hunting-for-suspicious-scheduled-tasks

# Hunting for Suspicious Scheduled Tasks ## When to Use - When proactively hunting for persistence mechanisms in Windows environments - After detecting schtasks.exe or at.exe usage in process creation logs - When investigating malware that survives reboots and user logoffs - During incident response to enumerate all persistence on compromised systems - When Windows Security Event ID 4698 (Scheduled Task Created) fires for unusual tasks ## Prerequisites - Windows Security Event ID 4698/4699/4702 (Task Created/Deleted/Updated) - Sysmon Event ID 1 for schtasks.exe process creation with command lines - Windows Task Scheduler operational log (Microsoft-Windows-TaskScheduler/Operational) - PowerShell logging for Register-ScheduledTask cmdlet usage - Access to Task Scheduler XML definitions on endpoints ## Workflow 1. **Enumerate All Scheduled Tasks**: Collect complete task inventory from target systems using `schtasks /query /fo CSV /v` or `Get-ScheduledTask` PowerShell cmdlet. 2. **Monitor Task Creation Events**: Track Event ID 4698 for new task creation, correlating with the creating process and user account context. 3. **Analyze Task Actions**: Examine what each task executes. Flag tasks running scripts (PowerShell, cmd, wscript), binaries from user-writable paths (TEMP, AppData, Downloads), or encoded/obfuscated commands. 4. **Check Task Triggers**: Review trigger conditions. Tasks triggered by system startup, user logon, or short intervals (1-5 minutes) warrant investiga...