Adversaries may use rare scheduled tasks to execute malicious payloads under the guise of legitimate processes. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential covert execution and persistence mechanisms.
KQL Query
```kql
let RunningScheduledTasks = materialize(
    DeviceProcessEvents
    | where InitiatingProcessFileName == @"svchost.exe"
    | where InitiatingProcessCommandLine == @"svchost.exe -k netsvcs -p -s Schedule"
    | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, ProcessId, FolderPath
    | where FileName != @"MpCmdRun.exe"
    | where FolderPath !startswith @"C:\Windows\System32\" or FileName =~ "cmd.exe" or FileName =~ "powershell.exe" or FileName =~ "rundll32.exe" or FileName =~ "regsvr32.exe"
    | summarize count() by FileName, ProcessCommandLine, FolderPath
    | where count_ < 3
    | summarize
        Names = make_set(FileName),
        CommandLines = make_set(ProcessCommandLine),
        FolderPaths = make_set(FolderPath)
);
let Names = RunningScheduledTasks
    | project Names
    | mv-expand extended = Names
    | project asstring = tostring(extended)
    | distinct tolower(asstring);
let CommandLines = RunningScheduledTasks
    | project CommandLines
    | mv-expand extended = CommandLines
    | project asstring = tostring(extended)
    | distinct tolower(asstring);
let FolderPaths = RunningScheduledTasks
    | project FolderPaths
    | mv-expand extended = FolderPaths
    | project asstring = tostring(extended)
    | distinct tolower(asstring);
union DeviceProcessEvents, DeviceNetworkEvents, DeviceFileEvents, DeviceRegistryEvents, DeviceLogonEvents, DeviceImageLoadEvents, DeviceEvents
| where tolower(InitiatingProcessFileName) in (Names)
    and tolower(InitiatingProcessCommandLine) in (CommandLines)
    and tolower(InitiatingProcessFolderPath) in (FolderPaths)
| sort by Timestamp desc
| summarize Actions = make_set(ActionType), FileNames = make_set(FileName), RemoteIPs = make_set(RemoteIP) by InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, InitiatingProcessCreationTime, DeviceName
```
```yaml
id: ce76992a-8cd6-4605-9f45-cde9aae87244
name: rare_sch_task_with_activity
description: |
  Looks for rare process launches as scheduled tasks and the activity performed by those processes.
  Author: Jouni Mikkola
  More info: https://threathunt.blog/hunting-for-malicious-scheduled-tasks/
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
      - DeviceNetworkEvents
      - DeviceFileEvents
      - DeviceRegistryEvents
      - DeviceLogonEvents
      - DeviceImageLoadEvents
      - DeviceEvents
tactics:
  - Persistence
relevantTechniques:
  - T1053
query: |
  let RunningScheduledTasks = materialize(
      DeviceProcessEvents
      | where InitiatingProcessFileName == @"svchost.exe"
      | where InitiatingProcessCommandLine == @"svchost.exe -k netsvcs -p -s Schedule"
      | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, ProcessId, FolderPath
      | where FileName != @"MpCmdRun.exe"
      | where FolderPath !startswith @"C:\Windows\System32\" or FileName =~ "cmd.exe" or FileName =~ "powershell.exe" or FileName =~ "rundll32.exe" or FileName =~ "regsvr32.exe"
      | summarize count() by FileName, ProcessCommandLine, FolderPath
      | where count_ < 3
      | summarize
          Names = make_set(FileName),
          CommandLines = make_set(ProcessCommandLine),
          FolderPaths = make_set(FolderPath)
  );
  let Names = RunningScheduledTasks
      | project Names
      | mv-expand extended = Names
      | project asstring = tostring(extended)
      | distinct tolower(asstring);
  let CommandLines = RunningScheduledTasks
      | project CommandLines
      | mv-expand extended = CommandLines
      | project asstring = tostring(extended)
      | distinct tolower(asstring);
  let FolderPaths = RunningScheduledTasks
      | project FolderPaths
      | mv-expand extended = FolderPaths
      | project asstring = tostring(extended)
      | distinct tolower(asstring);
  union DeviceProcessEvents, DeviceNetworkEvents, DeviceFileEvents, DeviceRegistryEvents, DeviceLogonEvents, DeviceImageLoadEvents, DeviceEvents
  | where tolower(InitiatingProcessFileName) in (Names)
      and tolower(InitiatingProcessCommandLine) in (CommandLines)
      and tolower(InitiatingProcessFolderPath) in (FolderPaths)
  | sort by Timestamp desc
  | summarize Actions = make_set(ActionType), FileNames = make_set(FileName), RemoteIPs = make_set(RemoteIP) by InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, InitiatingProcessCreationTime, DeviceName
```
| Sentinel Table | Notes |
|---|---|
| DeviceEvents | Ensure this data connector is enabled |
| DeviceFileEvents | Ensure this data connector is enabled |
| DeviceImageLoadEvents | Ensure this data connector is enabled |
| DeviceLogonEvents | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DeviceProcessEvents | Ensure this data connector is enabled |
| DeviceRegistryEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
Description: A legitimate system maintenance task (e.g., schtasks.exe running a script to clean temporary files or update system settings) is flagged due to its rare execution pattern.
Filter/Exclusion: `process.name == "schtasks.exe" && (process.args contains "clean" || process.args contains "update")`
Scenario: Admin-Initiated Scheduled Job for Patching
Description: A scheduled task initiated by an admin to apply Windows updates or patches using wusa.exe or msiexec.exe is flagged as suspicious.
Filter/Exclusion: `(process.name == "wusa.exe" || process.name == "msiexec.exe") && (process.args contains "/quiet" || process.args contains "/passive")`
Scenario: Backup Job Using Veeam or Acronis
Description: A backup task scheduled via schtasks.exe that runs Veeam or Acronis backup tools is flagged due to the rare process launch.
Filter/Exclusion: `process.name == "schtasks.exe" && (process.args contains "Veeam" || process.args contains "Acronis")`
Scenario: User-Defined Scheduled Task for Reporting
Description: A user-created scheduled task that runs a PowerShell script for generating reports (e.g., powershell.exe -File report.ps1) is flagged due to its unusual execution pattern.
Filter/Exclusion: `process.name == "powershell.exe" && (process.args contains "report.ps1" || process.args contains "generate-report")`
Scenario: System-Generated Task for Event Log Cleanup
Description: A system-generated task (e.g., eventvwr.exe or wevtutil.exe) that runs to clean up event logs is flagged due to the rare
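As an added example (not the page's query or Jouni Mikkola's rule file), the KQL below turns the exclusion scenarios above into a single allowlist datatable and applies it to the rare-task candidates from the hunt, keeping first/last seen and device count for triage. The `KnownGoodTasks` rows are constructed from the scenario filters and are assumptions to narrow to what is actually scheduled in your environment.

```kql
// Added example, not part of the original hunting query or rule file.
// Tuning lives in one datatable instead of ad-hoc filters; column names are the
// DeviceProcessEvents columns the hunt already uses. Allowlist rows are constructed
// from the scenarios above and must be narrowed to your own scheduled tasks.
let KnownGoodTasks = datatable(ImageName:string, CommandLineMatch:string)
[
    "schtasks.exe",   "clean",
    "schtasks.exe",   "update",
    "wusa.exe",       "/quiet",
    "wusa.exe",       "/passive",
    "msiexec.exe",    "/quiet",
    "msiexec.exe",    "/passive",
    "schtasks.exe",   "veeam",
    "schtasks.exe",   "acronis",
    "powershell.exe", "report.ps1",
    "powershell.exe", "generate-report"
];
// Same rarity logic as the hunt, with first/last seen and device count kept for triage.
let RareTaskCandidates = materialize(
    DeviceProcessEvents
    | where InitiatingProcessFileName == @"svchost.exe"
    | where InitiatingProcessCommandLine == @"svchost.exe -k netsvcs -p -s Schedule"
    | where FileName != @"MpCmdRun.exe"
    | where FolderPath !startswith @"C:\Windows\System32\"
        or FileName in~ ("cmd.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe")
    | summarize Launches = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
        Devices = dcount(DeviceName) by FileName, ProcessCommandLine, FolderPath
    | where Launches < 3
);
// A candidate is known-good only when BOTH the image name and a command-line keyword
// match; image name alone is never enough, since the hunt deliberately keeps
// script hosts such as powershell.exe in scope.
RareTaskCandidates
| extend ImageName = tolower(FileName), CommandLineLower = tolower(ProcessCommandLine)
| join kind=leftouter (KnownGoodTasks) on ImageName
| summarize KnownGoodHits = countif(isnotempty(CommandLineMatch)
        and CommandLineLower contains CommandLineMatch)
    by FileName, ProcessCommandLine, FolderPath, Launches, FirstSeen, LastSeen, Devices
| where KnownGoodHits == 0
| project-away KnownGoodHits
| sort by LastSeen desc
```

The surviving rows are the candidates that still feed the activity correlation in the hunt; a row with a single device and a very recent FirstSeen deserves the first look.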