schtasks.exe
- File Path:
C:\Windows\SysWOW64\schtasks.exe
- Description: Task Scheduler Configuration Tool
Hashes
Type | Hash |
---|---|
MD5 | 478BEAEC1C3A9417272BC8964ADD1CEE |
SHA1 | AF506B15498F0DB1A4E350CC26F2A60D6C12146C |
SHA256 | 9A121ACF7686D2883E524332111D5E4BCC0C1A8E81136486FBA4CA65CA614407 |
SHA384 | 730439E553BE32858B61763A0494AA8C83819D5443A314FDDF3345C363678EBD1CDA2CA839C60BFD6C4F2CC4258C6CC1 |
SHA512 | 9BEE95AC2615C8C6DE71A03565806D990B946E86007485FE6333B3A27598F9FB1B45418D4619E1A21A5C9FAB6D5BBAD4DC05CFFDE2CD8A92F37941B26E30C936 |
SSDEEP | 3072:0+Am6DXkRLZKzdoR/xMefkcHbiBduCo5VJtKCc7GHphFZnUBnAat7d:0Y6MZQohlW/c7KCciJh7UBnz |
IMP | 918DBB01101BFA7F1042CCA9520D2A05 |
PESHA1 | 681BB387AF6C4914A4450992A76EAFD23131DF7D |
PE256 | 3E2F62CC190933AB35F31534040F606F21B1313AE497497569DCA2342AD275C5 |
Runtime Data
Usage (stdout):
SCHTASKS /parameter [arguments]
Description:
Enables an administrator to create, delete, query, change, run and
end scheduled tasks on a local or remote system.
Parameter List:
/Create Creates a new scheduled task.
/Delete Deletes the scheduled task(s).
/Query Displays all scheduled tasks.
/Change Changes the properties of scheduled task.
/Run Runs the scheduled task on demand.
/End Stops the currently running scheduled task.
/ShowSid Shows the security identifier corresponding to a scheduled task name.
/? Displays this help message.
Examples:
SCHTASKS
SCHTASKS /?
SCHTASKS /Run /?
SCHTASKS /End /?
SCHTASKS /Create /?
SCHTASKS /Delete /?
SCHTASKS /Query /?
SCHTASKS /Change /?
SCHTASKS /ShowSid /?
Usage (stderr):
ERROR: Invalid argument/option - '--help'.
Type "SCHTASKS /QUERY /?" for usage.
Loaded Modules:
Path |
---|
C:\Windows\SYSTEM32\ntdll.dll |
C:\Windows\System32\wow64.dll |
C:\Windows\System32\wow64cpu.dll |
C:\Windows\System32\wow64win.dll |
C:\Windows\SysWOW64\schtasks.exe |
Signature
- Status: Signature verified.
- Serial:
33000002EC6579AD1E670890130000000002EC
- Thumbprint:
F7C2F2C96A328C13CDA8CDB57B715BDEA2CBD1D9
- Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: schtasks.exe.mui
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.19041.1 (WinBuild.160101.0800)
- Product Version: 10.0.19041.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 32-bit
File Scan
- VirusTotal Detections: 0/73
- VirusTotal Link: https://www.virustotal.com/gui/file/9a121acf7686d2883e524332111d5e4bcc0c1a8e81136486fba4ca65ca614407/detection
File Similarity (ssdeep match)
File | Score |
---|---|
C:\Windows\SysWOW64\schtasks.exe | 86 |
Possible Misuse
The following table contains possible examples of schtasks.exe
being misused. While schtasks.exe
is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
Source | Source File | Example | License |
---|---|---|---|
sigma | godmode_sigma_rule.yml | - 'schtasks* /create *AppData' # Scheduled task creation pointing to AppData |
DRL 1.0 |
sigma | godmode_sigma_rule.yml | - '\schtasks.exe' |
DRL 1.0 |
sigma | win_rare_schtasks_creations.yml | title: Rare Schtasks Creations |
DRL 1.0 |
sigma | sysmon_suspicious_remote_thread.yml | - '\schtasks.exe' |
DRL 1.0 |
sigma | file_event_win_win_shell_write_susp_directory.yml | - '\schtasks.exe' |
DRL 1.0 |
sigma | image_load_suspicious_dbghelp_dbgcore_load.yml | - '\schtasks.exe' |
DRL 1.0 |
sigma | proc_creation_win_abusing_windows_telemetry_for_persistence.yml | - 'schtasks' |
DRL 1.0 |
sigma | proc_creation_win_apt_actinium_persistence.yml | - 'schtasks' |
DRL 1.0 |
sigma | proc_creation_win_apt_hafnium.yml | - 'schtasks' |
DRL 1.0 |
sigma | proc_creation_win_apt_slingshot.yml | Image\|endswith: '\schtasks.exe' |
DRL 1.0 |
sigma | proc_creation_win_monitoring_for_persistence_via_bits.yml | - http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html |
DRL 1.0 |
sigma | proc_creation_win_multiple_suspicious_cli.yml | - schtasks.exe |
DRL 1.0 |
sigma | proc_creation_win_office_shell.yml | - '\schtasks.exe' |
DRL 1.0 |
sigma | proc_creation_win_outlook_shell.yml | - '\schtasks.exe' |
DRL 1.0 |
sigma | proc_creation_win_powersploit_empire_schtasks.yml | title: Default PowerSploit and Empire Schtasks Persistence |
DRL 1.0 |
sigma | proc_creation_win_powersploit_empire_schtasks.yml | - https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/persistence/userland/schtasks.py |
DRL 1.0 |
sigma | proc_creation_win_powersploit_empire_schtasks.yml | - https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/persistence/elevated/schtasks.py |
DRL 1.0 |
sigma | proc_creation_win_powersploit_empire_schtasks.yml | Image\|endswith: '\schtasks.exe' |
DRL 1.0 |
sigma | proc_creation_win_script_event_consumer_spawn.yml | - '\schtasks.exe' |
DRL 1.0 |
sigma | proc_creation_win_shell_spawn_susp_program.yml | - '\schtasks.exe' |
DRL 1.0 |
sigma | proc_creation_win_stordiag_execution.yml | description: Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe |
DRL 1.0 |
sigma | proc_creation_win_stordiag_execution.yml | - '\schtasks.exe' |
DRL 1.0 |
sigma | proc_creation_win_susp_disable_raccine.yml | - 'schtasks' |
DRL 1.0 |
sigma | proc_creation_win_susp_schtasks_disable.yml | Image\|endswith: \schtasks.exe |
DRL 1.0 |
sigma | proc_creation_win_susp_schtasks_env_folder.yml | title: Suspicius Schtasks From Env Var Folder |
DRL 1.0 |
sigma | proc_creation_win_susp_schtasks_env_folder.yml | Image\|endswith: 'schtasks.exe' |
DRL 1.0 |
sigma | proc_creation_win_susp_schtasks_parent.yml | Image\|endswith: 'schtasks.exe' |
DRL 1.0 |
sigma | proc_creation_win_susp_schtasks_pattern.yml | Image\|endswith: 'schtasks.exe' |
DRL 1.0 |
sigma | proc_creation_win_susp_schtasks_user_temp.yml | description: schtasks.exe create task from user AppData\Local\Temp |
DRL 1.0 |
sigma | proc_creation_win_susp_schtasks_user_temp.yml | schtasks: |
DRL 1.0 |
sigma | proc_creation_win_susp_schtasks_user_temp.yml | Image\|endswith: 'schtasks.exe' |
DRL 1.0 |
sigma | proc_creation_win_susp_schtasks_user_temp.yml | condition: schtasks and option and not 1 of filter_* |
DRL 1.0 |
sigma | proc_creation_win_susp_schtask_creation.yml | Image\|endswith: '\schtasks.exe' |
DRL 1.0 |
sigma | proc_creation_win_susp_schtask_creation_temp_folder.yml | Image\|endswith: '\schtasks.exe' |
DRL 1.0 |
sigma | proc_creation_win_susp_servu_process_pattern.yml | - '\schtasks.exe' |
DRL 1.0 |
sigma | proc_creation_win_susp_shell_spawn_by_java.yml | - '\schtasks.exe' |
DRL 1.0 |
sigma | proc_creation_win_susp_shell_spawn_by_java_keytool.yml | - '\schtasks.exe' |
DRL 1.0 |
sigma | proc_creation_win_susp_shell_spawn_from_winrm.yml | - '*\schtasks.exe' |
DRL 1.0 |
sigma | proc_creation_win_susp_spoolsv_child_processes.yml | - \schtasks.exe |
DRL 1.0 |
sigma | proc_creation_win_webshell_detection.yml | - '\schtasks.exe' |
DRL 1.0 |
sigma | proc_creation_win_win10_sched_task_0day.yml | Image\|endswith: '\schtasks.exe' |
DRL 1.0 |
sigma | win_remote_schtask.yml | title: Remote Schtasks Creation |
DRL 1.0 |
LOLBAS | Schtasks.yml | Name: Schtasks.exe |
|
LOLBAS | Schtasks.yml | - Command: schtasks /create /sc minute /mo 1 /tn "Reverse shell" /tr c:\some\directory\revshell.exe |
|
LOLBAS | Schtasks.yml | - Command: schtasks /create /s targetmachine /tn "MyTask" /tr c:\some\directory\notevil.exe /sc daily |
|
LOLBAS | Schtasks.yml | - Path: c:\windows\system32\schtasks.exe |
|
LOLBAS | Schtasks.yml | - Path: c:\windows\syswow64\schtasks.exe |
|
LOLBAS | Stordiag.yml | Description: Once executed, Stordiag.exe will execute schtasks.exe systeminfo.exe and fltmc.exe - if stordiag.exe is copied to a folder and an arbitrary executable is renamed to one of these names, stordiag.exe will execute it. |
|
LOLBAS | Stordiag.yml | - IOC: systeminfo.exe, fltmc.exe or schtasks.exe being executed outside of their normal path of c:\windows\system32\ or c:\windows\syswow64\ |
|
malware-ioc | misp-dukes-operation-ghost-event.json | "description": "Utilities such as [at](https://attack.mitre.org/software/S0110) and [schtasks](https://attack.mitre.org/software/S0111), along with the Windows Task Scheduler, can be used to schedule programs or scripts to be executed at a date and time. A task can also be scheduled on a remote system, provided the proper authentication is met to use RPC and file and printer sharing is turned on. Scheduling a task on a remote system typically required being a member of the Administrators group on the the remote system. (Citation: TechNet Task Scheduler Security)\n\nAn adversary may use task scheduling to execute programs at system startup or on a scheduled basis for persistence, to conduct remote Execution as part of Lateral Movement, to gain SYSTEM privileges, or to run a process under the context of a specified account.", |
© ESET 2014-2018 |
malware-ioc | misp_invisimole.json | "description": "Utilities such as [at](https://attack.mitre.org/software/S0110) and [schtasks](https://attack.mitre.org/software/S0111), along with the Windows Task Scheduler, can be used to schedule programs or scripts to be executed at a date and time. A task can also be scheduled on a remote system, provided the proper authentication is met to use RPC and file and printer sharing is turned on. Scheduling a task on a remote system typically required being a member of the Administrators group on the remote system. (Citation: TechNet Task Scheduler Security)\n\nAn adversary may use task scheduling to execute programs at system startup or on a scheduled basis for persistence, to conduct remote Execution as part of Lateral Movement, to gain SYSTEM privileges, or to run a process under the context of a specified account.", |
© ESET 2014-2018 |
malware-ioc | oceanlotus-rtf_ocx_campaigns.misp.event.json | "description": "Utilities such as at and schtasks, along with the Windows Task Scheduler, can be used to schedule programs or scripts to be executed at a date and time. A task can also be scheduled on a remote system, provided the proper authentication is met to use RPC and file and printer sharing is turned on. Scheduling a task on a remote system typically required being a member of the Administrators group on the the remote system. (Citation: TechNet Task Scheduler Security)\n\nAn adversary may use task scheduling to execute programs at system startup or on a scheduled basis for persistence, to conduct remote Execution as part of Lateral Movement, to gain SYSTEM privileges, or to run a process under the context of a specified account.\n\nDetection: Monitor scheduled task creation from common utilities using command-line invocation. Legitimate scheduled tasks may be created during installation of new software or through system administration functions. Monitor process execution from the <code>svchost.exe<\/code> in Windows 10 and the Windows Task Scheduler <code>taskeng.exe<\/code> for older versions of Windows. (Citation: Twitter Leoloobeek Scheduled Task) If scheduled tasks are not used for persistence, then the adversary is likely to remove the task when the action is complete. Monitor Windows Task Scheduler stores in <code>%systemroot%\\System32\\Tasks<\/code> for change entries related to scheduled tasks that do not correlate with known software, patch cycles, etc. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.\n\nConfigure event logging for scheduled task creation and changes by enabling the \"Microsoft-Windows-TaskScheduler\/Operational\" setting within the event logging service. (Citation: TechNet Forum Scheduled Task Operational Setting) Several events will then be logged on scheduled task activity, including: (Citation: TechNet Scheduled Task Events)\n\n*Event ID 106 - Scheduled task registered\n*Event ID 140 - Scheduled task updated\n*Event ID 141 - Scheduled task removed\n\nTools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current scheduled tasks. (Citation: TechNet Autoruns) Look for changes to tasks that do not correlate with known software, patch cycles, etc. Suspicious program execution through scheduled tasks may show up as outlier processes that have not been seen before when compared against historical data.\n\nMonitor processes and command-line arguments for actions that could be taken to create tasks. Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. Tasks may also be created through Windows system management tools such as Windows Management Instrumentation and PowerShell, so additional logging may need to be configured to gather the appropriate data.\n\nPlatforms: Windows\n\nData Sources: File monitoring, Process command-line parameters, Process monitoring, Windows event logs\n\nEffective Permissions: Administrator, SYSTEM, User\n\nPermissions Required: Administrator, SYSTEM, User\n\nRemote Support: Yes\n\nContributors: Travis Smith, Tripwire, Leo Loobeek, @leoloobeek, Alain Homewood, Insomnia Security", |
© ESET 2014-2018 |
atomic-red-team | index.md | - Atomic Test #1: Creating W32Time similar named service using schtasks [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #1: Creating W32Time similar named service using schtasks [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | T1036.004.md | <blockquote>Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or benign. Tasks/services executed by the Task Scheduler or systemd will typically be given a name and/or description.(Citation: TechNet Schtasks)(Citation: Systemd Service Units) Windows services will have a service name as well as a display name. Many benign tasks and services exist that have commonly associated names. Adversaries may give tasks or services names that are similar or identical to those of legitimate ones. | MIT License. © 2018 Red Canary |
atomic-red-team | T1036.004.md | - Atomic Test #1 - Creating W32Time similar named service using schtasks | MIT License. © 2018 Red Canary |
atomic-red-team | T1036.004.md | ## Atomic Test #1 - Creating W32Time similar named service using schtasks | MIT License. © 2018 Red Canary |
atomic-red-team | T1036.004.md | Creating W32Time similar named service (win32times) using schtasks just like threat actor dubbed “Operation Wocao” | MIT License. © 2018 Red Canary |
atomic-red-team | T1036.004.md | schtasks /create /ru system /sc daily /tr “cmd /c powershell.exe -ep bypass -file c:\T1036.004_NonExistingScript.ps1” /tn win32times /f | MIT License. © 2018 Red Canary |
atomic-red-team | T1036.004.md | schtasks /query /tn win32times | MIT License. © 2018 Red Canary |
atomic-red-team | T1036.004.md | schtasks /tn win32times /delete /f | MIT License. © 2018 Red Canary |
atomic-red-team | T1053.002.md | Note: The at.exe command line utility has been deprecated in current versions of Windows in favor of schtasks .</blockquote> |
MIT License. © 2018 Red Canary |
atomic-red-team | T1053.005.md | <blockquote>Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library to create a scheduled task. |
MIT License. © 2018 Red Canary |
atomic-red-team | T1053.005.md | The deprecated at utility could also be abused by adversaries (ex: At (Windows)), though at.exe can not access tasks created with schtasks or the Control Panel. |
MIT License. © 2018 Red Canary |
atomic-red-team | T1053.005.md | schtasks /create /tn “T1053_005_OnLogon” /sc onlogon /tr “cmd.exe /c calc.exe” | MIT License. © 2018 Red Canary |
atomic-red-team | T1053.005.md | schtasks /create /tn “T1053_005_OnStartup” /sc onstart /ru system /tr “cmd.exe /c calc.exe” | MIT License. © 2018 Red Canary |
atomic-red-team | T1053.005.md | schtasks /delete /tn “T1053_005_OnLogon” /f >nul 2>&1 | MIT License. © 2018 Red Canary |
atomic-red-team | T1053.005.md | schtasks /delete /tn “T1053_005_OnStartup” /f >nul 2>&1 | MIT License. © 2018 Red Canary |
atomic-red-team | T1053.005.md | SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time} | MIT License. © 2018 Red Canary |
atomic-red-team | T1053.005.md | SCHTASKS /Delete /TN spawn /F >nul 2>&1 | MIT License. © 2018 Red Canary |
atomic-red-team | T1053.005.md | SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN “Atomic task” /TR “#{task_command}” /SC daily /ST #{time} | MIT License. © 2018 Red Canary |
atomic-red-team | T1053.005.md | SCHTASKS /Delete /S #{target} /U #{user_name} /P #{password} /TN “Atomic task” /F >nul 2>&1 | MIT License. © 2018 Red Canary |
atomic-red-team | T1053.005.md | schtasks.exe /Create /F /TN “ATOMIC-T1053.005” /TR “cmd /c start /min "" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\SOFTWARE\ATOMIC-T1053.005).test)))” /sc daily /st #{time} | MIT License. © 2018 Red Canary |
atomic-red-team | T1053.005.md | schtasks /delete /tn “ATOMIC-T1053.005” /F >nul 2>&1 | MIT License. © 2018 Red Canary |
atomic-red-team | T1490.md | Use schtasks.exe to disable the System Restore (SR) scheduled task | MIT License. © 2018 Red Canary |
atomic-red-team | T1490.md | schtasks.exe /Change /TN “\Microsoft\Windows\SystemRestore\SR” /disable | MIT License. © 2018 Red Canary |
atomic-red-team | T1490.md | schtasks.exe /Change /TN “\Microsoft\Windows\SystemRestore\SR” /enable >nul 2>&1 | MIT License. © 2018 Red Canary |
atomic-red-team | T1548.002.md | schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I | MIT License. © 2018 Red Canary |
atomic-red-team | T1548.002.md | Target: \system32\svchost.exe via \system32\schtasks.exe | MIT License. © 2018 Red Canary |
signature-base | apt_apt34.yar | $x6 = “schtasks /create /F /ru SYSTEM /sc minute /mo 1 /tn” wide | CC BY-NC 4.0 |
signature-base | apt_fin7_backdoor.yar | $x3 = “schtasks /Create /f /tn "GoogleUpdateTaskMachineSystem" /tr "wscript.exe” ascii nocase | CC BY-NC 4.0 |
signature-base | apt_fin7_backdoor.yar | $x4 = “schtasks /Delete /F /TN ""GoogleUpdateTaskMachineCore” ascii nocase | CC BY-NC 4.0 |
signature-base | apt_fin7_backdoor.yar | $x5 = “schtasks /Delete /F /TN "GoogleUpdateTaskMachineCore” ascii nocase | CC BY-NC 4.0 |
signature-base | apt_irontiger.yar | $s3 = “C:\Windows\System32\cmd.exe /C schtasks /create /tn "\Microsoft\Windows\PLA\System\Microsoft Windows" /tr “ fullword ascii | CC BY-NC 4.0 |
signature-base | apt_irontiger.yar | $s4 = “C:\Windows\System32\cmd.exe /C schtasks /create /tn "Microsoft Windows" /tr “ fullword ascii | CC BY-NC 4.0 |
signature-base | apt_khrat.yar | $x1 = “CreateObject("WScript.Shell").Run "schtasks /create /sc MINUTE /tn” ascii | CC BY-NC 4.0 |
signature-base | apt_lazarus_dec17.yar | $x4 = “$cmdSchedule = ‘schtasks /create /tn "ProxyServerUpdater"” ascii | CC BY-NC 4.0 |
signature-base | apt_oilrig.yar | $s6 = “schtasks /create /F /sc minute /mo “ fullword ascii | CC BY-NC 4.0 |
signature-base | apt_oilrig.yar | $two1 = “& SchTasks /Delete /F /TN “ ascii wide | CC BY-NC 4.0 |
signature-base | apt_oilrig.yar | $two3 = “vbs = "cmd.exe /c SchTasks” ascii wide | CC BY-NC 4.0 |
signature-base | apt_oilrig.yar | $x2 = “schtasks /create /F /ru SYSTEM /sc minute /mo 10 /tn” | CC BY-NC 4.0 |
signature-base | apt_oilrig_oct17.yar | $x1 = “cmd /c schtasks /query /tn TimeUpdate > NUL 2>&1” ascii | CC BY-NC 4.0 |
signature-base | apt_oilrig_oct17.yar | $x2 = “schtasks /create /sc minute /mo 0002 /tn TimeUpdate /tr” fullword ascii | CC BY-NC 4.0 |
signature-base | apt_rancor.yar | $x3 = “CreateObject("Wscript.Shell").Run "schtasks /create” ascii | CC BY-NC 4.0 |
signature-base | crime_badrabbit.yar | $x1 = “schtasks /Create /SC ONCE /TN viserion_%u /RU SYSTEM /TR "%ws" /ST” fullword wide | CC BY-NC 4.0 |
signature-base | crime_badrabbit.yar | $x2 = “schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "%ws /C Start \"\" \"%wsdispci.exe\"” fullword wide | CC BY-NC 4.0 |
signature-base | crime_cn_campaign_njrat.yar | $x2 = “schtasks /create /sc minute /mo 1 /tn Server /tr “ fullword wide | CC BY-NC 4.0 |
signature-base | crime_fireball.yar | $x2 = “schtasks /Create /SC HOURLY /MO %d /ST 00:%02d:00 /TN "%s" /TR "%s" /RU "SYSTEM"” fullword wide | CC BY-NC 4.0 |
signature-base | crime_nopetya_jun17.yar | $s5 = “schtasks %ws/Create /SC once /TN "" /TR "%ws" /ST %02d:%02d” fullword wide | CC BY-NC 4.0 |
signature-base | gen_recon_indicators.yar | $s15 = “schtasks.exe /create “ ascii nocase | CC BY-NC 4.0 |
signature-base | gen_rottenpotato.yar | $x3 = “/C schtasks.exe /Create /TN omg /TR” fullword wide | CC BY-NC 4.0 |
signature-base | mal_ransom_lorenz.yar | $x1 = “process call create "cmd.exe /c schtasks /Create /F /RU System /SC ONLOGON “ ascii fullword | CC BY-NC 4.0 |
signature-base | mal_ransom_lorenz.yar | $s1 = “process call create "cmd.exe /c schtasks /Create /F “ ascii fullword | CC BY-NC 4.0 |
signature-base | thor-hacktools.yar | $s0 = “objShell.Run "schtasks /change /TN wDw00t /disable",,True” fullword ascii | CC BY-NC 4.0 |
signature-base | thor-hacktools.yar | $s3 = “objShell.Run "schtasks /run /TN wDw00t",,True” fullword ascii | CC BY-NC 4.0 |
signature-base | thor-hacktools.yar | $s6 = “a.WriteLine ("schtasks /delete /f /TN wDw00t")” fullword ascii | CC BY-NC 4.0 |
signature-base | thor-hacktools.yar | $s11 = “Set objExecObject = objShell.Exec("cmd /c schtasks /query /XML /TN wDw00t")” fullword ascii | CC BY-NC 4.0 |
signature-base | thor-hacktools.yar | $s12 = “objShell.Run "schtasks /create /TN wDw00t /sc monthly /tr """+biatchFile+"” ascii | CC BY-NC 4.0 |
Additional Info*
*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.
schtasks commands
Schedules commands and programs to run periodically or at a specific time, adds and removes tasks from the schedule, starts and stops tasks on demand, and displays and changes scheduled tasks.
[!NOTE] The schtasks.exe tool performs the same operations as Scheduled Tasks in Control Panel. You can use these tools together and interchangeably.
Required permissions
-
To schedule, view, and change all tasks on the local computer, you must be a member of the Administrators group.
-
To schedule, view, and change all tasks on the remote computer, you must be a member of the Administrators group on the remote computer, or you must use the /u parameter to provide the credentials of an Administrator of the remote computer.
-
You can use the /u parameter in a /create or /change operation if the local and remote computers are in the same domain, or if the local computer is in a domain that the remote computer domain trusts. Otherwise, the remote computer can’t authenticate the user account specified, and it can’t verify that the account is a member of the Administrators group.
-
The task you plan to run must have the appropriate permission; these permissions vary by task. By default, tasks run with the permissions of the current user of the local computer, or with the permissions of the user specified by the /u parameter, if one is included. To run a task with permissions of a different user account or with system permissions, use the /ru parameter.
Syntax
schtasks change
schtasks create
schtasks delete
schtasks end
schtasks query
schtasks run
Parameters
Parameter | Description |
---|---|
schtasks change | Changes one or more of the following properties of a task:<ul><li>The program that the task runs (/tr)</li><li>The user account under which the task runs (/ru)</li><li>The password for the user account (/rp)</li><li>Adds the interactive-only property to the task (/it)</li></ul> |
schtasks create | Schedules a new task. |
schtasks delete | Deletes a scheduled task. |
schtasks end | Stops a program started by a task. |
schtasks query | Displays tasks scheduled to run on the computer. |
schtasks run | Starts a scheduled task immediately. The run operation ignores the schedule, but uses the program file location, user account, and password saved in the task to run the task immediately. |
Additional References
MIT License. Copyright (c) 2020-2021 Strontic.