Detection rules › Splunk
Schedule Task with HTTP Command Arguments
The following analytic detects the creation of scheduled tasks on Windows systems that include HTTP command arguments, using Windows Security EventCode 4698. It identifies tasks registered via schtasks.exe or TaskService with HTTP in their command arguments. This behavior is significant as it often indicates malware activity or the use of Living off the Land binaries (lolbins) to download additional payloads. If confirmed malicious, this activity could lead to data exfiltration, malware propagation, or unauthorized access to sensitive information, necessitating immediate investigation and mitigation.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1053 Scheduled Task/Job |
| Persistence | T1053 Scheduled Task/Job |
| Privilege Escalation | T1053 Scheduled Task/Job |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 4698 | A scheduled task was created. |
Stages and Predicates
Stage 1: search
search EventCode=4698
Stage 2: xmlkv
xmlkv
Stage 3: search
search Arguments="*http*"
Stage 4: stats
stats BY dest, Task_Name, Command, Author, Enabled, Hidden, Arguments
Stage 5: search
search
Stage 6: search
search
Stage 7: search
search `macro`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
Arguments | in |
|
EventCode | eq |
|
Neighbors
Stricter alternatives (narrower than this rule)
The rules below may be useful if you find the current rule is too noisy / lacks specificity.
- Windows Hidden Schedule Task Settings (adds 1 filter)
- Windows Scheduled Tasks for CompMgmtLauncher or Eventvwr (adds 1 filter)
- WinEvent Scheduled Task Created to Spawn Shell (adds 1 filter)
- WinEvent Scheduled Task Created Within Public Path (adds 1 filter)
Broader alternatives (more inclusive than this rule)
These rules match a superset of what this rule catches. They cover the same events plus more. Use them if you want wider coverage and can absorb more false positives.
- Suspicious Scheduled Task Creation (drops 1 filter this rule applies)