Adversaries may use schtasks.exe with the /S switch to create or update scheduled tasks on remote hosts as part of establishing persistence and moving laterally within a network. SOC teams should proactively hunt for this behavior in their Azure Sentinel environment to identify potential compromise and disrupt adversary operations.
KQL Query
SecurityEvent
| where EventID == 4688 and NewProcessName == "C:\\Windows\\System32\\schtasks.exe" and CommandLine has " /s "
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, SubjectUserName, CommandLine
id: 9a5f5afa-8d85-11ec-b909-0242ac120002
name: Remote Task Creation/Update using Schtasks Process
description: |
  'The query detects a scheduled task, created/updated remotely, using the Schtasks process.
  Threat actors are using scheduled tasks for establishing persistence and moving laterally through the network.'
severity: Low
requiredDataConnectors:
  - connectorId: SecurityEvents
    dataTypes:
      - SecurityEvent
tactics:
  - Persistence
relevantTechniques:
  - T1053
query: |
  SecurityEvent
  | where EventID == 4688 and NewProcessName == "C:\\Windows\\System32\\schtasks.exe" and CommandLine has " /s "
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, SubjectUserName, CommandLine
| Sentinel Table | Notes |
|---|---|
| SecurityEvent | Ensure the Security Events data connector is enabled and that process creation auditing (EventID 4688) is turned on with the "Include command line in process creation events" policy set; without it the CommandLine field is empty and the " /s " filter never matches. Note that has is a case-insensitive term match, so both /s and /S are caught. |
Scenario: System Administrator Updates a Scheduled Task via Schtasks
Description: A legitimate system administrator uses the schtasks command to update a scheduled task on a remote host as part of routine system maintenance (e.g., log rotation, backup).
Filter/Exclusion: The query already groups by SubjectUserName, the account that launched schtasks.exe, so account-based tuning belongs on that field (SecurityEvent has no ProcessUser column). Do not simply drop every event from Administrator, a service account or Domain Admins members: those are exactly the accounts an adversary with stolen credentials uses to create remote tasks. Exclude only a known combination of account and task, and use KQL's and/or rather than ||, for example:
| where not(SubjectUserName =~ "ServiceAccount" and CommandLine has "backup")
Scenario: Scheduled Job Created by a Third-Party Monitoring Tool
Description: A third-party monitoring or compliance tool (e.g., Splunk, Nagios, or Microsoft Intune) creates a scheduled task to perform regular health checks or data collection.
Filter/Exclusion: In a 4688 event the tool's agent is the parent process: schtasks.exe is NewProcessName and the agent binary appears, with its full path, in ParentProcessName, so filter on the parent rather than on a ProcessName column (which does not exist in SecurityEvent). A parent process name on its own can be spoofed and a binary can be renamed, so match the full expected install path where you can. Example for the Splunk forwarder:
| where not(ParentProcessName endswith @"\splunkd.exe")
Scenario: Automated Patch Management Task via Schtasks
Description: A patch management system (e.g., Microsoft SCCM, WSUS, or Qualys) creates or updates a scheduled task to apply patches during off-peak hours.
Filter/Exclusion: Filter on ParentProcessName for the product's client agent that spawned schtasks.exe (e.g., ccmexec.exe for the SCCM client), confirmed against the path the product installs to. Example:
| where not(ParentProcessName endswith @"\ccmexec.exe")
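Putting the hunt and the tuning scenarios together, the following is an added example written for this page; it is not the original hunting query and not code from the Azure Sentinel repository. It extends the query to pull the /S target, connecting user, task name and task action out of the schtasks command line so an analyst can triage without reading raw command lines, and it applies the narrowly scoped exclusions described above (parent agent binary, known maintenance task name) instead of dropping whole accounts. The contents of the two allowlists, including the splunkd.exe, ccmexec.exe and \Maintenance\LogRotate values, are assumptions to replace with your environment's own.

```kql
// Added example: extended hunt for remote schtasks use over SecurityEvent 4688.
// Allowlist contents are assumptions; populate them from your own environment.
let KnownParentExes       = dynamic(["splunkd.exe", "ccmexec.exe"]);   // assumed: agents that legitimately spawn schtasks.exe
let KnownMaintenanceTasks = dynamic(["\\Maintenance\\LogRotate"]);     // assumed: task names admins change remotely
SecurityEvent
| where EventID == 4688
| where NewProcessName =~ @"C:\Windows\System32\schtasks.exe"
     or NewProcessName =~ @"C:\Windows\SysWOW64\schtasks.exe"         // 32-bit copy is missed by an exact System32 path match
// Require an actual "/S <host>" argument rather than a bare term match on " /s "
| where CommandLine matches regex @"(?i)(^|\s)/s\s+\S"
// Parse the parts of the command line an analyst needs for triage (null-safe via coalesce)
| extend Action      = tolower(coalesce(extract(@"(?i)(?:^|\s)/(create|change|run|delete|query)\b", 1, CommandLine), ""))
| extend TargetHost  = coalesce(extract(@"(?i)(?:^|\s)/s\s+""?([^\s""]+)", 1, CommandLine), "")
| extend ConnectUser = coalesce(extract(@"(?i)(?:^|\s)/u\s+""?([^\s""]+)", 1, CommandLine), "")   // /U, not /RU
| extend TaskName    = coalesce(extract(@"(?i)(?:^|\s)/tn\s+""([^""]+)""", 1, CommandLine),      // quoted value
                                extract(@"(?i)(?:^|\s)/tn\s+(\S+)", 1, CommandLine), "")         // unquoted value
| extend TaskAction  = coalesce(extract(@"(?i)(?:^|\s)/tr\s+""([^""]+)""", 1, CommandLine),
                                extract(@"(?i)(?:^|\s)/tr\s+(\S+)", 1, CommandLine), "")
// Last path component of the parent, lower-cased, so the allowlist is path- and case-independent
| extend ParentExe   = tolower(tostring(split(ParentProcessName, @"\")[-1]))
// Exclusions: known agent as parent, or a known maintenance task being changed.
// A parent name alone is spoofable, so keep both lists short and review them alongside the hunt.
| where ParentExe !in (KnownParentExes)
| where not(Action == "change" and TaskName in~ (KnownMaintenanceTasks))
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Count = count()
    by Computer, SubjectUserName, ParentExe, Action, TargetHost, ConnectUser, TaskName, TaskAction, CommandLine
| order by StartTime asc
```

The exclusions are deliberately expressed as a parent binary and a task name rather than an account, so a stolen Administrator credential used to /Create a new task on a remote host still surfaces. A hit where TargetHost is a server the SubjectUserName never administers, or where TaskAction points at a path under a user profile, is the first thing to look at.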
Scenario: User-Initiated Task Creation for Personal Automation
Description: A regular user creates a