Skip to main content
Splunk Lantern

Schtasks.exe registering binaries or scripts to run from a public directory

Schtasks.exe is Windows' Scheduled Tasks tool. This search identifies schtasks.exe registering a binary or script to run from a public directory. These public directories include users\public, \programdata\, and \windows\temp. Ransomware authors have been seen to use schtasks.exe to achieve persistence in compromised environments. 

Data required 

Endpoint data

Procedure

  1. Content developed by the Splunk Security Research team requires the use of consistent, normalized data provided by the Common Information Model (CIM). For information on installing and using the CIM, see the Common Information Model documentation. To run this search, your deployment needs to be ingesting information on process that include the name of the process responsible for the changes from your endpoints, and populating the Endpoint Process data model node.
  2. Run the following search. You can optimize it by specifying an index and adjusting the time range.
| tstats allow_old_summaries=true count, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE ("Processes.process_name"=schtasks.exe ("Processes.process"=*\\users\\public\\* OR "Processes.process"=*\\programdata\\* OR "Processes.process"=*windows\\temp*) "Processes.process"=*/create*) BY "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id" 
| rename "Processes.*" AS "*" 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation
| tstats allow_old_summaries=true count, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE ("Processes.process_name"=schtasks.exe ("Processes.process"=*\\users\\public\\* OR "Processes.process"=*\\programdata\\* OR "Processes.process"=*windows\\temp*) "Processes.process"=*/create*) BY "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"  Query the Endpoint.Processes data model object to search for schtasks.exe registering binaries or scripts to run from users\public, \programdata\ or \windows\temp. Sort first by destination, then user, parent process, process name, process, process ID, and parent process ID.
| rename "Processes.*" AS "*"  Rename data model fields for better readability.
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)
Convert these times into readable strings.

Next steps

When examining your results, review the binary or script in the command line for legitimacy and assess whether it is an approved binary or script or not. You should also capture the binary or script in question and analyze it for further behaviors, as well as identify its source and containing the endpoint.

False positives from this search may be present. You should filter as needed by parent process or command line argument.

If you receive clear positive results from this search, start your incident response process for dealing with a ransomware infection. You should check for recent backups for the systems affected by the infection.

Another tactic you may want to search for is attackers using schtasks.exe to force a reboot.

Finally, you might be interested in other processes associated with the Detecting a ransomware attack use case.