Introduction

If you’ve ever used Windows Task Scheduler, you know it’s a handy tool—it lets you automate things like updates, backups, or running scripts at specific times. But here’s the thing: attackers love it too.

Hackers often use scheduled tasks to run their malware in the background, stay on a system even after a reboot, or come back later without raising alarms. Since it’s a built-in Windows feature, it doesn’t always stand out right away.

That’s why monitoring scheduled task creation is a big deal in security. If you’re running a SOC, doing threat hunting, or managing endpoint detection, spotting weird or suspicious tasks can help you catch an attack before it does real damage.

In this post, we’ll go through:

  • What a scheduled task is and how it works on Windows.

  • How attackers use it to stay hidden or execute malicious files.

  • Some known CVEs and techniques tied to this kind of abuse.

  • A real-world example (PoC) where we simulate a malicious task.

  • How you can detect it in Logstail, trigger an alert, and respond automatically using Logstail SOAR.

What is a Scheduled Task in Windows?

Windows has a built-in tool called Task Scheduler that lets you automate things on your system. You can set it to run programs, scripts, or commands at specific times, on system startup, or even when a certain event happens.

Why is it useful?

For system administrators, it’s super helpful for handling routine jobs like:

  • Running backup scripts every night

  • Installing updates

  • Cleaning up temp files

  • Launching monitoring tools on boot

Basically, anything repetitive that you don’t want to trigger manually—Task Scheduler can do it for you automatically.

What does it look like?

If you open Task Scheduler on your Windows machine, you’ll see a list of tasks that are set up already—some from Windows itself, others possibly from installed apps or scripts.

Windows Task Scheduler UI

Each task has:

  • A trigger (when it runs)

  • An action (what it does)

  • And sometimes conditions (only run if on AC power, etc.)

The flip side

While it’s a great tool for legit automation, attackers know this too—and they use it to run their own malicious payloads without needing user interaction. That’s where things start to get dangerous… and where detection becomes key.

How Adversaries Exploit Scheduled Tasks

MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a framework created by MITRE Corporation that organizes and categorizes the actions (called tactics and techniques) that attackers use when compromising computer systems.

MITRE ATT&CK Mapping

Scheduled tasks aren’t just for sysadmins—attackers love them too. Once they’re inside a machine, creating a scheduled task is a low-noise, high-reward way to:

  • Persist across reboots

  • Escalate privileges

  • Or silently execute malicious code over and over

It’s especially sneaky because it looks like normal system behavior unless you’re actively monitoring for it.

Common Abuse Scenarios

  • A malware dropper sets a scheduled task to run its payload every 5 minutes.

  • A malicious PowerShell script is hidden in a temp directory and triggered at user login.

  • A task is created to run a Living-off-the-Land Binary (LOLBin) like rundll32 or mshta, to avoid antivirus detection.

These tools are all commonly abused:

  • cmd.exe – command line access

  • powershell.exe / pwsh – powerful scripting and download capability

  • regsvr32.exe, rundll32.exe – for loading DLLs

  • mshta.exe – runs HTML applications (HTA), often used for initial payloads

  • certutil.exe – used to download files from the internet

  • bitsadmin.exe – another file downloader

  • wscript.exe, cscript.exe – for running VBS/JS scripts

 

Example Attack Scenario

Let’s say an attacker gains access to a system. Instead of just dropping malware and risking instant detection, they do this:

schtasks /create /tn “Updater” /tr “cmd.exe /c C:\Users\Public\payload.bat” /sc minute /mo 10
 
 
What this command do:
Part Meaning
schtasks The Windows command-line tool used to manage scheduled tasks.
/create Creates a new task.
/tn "Updater" Gives the task the name Updater.
/tr "cmd.exe /c C:\Users\Public\payload.bat" Runs cmd.exe to execute the payload.bat script. The /c flag tells CMD to run and close.
/sc minute Sets the schedule to run every minute.
/mo 10 Modifies the frequency to run every 10 minutes.

 

Notable Real-World CVEs

  • CVE-2020-0796 (SMBGhost): While this CVE targets a vulnerability in SMBv3, attackers often paired it with scheduled tasks to maintain persistence after exploiting a system.

  • CVE-2019-0841: This flaw allowed attackers to change permissions on a scheduled task and escalate privileges, giving them full control over the system.

 

Proof of Concept (PoC)

  • Walkthrough creating a malicious scheduled task using CMD. (We will use the above command)

  • Example payload: no specific code. (e.g: Here an attacker could create a script for a reverse shell)

First, we create a payload.bat file in this path: C:\Users\Public\

payload

Then, we execute the command:

We can also view this scheduled task directly in the Task Scheduler interface.

task scheduler UI2 payload

Now we will jump to more interesting things like logs, monitoring, alerting and automation with Logstail.  

Logs in Logstail Platform

To monitor for suspicious scheduled task activity, we need visibility into what’s happening on each endpoint. That’s where Logstail’s unified agents come in.

On every endpoint, we install a dedicated agent that collects all kinds of event data—security logs, process creation events, network activity, and more. These agents are highly customizable: you can fine-tune them to send only the data you care about, or reduce ingestion if you’re managing resource limits or storage.

All this data gets sent to the Logstail Platform, where you can search, visualize, and analyze it in real time. One of the most useful features is the Discover view. This is where you can dig into raw logs and apply custom queries to find exactly what you’re looking for.

What We’re Looking For: Scheduled Task Creation

Windows logs scheduled task creation under Security Event ID 4698. This event tells us when a new task is created, along with details about its name, location, and what it’s supposed to run.

To catch potentially malicious tasks, we can use a Lucene query in Logstail Platform to filter for:

  • Suspicious file paths (e.g., tasks created in AppData, Temp, Downloads, Public)

  • Suspicious commands or tools used in the task (e.g., cmd.exe, powershell, regsvr32, etc.)

Here’s the query we’ll use:

winlog.channel:Security AND (event.code:4698 AND (winlog.event_data.TaskContent:(*\\AppData\\Local\\Temp\\* OR *\\AppData\\Roaming\\* OR *\\Users\\Public\\* OR *\\WINDOWS\\Temp\\* OR *C\:\\Temp\\* OR *\\Desktop\\* OR *\\Downloads\\* OR *\\Temporary\ Internet* OR *C\:\\ProgramData\\* OR *C\:\\Perflogs\\*)) AND (winlog.event_data.TaskContent:(*regsvr32* OR *rundll32* OR *cmd.exe* OR *cmd* OR *powershell* OR *pwsh* OR *mshta* OR *wscript* OR *cscript* OR *certutil* OR *bitsadmin* OR *bash.exe* OR *bash\ * OR *scrcons* OR *wmic\ * OR *wmic.exe* OR *forfiles* OR *scriptrunner* OR *hh.exe*)))

  Scheduled Task Logs  

Alert in Logstail SOAR

Once the suspicious scheduled task is logged and picked up by our Lucene query, the next step is automated alerting — and this is where Logstail SOAR really shines.

What’s powerful about Logstail is that you don’t have to build everything from scratch. The platform already includes over 3,000 preconfigured detection rules, all based on the open Sigma detection framework. These rules are ready to use and cover a wide range of attacker techniques, including the one we’re focusing on here.

In fact, there’s already a predefined detection rule called “Suspicious Scheduled Task Creation” in Logstail. It uses the exact Lucene query we demonstrated earlier — filtering for Windows Event ID 4698 with suspicious file paths and known malicious command-line tools.

What Happens When It’s Triggered?

When this rule fires, it raises an alert in the Logstail SOAR dashboard, giving you full context:

  • Alert Name: Suspicious Scheduled Task Creation

  • Agent Name: The machine where it was detected

  • Severity: (The severity of the specific Alert) – High

  • Timestamp: When the event occurred

  • View Log: Direct link to the full raw event with the Details (!) feature.

SOAR Schedule Task Creation alert

Also, we can check the log details:

SOAR Schedule Task Creation alert details  

Automated Response with Logstail SOAR Playbook

Detecting a threat is only half the battle — the faster you can respond, the better your chances of stopping the attack before it spreads. That’s where Logstail SOAR playbooks come in.

A playbook is a set of automated actions triggered by specific alerts. Once the alert for Suspicious Scheduled Task Creation is fired, Logstail can automatically run a predefined playbook to investigate, contain, and respond — without waiting for manual intervention.

Playbook Action Demonstration: Disabling the Malicious Scheduled Task and Forensics

In this PoC, the automated playbook we’ll demonstrate does two key things:

  1. Disables the malicious scheduled task
    As soon as the alert is triggered, Logstail SOAR sends a command to the affected endpoint, through the Logstail Agent, to disable the scheduled task — stopping any further execution without removing it, giving the analyst a chance to review it safely.

  2. Performs forensic collection
    The playbook also collects relevant forensic data, including:

      • Local IP info

      • Shadow Copies

      • Open network connections

      • AutoRun registry entries

      • Installed drivers

      • Active and local user accounts

      • Active RDP sessions

      • Running processes

      • Security events from the Windows Event Log

      • And many more — depending on what you need

This gives your team fast visibility into what’s happening on the compromised system — helping you pivot quickly if the threat is spreading or has multiple stages.

Disabling the Malicious Task and Forensics

Disabling the Malicious Scheduled Task

   
Before the Playbook Action                                                                              After the Playbook Action  

Forensics

After the playbook’s forensic actions have run, you can navigate to the Logstail SIEM to download the collected forensic artifacts for further analysis. Logstail provides a wide range of forensic data, and for deeper investigation, you can correlate these findings with log events directly in the Discover view. This allows you to reconstruct the full timeline and understand exactly what happened on the endpoint.

Here is the “Available Files” from Forensics action, you can download from Logstail SIEM.

But this is just the beginning — with Logstail SOAR, you can automate much more, such as:

  • Deleting the malicious executable from suspicious directories like AppData, Temp, or Public

  • Clearing related registry entries

  • Isolating the host from the network

  • Killing processes linked to the scheduled task

  • Also, custom playbooks and kill-switches

 

Final Thoughts

Scheduled tasks are a legitimate and powerful feature in Windows — but in the hands of an attacker, they can be just as powerful for persistence and stealth. That’s why it’s so important to not just log this kind of activity, but to actively monitor, detect, and respond to it.

Using Logstail, you can take a proactive approach:

  • Detect suspicious task creation in real time

  • Automate response with SOAR playbooks

  • Collect forensic data without delay

  • Continuously hunt for signs of compromise across your endpoints

This kind of visibility and automation turns reactive security into proactive defence — and that’s how you stay ahead of modern threats.

 

Want a closer look at what Logstail can do?

We’d love to show you around. Whether you want to explore preconfigured detection rules, customize playbooks, or dive deeper into forensic capabilities:

Contact Our Experts  or Sign Up for Free

0 0 votes
Article Rating