - Sysmon EventID 1
    - Windows Event Log Security 4688
    - CrowdStrike ProcessRollup2
search: |
    | tstats `security_content_summariesonly`
        count
        min(_time) as firstTime
        max(_time) as lastTime
    FROM datamodel=Endpoint.Processes WHERE

    Processes.parent_process_name="cmd.exe"
    Processes.process_name="schtasks.exe"
    Processes.process IN (
        "*/create*",
        "*-create*",
        "*/delete*",
        "*-delete*"
    )
    NOT Processes.process IN (
        "* \"C:\\Program Files (x86)\\*",
        "* \"C:\\Program Files\\*",
        "* \"C:\\Windows\\System32\\*",
        "* \"C:\\Windows\\SysWOW64\\*",
        "* C:\\Program Files (x86)\\*",
        "* C:\\Program Files\\*",
        "* C:\\Windows\\System32\\*",
        "* C:\\Windows\\SysWOW64\\*"
    )
    NOT Processes.user="*$"

    BY Processes.action Processes.dest Processes.original_file_name
       Processes.parent_process Processes.parent_process_exec
       Processes.parent_process_guid Processes.parent_process_id
       Processes.parent_process_name Processes.parent_process_path
       Processes.process Processes.process_exec Processes.process_guid
       Processes.process_hash Processes.process_id Processes.process_integrity_level
       Processes.process_name Processes.process_path Processes.user
       Processes.user_id Processes.vendor_product

    | `drop_dm_object_name(Processes)`
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | `scheduled_task_deleted_or_created_via_cmd_filter`
how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
known_false_positives: |-
    While it is possible for legitimate scripts or administrators to trigger this behavior, filtering can be applied based on the parent process and application to reduce false positives.
    Analysts should reference the provided references to understand the context and threat landscape associated with this activity.
references:
    - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
    - https://www.joesandbox.com/analysis/691823/0/html
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-delete
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create
drilldown_searches:
    - name: View the detection results for - "$dest$" and "$user$"
      search: '%original_detection_search% | search  dest = "$dest$" user = "$user$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$dest$" and "$user$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: A parent process [$parent_process_name$] with commandline [$parent_process$] spawned a schedule task process [$process_name$] with create or delete commandline [$process$] on host [$dest$]
    risk_objects:
        - field: dest
          type: system
          score: 20
        - field: user
          type: user
          score: 20
    threat_objects:
        - field: parent_process_name
          type: parent_process_name
        - field: process
          type: process
tags:
    analytic_story:
        - SolarWinds WHD RCE Post Exploitation
        - ShrinkLocker
        - AgentTesla
        - CISA AA24-241A
        - Winter Vivern
        - Quasar RAT
        - Rhysida Ransomware
        - Sandworm Tools
        - DarkCrystal RAT
        - Qakbot
        - China-Nexus Threat Activity
        - XWorm
        - CISA AA23-347A
        - Azorult
        - Living Off The Land
        - Salt Typhoon
        - Trickbot
        - NOBELIUM Group
        - CISA AA22-257A
        - Medusa Ransomware
        - Phemedrone Stealer
        - NjRAT
        - DHS Report TA18-074A
        - Scheduled Tasks
        - Prestige Ransomware
        - Amadey
        - AsyncRAT
        - RedLine Stealer
        - Windows Persistence Techniques
        - MoonPeak
        - Scattered Spider
        - 0bj3ctivity Stealer
        - APT37 Rustonotto and FadeStealer
        - Lokibot
        - NetSupport RMM Tool Abuse
        - ValleyRAT
        - PlugX
        - Remcos
    asset_type: Endpoint
    mitre_attack_id:
        - T1053.005
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/atomic_red_team/windows-sysmon.log
          source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
          sourcetype: XmlWinEventLog