Skill

hunting-for-suspicious-scheduled-tasks

Hunts adversary persistence (T1053.005) in Windows scheduled tasks via event analysis (4698/4699), Sysmon, PowerShell enumeration, and Splunk queries for suspicious creations/executions.

Powershell

security

npx claudepluginhub mukul975/anthropic-cybersecurity-skills --plugin cybersecurity-skills

Tool Access

This skill uses the workspace's default tool permissions.

Preview

- When proactively hunting for persistence mechanisms in Windows environments

Supporting Assets

LICENSEassets/template.mdreferences/api-reference.mdreferences/standards.mdreferences/workflows.mdscripts/agent.pyscripts/process.py

SKILL.md

Similar Skills

applying-brand-guidelines

41.6k

Applies Acme Corporation brand guidelines including colors, fonts, layouts, and messaging to generated PowerPoint, Excel, and PDF documents.

3 files

anthropics-claude-cookbooks

creating-financial-models

41.6k

Builds DCF models with sensitivity analysis, Monte Carlo simulations, and scenario planning for investment valuation and risk assessment.

2 files

anthropics-claude-cookbooks

analyzing-financial-statements

41.6k

Calculates profitability (ROE, margins), liquidity (current ratio), leverage, efficiency, and valuation (P/E, EV/EBITDA) ratios from financial statements in CSV, JSON, text, or Excel for investment analysis.

2 files

anthropics-claude-cookbooks

Stats

Stars5748

Forks783

Last CommitApr 6, 2026

Actions

View Source View Plugin View on GitHub View README

Hunting for Suspicious Scheduled Tasks

When to Use

When proactively hunting for persistence mechanisms in Windows environments
After detecting schtasks.exe or at.exe usage in process creation logs
When investigating malware that survives reboots and user logoffs
During incident response to enumerate all persistence on compromised systems
When Windows Security Event ID 4698 (Scheduled Task Created) fires for unusual tasks

Prerequisites

Windows Security Event ID 4698/4699/4702 (Task Created/Deleted/Updated)
Sysmon Event ID 1 for schtasks.exe process creation with command lines
Windows Task Scheduler operational log (Microsoft-Windows-TaskScheduler/Operational)
PowerShell logging for Register-ScheduledTask cmdlet usage
Access to Task Scheduler XML definitions on endpoints

Workflow

Enumerate All Scheduled Tasks: Collect complete task inventory from target systems using schtasks /query /fo CSV /v or Get-ScheduledTask PowerShell cmdlet.
Monitor Task Creation Events: Track Event ID 4698 for new task creation, correlating with the creating process and user account context.
Analyze Task Actions: Examine what each task executes. Flag tasks running scripts (PowerShell, cmd, wscript), binaries from user-writable paths (TEMP, AppData, Downloads), or encoded/obfuscated commands.
Check Task Triggers: Review trigger conditions. Tasks triggered by system startup, user logon, or short intervals (1-5 minutes) warrant investigation.
Identify Hidden or Disguised Tasks: Hunt for tasks with names mimicking legitimate Windows tasks, tasks with Security Descriptor modifications hiding them from standard enumeration, or tasks stored in non-standard registry locations.
Correlate with Process Execution: Match scheduled task execution events with process creation logs to confirm what actually runs.
Baseline and Diff: Compare current task inventory against known-good baselines to identify new, modified, or unexpected tasks.

Detection Queries

Splunk -- Scheduled Task Creation

index=wineventlog EventCode=4698
| spath output=TaskName path=EventData.TaskName
| spath output=TaskContent path=EventData.TaskContent
| where NOT match(TaskName, "(?i)(\\\\Microsoft\\\\|\\\\Windows\\\\)")
| table _time Computer SubjectUserName TaskName TaskContent

Splunk -- Schtasks.exe Suspicious Usage

index=sysmon EventCode=1 Image="*\\schtasks.exe"
| where match(CommandLine, "(?i)/create")
| where match(CommandLine, "(?i)(powershell|cmd|wscript|cscript|mshta|rundll32|regsvr32|http|https|\\\\temp\\\\|\\\\appdata\\\\)")
| table _time Computer User CommandLine ParentImage

KQL -- Microsoft Sentinel

SecurityEvent
| where EventID == 4698
| extend TaskName = tostring(EventData.TaskName)
| extend TaskContent = tostring(EventData.TaskContent)
| where TaskContent has_any ("powershell", "cmd.exe", "wscript", "http://", "https://", "\\Temp\\", "\\AppData\\")
| project TimeGenerated, Computer, Account, TaskName, TaskContent

Common Scenarios

Cobalt Strike Persistence: Creates scheduled tasks via schtasks.exe to execute PowerShell download cradles at user logon intervals.
Ransomware Staging: Task created to run encryption payload at a future time, often during off-hours for maximum impact.
Hidden Task via SD Modification: Attacker modifies Security Descriptor of scheduled task to hide it from normal enumeration while maintaining execution.
COM Handler Abuse: Task uses COM handler rather than direct executable path, making action inspection more complex.
Lateral Movement via Tasks: Remote scheduled task creation using schtasks /create /s REMOTE_HOST for execution on other systems.

Output Format

Hunt ID: TH-SCHTASK-[DATE]-[SEQ]
Host: [Hostname]
Task Name: [Full task path]
Action: [Command/Script executed]
Trigger: [Startup/Logon/Timer/Event]
Created By: [User account]
Created From: [Local/Remote]
Creation Time: [Timestamp]
Run As: [Execution account]
Risk Level: [Critical/High/Medium/Low]