Scheduled Task Creation Via Schtasks.EXE
Detects the creation of scheduled tasks by user accounts via the "schtasks" utility.
Sigma rule
title: Scheduled Task Creation Via Schtasks.EXE
id: 92626ddd-662c-49e3-ac59-f6535f12d189
status: test
description: Detects the creation of scheduled tasks by user accounts via the "schtasks" utility.
references:
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create
author: Florian Roth (Nextron Systems)
date: 2019-01-16
modified: 2025-10-22
tags:
    - attack.execution
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1053.005
    - attack.s0111
    - car.2013-08-001
    - stp.1u
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\schtasks.exe'
        CommandLine|contains: ' /create '
    filter_main_system_user:
        User|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
    filter_optional_msoffice:
        # schtasks.exe /Create /tn "Microsoft\Office\Office Performance Monitor" /XML "C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_Office Performance Monitor.xml"
        ParentImage:
            - 'C:\Program Files\Microsoft Office\root\integration\integrator.exe'
            - 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
        Image:
            - 'C:\Windows\System32\schtasks.exe'
            - 'C:\Windows\SysWOW64\schtasks.exe'
        CommandLine|contains: 'Microsoft\Office\Office Performance Monitor'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Administrative activity
    - Software installation
level: low
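To see how the selection and the two filters combine, the following is an added Python re-implementation of this rule's matching logic (not the Sigma project's code or a backend conversion), run over constructed process_creation events. Field names are those used by the rule; Sigma's default case-insensitive string matching is assumed for `contains` and `endswith`, and plain list values are treated as exact case-insensitive matches.

```python
OFFICE_INTEGRATORS = {
    r"c:\program files\microsoft office\root\integration\integrator.exe",
    r"c:\program files (x86)\microsoft office\root\integration\integrator.exe",
}
SCHTASKS_IMAGES = {r"c:\windows\system32\schtasks.exe", r"c:\windows\syswow64\schtasks.exe"}

def _lower(ev, field):
    return (ev.get(field) or "").lower()  # missing fields never match

def selection(ev):
    # Image|endswith '\schtasks.exe' and CommandLine|contains ' /create '
    return (_lower(ev, "Image").endswith(r"\schtasks.exe")
            and " /create " in _lower(ev, "CommandLine"))

def filter_main_system_user(ev):
    # 'AUTHORI' / 'AUTORI' cover "NT AUTHORITY" and localised spellings of it
    return any(s in _lower(ev, "User") for s in ("authori", "autori"))

def filter_optional_msoffice(ev):
    # All three fields must match for the Office filter to apply
    return (_lower(ev, "ParentImage") in OFFICE_INTEGRATORS
            and _lower(ev, "Image") in SCHTASKS_IMAGES
            and r"microsoft\office\office performance monitor" in _lower(ev, "CommandLine"))

def matches(ev):
    # condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
    return (selection(ev) and not filter_main_system_user(ev)
            and not filter_optional_msoffice(ev))

# Constructed sample process_creation events, not real telemetry
EVENTS = [
    {"User": r"DESKTOP\bob", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks.exe /Create /SC DAILY /TN Backup /TR C:\Tools\backup.cmd"},
    {"User": r"NT AUTHORITY\SYSTEM", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks.exe /create /tn Maint /xml C:\Windows\Temp\m.xml"},
    {"User": r"NT-AUTORITÄT\SYSTEM", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks.exe /create /tn Maint /xml C:\Windows\Temp\m.xml"},
    {"User": r"DESKTOP\bob",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\integration\integrator.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /Create /tn "Microsoft\Office\Office Performance Monitor" /XML C:\ProgramData\Microsoft\ClickToRun\opm.xml'},
]

def alerting_users(events=EVENTS):
    """User field of every event the rule fires on; only the first event above."""
    return [ev["User"] for ev in events if matches(ev)]
```

Only the interactive user's task creation survives: the SYSTEM events are dropped by the user filter (including the German-localised account name), and the Office integrator's task is dropped by the optional filter even though the selection itself matched.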
Related rules
- HackTool - Default PowerSploit/Empire Scheduled Task Creation
- Defrag Deactivation
- OilRig APT Activity
- OilRig APT Registry Persistence
- OilRig APT Schedule Task Persistence - Security