

This search looks for flags passed to schtasks.exe on the command line that indicate a scheduled task was created or deleted from the command line. This technique has been associated with the Dragonfly threat actor and with the SUNBURST attack against SolarWinds.

  • Type: TTP
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2020-12-17
  • Author: Bhavin Patel, Splunk
  • ID: d5af132c-7c17-439c-9d31-13d55340f36c


ID          Technique            Tactic
T1053.005   Scheduled Task       Execution, Persistence, Privilege Escalation
T1053       Scheduled Task/Job   Execution, Persistence, Privilege Escalation

| tstats `security_content_summariesonly` count
    values(Processes.process) as process
    values(Processes.parent_process) as parent_process
    min(_time) as firstTime max(_time) as lastTime
    from datamodel=Endpoint.Processes
    where Processes.process_name=schtasks.exe (Processes.process=*delete* OR Processes.process=*create*)
    by Processes.user Processes.process_name Processes.parent_process_name Processes.dest
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `scheduled_task_deleted_or_created_via_cmd_filter`

Associated Analytic Story

How To Implement

You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints to populate the Endpoint data model in the Processes node. The command-line arguments are mapped to the "process" field in the Endpoint data model.

Required field

  • _time
  • Processes.process
  • Processes.parent_process
  • Processes.process_name
  • Processes.user
  • Processes.parent_process_name
  • Processes.dest

Kill Chain Phase

  • Actions on Objectives

Known False Positives

Administrators rarely create or delete scheduled tasks manually from the command line, so false positives should be uncommon. Software installers and management scripts that invoke schtasks.exe are the most likely benign source; exclude them through the `scheduled_task_deleted_or_created_via_cmd_filter` macro rather than by loosening the search.


Risk Score   Impact   Confidence   Message
56.0         70       80           A schedule task process $process_name$ with create or delete commandline $process$ in host $dest$


Test Dataset

Replay any dataset to Splunk Enterprise by using our tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.

source | version: 5