Scheduled Task Creation with schtasks.exe for Persistence
Detects the use of schtasks.exe to create or modify scheduled tasks, a basic persistence mechanism widely used by malware and attackers to maintain access across system reboots. Essential for basic host triage during Incident Response to identify residual persistence artifacts on compromised endpoints.
Tags: Persistence, scheduled-task, persistence, schtasks, post-exploitation, T1053.005
FDR | Beginner | by darkreitor | 2 min read
Query

```
#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)schtasks\.exe/
| CommandLine=/(?i)(\/create|\/sc|\/tr|\/tn)/
| groupBy([ComputerName, UserName, CommandLine], function=count())
| sort(_count, order=desc, limit=20)
```

Explanation
| Pipe | Description |
|---|---|
| `#repo="base_sensor" #event_simpleName=ProcessRollup2` | Filters process execution events in FDR endpoint telemetry |
| `FileName=/(?i)schtasks\.exe/` | Selects only executions of schtasks.exe, the native Windows tool for scheduled task management |
| `CommandLine=/(?i)(\/create\|\/sc\|\/tr\|\/tn)/` | Filters invocations containing arguments for creating and configuring new scheduled tasks |
| `groupBy([ComputerName, UserName, CommandLine], function=count())` | Groups by host, user, and full command line to identify repeated or unusual patterns |
| `sort(_count, order=desc, limit=20)` | Sorts by descending frequency, showing the 20 most recurrent cases to prioritize analysis |
Adjustable Variables
Reduce false positives by excluding known command lines from legitimate software such as antivirus or management agents. Add a filter on ParentBaseFileName to flag task creation from unusual parent processes such as cmd.exe or powershell.exe, which makes the detection more relevant.
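The same pipeline, including the two adjustable variables above (a known-good exclusion list and a ParentBaseFileName filter), re-implemented in Python over a handful of constructed ProcessRollup2-style events so the logic can be tested offline. This is an added example, not code from the original page or from CrowdStrike; the sample events, the `KNOWN_GOOD` pattern and `SUSPICIOUS_PARENTS` set are assumptions.

```python
import re
from collections import Counter

# Constructed sample events in the shape of ProcessRollup2 telemetry (not real data).
EVENTS = [
    {"ComputerName": "WS01", "UserName": "alice", "FileName": "schtasks.exe",
     "ParentBaseFileName": "powershell.exe",
     "CommandLine": 'schtasks.exe /create /sc onlogon /tn Updater /tr "C:\\Users\\Public\\u.exe"'},
    {"ComputerName": "WS01", "UserName": "alice", "FileName": "schtasks.exe",
     "ParentBaseFileName": "powershell.exe",
     "CommandLine": 'schtasks.exe /create /sc onlogon /tn Updater /tr "C:\\Users\\Public\\u.exe"'},
    {"ComputerName": "WS02", "UserName": "SYSTEM", "FileName": "SCHTASKS.EXE",
     "ParentBaseFileName": "agent.exe",
     "CommandLine": "SCHTASKS.EXE /Create /TN AgentUpdate /SC daily /TR C:\\Program Files\\Agent\\update.exe"},
    {"ComputerName": "WS03", "UserName": "bob", "FileName": "schtasks.exe",
     "ParentBaseFileName": "cmd.exe",
     "CommandLine": "schtasks.exe /query /fo list"},   # query only, no creation arguments
    {"ComputerName": "WS03", "UserName": "bob", "FileName": "notepad.exe",
     "ParentBaseFileName": "explorer.exe",
     "CommandLine": "notepad.exe /create"},             # wrong binary, must not match
]

# Same regexes as the query: case-insensitive FileName and CommandLine matches.
FILENAME_RE = re.compile(r"schtasks\.exe", re.I)
CREATE_ARGS_RE = re.compile(r"(/create|/sc|/tr|/tn)", re.I)
# Adjustable variables (assumed values): exclusion for a known management agent,
# and the parent processes the text singles out as unusual.
KNOWN_GOOD = [re.compile(r"/TN AgentUpdate ", re.I)]
SUSPICIOUS_PARENTS = {"cmd.exe", "powershell.exe"}

def detect(events, known_good=KNOWN_GOOD, parents=None, limit=20):
    """Return [((ComputerName, UserName, CommandLine), count), ...] sorted descending."""
    counts = Counter()
    for e in events:
        if not FILENAME_RE.search(e["FileName"]):          # FileName filter
            continue
        if not CREATE_ARGS_RE.search(e["CommandLine"]):    # CommandLine filter
            continue
        if any(p.search(e["CommandLine"]) for p in known_good):  # exclusion list
            continue
        if parents and e["ParentBaseFileName"].lower() not in parents:  # parent filter
            continue
        counts[(e["ComputerName"], e["UserName"], e["CommandLine"])] += 1
    return counts.most_common(limit)                       # groupBy + sort

if __name__ == "__main__":
    for key, n in detect(EVENTS):
        print(n, *key)
```

With the exclusion in place only the repeated WS01 creation from powershell.exe survives; passing `known_good=[]` also surfaces the agent's task, and `parents=SUSPICIOUS_PARENTS` drops it again.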