detecting-malicious-scheduled-tasks-with-sysmon

Solid

Detect malicious scheduled task creation and modification using Sysmon Event IDs 1 (Process Create for schtasks.exe), 11 (File Create for task XML), and Windows Security Event 4698/4702. The analyst correlates task creation with suspicious parent processes, public directory paths, and encoded command arguments to identify persistence and lateral movement via scheduled tasks. Activates for requests involving scheduled task detection, Sysmon persistence hunting, or T1053.005 Scheduled Task/Job analysis.

AI & Automation 12,642 stars 1468 forks Updated today Apache-2.0

Install

View on GitHub

Quality Score: 97/100

Stars 20%
100
Recency 20%
100
Frontmatter 20%
70
Documentation 15%
96
Issue Health 10%
50
License 10%
100
Description 5%
100

Skill Content

# Detecting Malicious Scheduled Tasks with Sysmon ## Overview Adversaries abuse Windows Task Scheduler (schtasks.exe, at.exe) for persistence (T1053.005) and lateral movement. Sysmon Event ID 1 captures schtasks.exe process creation with full command-line arguments, while Event ID 11 captures task XML files written to C:\Windows\System32\Tasks\. Windows Security Event 4698 logs task registration details. This skill covers building detection rules that correlate these events to identify malicious scheduled tasks created from suspicious paths, with encoded payloads, or targeting remote systems. ## When to Use - When investigating security incidents that require detecting malicious scheduled tasks with sysmon - When building detection rules or threat hunting queries for this domain - When SOC analysts need structured procedures for this analysis type - When validating security monitoring coverage for related attack techniques ## Prerequisites - Sysmon installed with a detection-focused configuration (e.g., SwiftOnSecurity or Olaf Hartong) - Windows Event Log forwarding to SIEM (Splunk, Elastic, or Sentinel) - PowerShell ScriptBlock Logging enabled (Event 4104) ## Steps 1. Configure Sysmon to log Event IDs 1, 11, 12, 13 with task-related filters 2. Build detection rules for schtasks.exe /create with suspicious arguments 3. Correlate Event 4698 (task registered) with Sysmon Event 1 (process create) 4. Hunt for tasks executing from public directories or with encoded comman...

Details

Author
mukul975
Repository
mukul975/Anthropic-Cybersecurity-Skills
Created
3 months ago
Last Updated
today
Language
Python
License
Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Featured

hunting-for-suspicious-scheduled-tasks

Hunt for adversary persistence and execution via Windows scheduled tasks by analyzing task creation events, suspicious task properties, and unusual execution patterns that indicate T1053.005 abuse.

12,642 Updated today
mukul975
AI & Automation Featured

hunting-for-scheduled-task-persistence

Hunt for adversary persistence via Windows Scheduled Tasks by analyzing task creation events, suspicious task actions, and unusual scheduling patterns.

12,642 Updated today
mukul975
AI & Automation Featured

detecting-t1055-process-injection-with-sysmon

Detect process injection techniques (T1055) including classic DLL injection, process hollowing, and APC injection by analyzing Sysmon events for cross-process memory operations, remote thread creation, and anomalous DLL loading patterns.

12,642 Updated today
mukul975
AI & Automation Solid

detecting-credential-dumping-techniques

Detect LSASS credential dumping, SAM database extraction, and NTDS.dit theft using Sysmon Event ID 10, Windows Security logs, and SIEM correlation rules

12,642 Updated today
mukul975
AI & Automation Featured

detecting-suspicious-powershell-execution

Detect suspicious PowerShell execution patterns including encoded commands, download cradles, AMSI bypass attempts, and constrained language mode evasion.

12,642 Updated today
mukul975