From cybersecurity-skills
Analyzes Windows scheduled tasks for adversary persistence (T1053.005) by inspecting task creation events, suspicious actions, triggers, and hidden tasks.
How this skill is triggered — by the user, by Claude, or both
Slash command
/cybersecurity-skills:hunting-for-suspicious-scheduled-tasksThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
- When proactively hunting for persistence mechanisms in Windows environments
schtasks /query /fo CSV /v or Get-ScheduledTask PowerShell cmdlet.index=wineventlog EventCode=4698
| spath output=TaskName path=EventData.TaskName
| spath output=TaskContent path=EventData.TaskContent
| where NOT match(TaskName, "(?i)(\\\\Microsoft\\\\|\\\\Windows\\\\)")
| table _time Computer SubjectUserName TaskName TaskContent
index=sysmon EventCode=1 Image="*\\schtasks.exe"
| where match(CommandLine, "(?i)/create")
| where match(CommandLine, "(?i)(powershell|cmd|wscript|cscript|mshta|rundll32|regsvr32|http|https|\\\\temp\\\\|\\\\appdata\\\\)")
| table _time Computer User CommandLine ParentImage
SecurityEvent
| where EventID == 4698
| extend TaskName = tostring(EventData.TaskName)
| extend TaskContent = tostring(EventData.TaskContent)
| where TaskContent has_any ("powershell", "cmd.exe", "wscript", "http://", "https://", "\\Temp\\", "\\AppData\\")
| project TimeGenerated, Computer, Account, TaskName, TaskContent
schtasks /create /s REMOTE_HOST for execution on other systems.Hunt ID: TH-SCHTASK-[DATE]-[SEQ]
Host: [Hostname]
Task Name: [Full task path]
Action: [Command/Script executed]
Trigger: [Startup/Logon/Timer/Event]
Created By: [User account]
Created From: [Local/Remote]
Creation Time: [Timestamp]
Run As: [Execution account]
Risk Level: [Critical/High/Medium/Low]
npx claudepluginhub mukul975/anthropic-cybersecurity-skills --plugin cybersecurity-skills4plugins reuse this skill
First indexed Jun 5, 2026
Hunts for adversary persistence via Windows scheduled tasks (T1053.005) by analyzing Event ID 4698/4699, suspicious properties, triggers, and execution patterns in Sysmon/Splunk logs.
Hunts adversary persistence (T1053.005) in Windows scheduled tasks via event analysis (4698/4699), Sysmon, PowerShell enumeration, and Splunk queries for suspicious creations/executions.
Hunts for adversary persistence via Windows Scheduled Tasks by analyzing task creation events, suspicious actions, and unusual scheduling patterns.