Threat Feed
medium advisory

Windows Temporarily Scheduled Task Creation and Deletion

Detection of rapid creation and deletion of scheduled tasks on Windows, indicating potential malicious activity abusing the task scheduler for execution and cleanup.

This detection focuses on identifying the creation and subsequent deletion of scheduled tasks within a short timeframe on Windows systems. Attackers may abuse the scheduled task functionality to execute malicious code, establish persistence, or perform other unauthorized actions. By quickly deleting the task after execution, they attempt to evade detection and remove traces of their activity. This behavior is often associated with attackers trying to proxy malicious execution via the schedule service and then cleaning up to avoid leaving forensic artifacts. The detection logic looks for the sequence of task creation followed by deletion within a five-minute window. This activity is captured via Windows Security Event Logs when the “Audit Other Object Access Events” setting is enabled.
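As an added illustration of the correlation this detection performs (example code written for this page, not the platform's Sigma rule or any telemetry from the page): it pairs Security event 4698 (a scheduled task was created) with 4699 (a scheduled task was deleted) for the same task name on the same host and reports pairs that fall within the five-minute window. The pipe-delimited log format, host names, task names and user names are constructed for the example; real 4698/4699 records carry these fields in XML.

```python
from datetime import datetime

# Constructed sample Security log records (not real telemetry). Event ID 4698 is
# "A scheduled task was created" and 4699 is "A scheduled task was deleted";
# both are only logged when "Audit Other Object Access Events" is enabled.
SAMPLE_EVENTS = [
    "2024-05-01T10:00:05Z|4698|WS01|CORP\\alice|\\Microsoft\\Windows\\Backup\\Nightly",
    "2024-05-01T10:01:12Z|4698|WS01|CORP\\svc-deploy|\\Update",
    "2024-05-01T10:03:40Z|4699|WS01|CORP\\svc-deploy|\\Update",
    "2024-05-01T10:09:30Z|4699|WS02|CORP\\bob|\\Cleanup",
    "2024-05-01T10:02:00Z|4698|WS02|CORP\\bob|\\Cleanup",  # arrives out of order
    "2024-05-01T10:10:00Z|4699|WS02|CORP\\bob|\\NeverSeenCreated",
]

TASK_CREATED, TASK_DELETED = 4698, 4699


def parse_event(line):
    """Split one pipe-delimited record into a dict with a parsed timestamp."""
    ts, event_id, host, user, task = line.split("|", 4)
    return {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event_id": int(event_id), "host": host, "user": user, "task": task}


def find_temporary_tasks(lines, window_seconds=300):
    """Return (host, task, creating_user, seconds_alive) for every task deleted
    within window_seconds of its most recent creation on the same host. Events
    are sorted first, so out-of-order ingestion is tolerated; a deletion with no
    matching creation, or one outside the window, is not reported."""
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["time"])
    pending = {}  # (host, task) -> creation event still waiting for a deletion
    hits = []
    for ev in events:
        key = (ev["host"], ev["task"])
        if ev["event_id"] == TASK_CREATED:
            pending[key] = ev  # a re-creation supersedes the earlier creation
        elif ev["event_id"] == TASK_DELETED:
            created = pending.pop(key, None)
            if created is None:
                continue
            alive = (ev["time"] - created["time"]).total_seconds()
            if alive <= window_seconds:
                hits.append((ev["host"], ev["task"], created["user"], alive))
    return hits


if __name__ == "__main__":
    for host, task, user, alive in find_temporary_tasks(SAMPLE_EVENTS):
        print(f"{host}: task {task!r} created by {user} was deleted after {alive:.0f}s")
```

Only the \Update task on WS01 is reported with the default window; the WS02 \Cleanup task lived 450 seconds and the orphaned deletion has no creation to pair with.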

Attack Chain

  1. An attacker gains initial access to the target system. (T1053.005)
  2. The attacker uses legitimate Windows utilities like schtasks.exe or PowerShell cmdlets to create a new scheduled task.
  3. The scheduled task is configured to execute a malicious payload, such as a script or executable. The payload could be staged on disk or downloaded from a remote server.
  4. The scheduled task executes the malicious payload, achieving the attacker’s objective (e.g., establishing persistence, executing commands, or deploying malware).
  5. The attacker, or the malicious payload itself, uses schtasks.exe or PowerShell to delete the scheduled task.
  6. The deletion occurs within a short time (less than 5 minutes) after task creation to minimize the window for detection.
  7. The attacker may also delete associated log files or other artifacts to further cover their tracks.
  8. The attacker achieves their objective, such as maintaining persistence, escalating privileges, or exfiltrating data.

Impact

Successful exploitation can lead to persistent access, arbitrary code execution, privilege escalation, and data compromise. While the specific impact varies depending on the attacker’s objectives, the ability to execute code via scheduled tasks provides a significant foothold within the compromised system. This can lead to lateral movement, data exfiltration, or further compromise of the network.

Recommendation

  • Enable “Audit Other Object Access Events” in Windows Security Event Logs to generate the necessary events for detection.
  • Deploy the Sigma rule “Temporarily Scheduled Task Creation” to your SIEM to detect rapid task creation and deletion.
  • Investigate any alerts generated by the Sigma rule to determine if the activity is legitimate or malicious.
  • Monitor scheduled task creation events for unusual task names, command-line arguments, or user accounts.
  • Implement application control policies to restrict the execution of unauthorized executables and scripts.

Detection coverage (2 rules)

Temporarily Scheduled Task Creation via Schtasks

medium

Detects the creation and deletion of a scheduled task via schtasks within a short time frame, indicative of potential malicious activity.

Format: Sigma. Tactics: execution, persistence. Techniques: T1053.005. Sources: process_creation, windows.

Temporarily Scheduled Task Creation via PowerShell

medium

Detects the creation and deletion of a scheduled task via PowerShell cmdlets within a short time frame.

Format: Sigma. Tactics: execution, persistence. Techniques: T1053.005. Sources: process_creation, windows.
