Critical Risk | Windows | Legitimate | Commonly Abused
schtasks.exe (System Utility)

schtasks.exe - Task Scheduler CLI Security Analysis

schtasks.exe is the Windows **Task Scheduler command-line** interface. It is a **primary persistence mechanism** used by attackers to schedule malicious code execution at boot, logon, or specific intervals. Scheduled task creation is present in nearly every Windows attack chain.

Risk Summary

CRITICAL priority for SOC triage. schtasks.exe is heavily abused for persistence. Any "/create" command requires **immediate investigation**. Monitor for task creation running from unusual locations, executing scripts, or targeting SYSTEM context.

Overview

What is schtasks.exe?

schtasks.exe manages Windows scheduled tasks from the command line.

Core Functions

Task Management:

  • Create scheduled tasks
  • Delete tasks
  • Query task status
  • Run tasks immediately

Security Significance

  • Persistence Favorite: Survives reboots
  • SYSTEM Execution: Tasks can run as SYSTEM
  • Time-Based Triggers: Execute at specific times
  • Remote Creation: Can target remote systems

Normal Behavior


Expected Process State

Property    Expected Value
Path        C:\Windows\System32\schtasks.exe
Parent      cmd.exe, powershell.exe
User        Administrator
Context     System administration

Legitimate Usage

schtasks /query
schtasks /run /tn "TaskName"

Common Locations

C:\Windows\System32\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe

Suspicious Indicators

Legitimate vs Suspicious

LEGITIMATE

Command:     schtasks /query
             schtasks /run /tn KnownTask
Context:     System administration
Task:        Known software update

SUSPICIOUS

Command:     schtasks /create /tn MalTask /tr "C:\temp\mal.exe"
             schtasks /create /sc ONLOGON /ru SYSTEM
             schtasks /create /s RemotePC /tn Backdoor
Context:     Unknown task creation
             Executing from unusual paths
             Running as SYSTEM unexpectedly

High-Risk Indicators

Indicator      Risk
/create        HIGH - New task
/ru SYSTEM     CRITICAL - SYSTEM context
/s <remote>    CRITICAL - Remote creation
/sc ONLOGON    HIGH - Persistence
/sc ONSTART    HIGH - Persistence
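As an added example (not part of the original page), a small Python triage helper that parses a schtasks command line taken from a process-creation event and scores it with weights modelled on the High-Risk Indicators table above; the trusted-directory list, the weights and the sample command lines are assumptions constructed for this example.

```python
import re
import shlex

# TRUSTED_DIRS, the weights below and SAMPLES are assumptions constructed for this example.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def parse_schtasks(cmdline):
    """Split a schtasks command line into {flag: value}; value-less flags map to True."""
    tokens = shlex.split(cmdline, posix=False)  # non-POSIX mode keeps backslashes intact
    args, i = {}, 1
    while i < len(tokens):
        flag, value = tokens[i].lower(), True
        if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
            value, i = tokens[i + 1].strip('"'), i + 1  # the flag consumes the next token
        if flag.startswith("/"):
            args[flag] = value
        i += 1
    return args

def triage_schtasks(cmdline):
    """Score one command line with the High-Risk Indicators weights; returns (score, reasons)."""
    a = parse_schtasks(cmdline)
    if "/create" not in a:
        return 0, []  # /query, /run and /delete are the expected admin pattern
    score, reasons = 1, ["/create: new task (HIGH)"]
    ru = str(a.get("/ru", "")).upper().replace("NT AUTHORITY\\", "")
    if ru == "SYSTEM":
        score += 3; reasons.append("/ru SYSTEM: runs in SYSTEM context (CRITICAL)")
    if "/s" in a:
        score += 3; reasons.append("/s %s: remote task creation (CRITICAL)" % a["/s"])
    sc = str(a.get("/sc", "")).upper()
    if sc in ("ONLOGON", "ONSTART"):
        score += 2; reasons.append("/sc %s: boot/logon persistence trigger (HIGH)" % sc)
    tr = str(a.get("/tr", "")).lower()
    if tr and not tr.startswith(TRUSTED_DIRS):
        score += 2; reasons.append("/tr outside trusted directories: " + tr)
    if re.search(r"powershell.*(-ep\s+bypass|-w\s+hidden|iex)", tr):
        score += 2; reasons.append("/tr launches PowerShell with hidden/bypass flags")
    return score, reasons

# Constructed sample command lines modelled on the page's legitimate and suspicious examples.
SAMPLES = {
    "admin_query":  "schtasks /query /v /fo LIST",
    "legit_update": r'schtasks /create /tn "Vendor Update" /tr "C:\Program Files\Vendor\update.exe" /sc DAILY',
    "logon_system": r'schtasks /create /tn "SystemUpdate" /tr "C:\malware\payload.exe" /sc ONLOGON /ru SYSTEM',
    "remote":       r'schtasks /create /s TARGET /tn "Backdoor" /tr "C:\mal.exe" /sc DAILY',
    "ps_payload":   'schtasks /create /tn "Update" /tr "powershell -ep bypass -w hidden -c IEX(...)" /sc ONLOGON',
}
```

Feed it the CommandLine field of Event ID 4688 or Sysmon Event ID 1 records where the image is schtasks.exe; anything scoring above 1 is a task creation outside the expected admin pattern and belongs in the triage queue.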

Abuse Techniques

Attack Techniques

Technique #1: Persistence via Scheduled Task (T1053.005)

Create Persistent Task:

schtasks /create /tn "SystemUpdate" /tr "C:\malware\payload.exe" /sc ONLOGON /ru SYSTEM

Technique #2: Remote Task Creation (T1053.005)

Create Task on Remote System:

schtasks /create /s TARGET /u DOMAIN\admin /p password /tn "Backdoor" /tr "C:\mal.exe" /sc DAILY

Technique #3: PowerShell Payload

schtasks /create /tn "Update" /tr "powershell -ep bypass -w hidden -c IEX(...)" /sc ONLOGON

Technique #4: Immediate Execution

schtasks /create /tn "RunNow" /tr "C:\payload.exe" /sc ONCE /st 00:00
schtasks /run /tn "RunNow"
schtasks /delete /tn "RunNow" /f

Remediation Steps

Protection and Remediation

Defense: Monitor Task Creation

Enable Event ID 4698 (Scheduled task created) in the Security log. It is only generated when the "Audit Other Object Access Events" audit subcategory is turned on.

Defense: Restrict schtasks

Limit scheduled task creation to administrators.

If Compromise Suspected

  1. List all tasks: schtasks /query /v /fo LIST
  2. Check for unknown tasks
  3. Review task executables
  4. Delete malicious tasks: schtasks /delete /tn "MaliciousTask" /f
  5. Hunt for related persistence

Investigation Checklist


  • Review full command line
  • Check for /create commands
  • Identify task executable paths
  • Check for SYSTEM context tasks
  • Review remote task operations
  • List all scheduled tasks
  • Verify task executables exist
  • Check task creation timestamps

MITRE ATT&CK Techniques

  • T1053.005 - Scheduled Task/Job: Scheduled Task

Last verified: January 18, 2026