Question Analysis

DeviceProcessEvents | where FileName =~ "schtasks.exe" | distinct FileName

DeviceProcessEvents | where ProcessCommandLine has 'schtasks' | project ProcessCommandLine, InitiatingProcessCommandLine

DeviceProcessEvents | where FileName == 'schtasks.exe' and (ProcessCommandLine contains 'create' or ProcessCommandLine contains '/CREATE' or ProcessCommandLine contains '/create') | project DeviceName, AccountName, AccountDomain, InitiatingProcessParentFileName, ProcessCommandLine, Timestamp | distinct DeviceName, AccountName, AccountDomain, InitiatingProcessParentFileName, ProcessCommandLine, Timestamp

DeviceProcessEvents | where FileName =~ "schtasks.exe" | summarize count() by FileName

DeviceProcessEvents | where ProcessCommandLine has "schtasks" or FileName =~ "schtasks.exe" | summarize count() by FileName | project FileName, Count=count_

DeviceProcessEvents | where FileName in ('schtasks.exe', 'powershell.exe', 'wmic.exe', 'schtasks') | where ProcessCommandLine contains ('register') and (ProcessCommandLine contains ('logon') or ProcessCommandLine contains ('startup') or ProcessCommandLine contains ('boot')) | project TimeGenerated, FileName, ProcessCommandLine, InitiatingProcessFileName, DeviceName, ProcessId, InitiatingProcessId | order by TimeGenerated desc

DeviceProcessEvents | where FileName in ('schtasks.exe', 'taskeng.exe') | where InitiatingProcessCommandLine contains 'create' or InitiatingProcessCommandLine contains 'logon' or InitiatingProcessCommandLine contains 'startup' | project DeviceName, AccountName, FileName, ProcessCommandLine, ProcessCreationTime

DeviceProcessEvents | where ActionType == "ProcessCreated" | where FileName =~ "schtasks.exe" | where ProcessCommandLine contains "/create" | where ProcessCommandLine matches regex @"(?i)/sc\s+(onlogon|onstart)" | summarize by UtilityName = FileName

// Search for executions that indicate scheduled-task creation/registration DeviceProcessEvents | where isnotempty(ProcessCommandLine) or isnotempty(FileName) // Look for known scheduling utilities / patterns and PowerShell cmdlets/flags used to create tasks | where ProcessCommandLine has_any ("schtasks","/create","/Create","Register-ScheduledTask","New-ScheduledTask","-AtLogon","-AtStartup","schtasks.exe","at ") or FileName has_any ("schtasks","at","powershell","pwsh") | extend exe = tolower(tostring(FileName)), cmd = tostring(ProcessCommandLine) | summarize Count = count(), SampleCommands = make_list(cmd, 10), SampleDevices = make_list(DeviceName, 10) by exe | order by Count desc // (Optional) If you want raw events for deeper triage, uncomment the block below: // DeviceProcessEvents // | where isnotempty(ProcessCommandLine) or isnotempty(FileName) // | where ProcessCommandLine has_any ("schtasks","/create","/Create","Register-ScheduledTask","New-ScheduledTask","-AtLogon","-AtStartup","schtasks.exe","at ") // or FileName has_any ("schtasks","at","powershell","pwsh") // | project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine // | order by TimeGenerated desc

union DeviceProcessEvents, DeviceEvents, DeviceFileEvents | where isnotempty(ProcessCommandLine) or isnotempty(FileName) | where ( tolower(FileName) contains "schtasks" or tolower(ProcessCommandLine) contains "schtasks" or tolower(FileName) contains "at.exe" or tolower(ProcessCommandLine) contains "\bat " or tolower(ProcessCommandLine) contains "register-scheduledtask" or tolower(ProcessCommandLine) contains "new-scheduledtask" or tolower(ProcessCommandLine) contains "register-scheduledtask" or tolower(ProcessCommandLine) contains "/sc onlogon" or tolower(ProcessCommandLine) contains "/sc onstart" ) | project TimeGenerated, DeviceName, Account = coalesce(AccountName, InitiatingProcessAccountName), FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine | extend matched = case( tolower(FileName) contains "schtasks" or tolower(ProcessCommandLine) contains "schtasks", "schtasks.exe", tolower(FileName) contains "at.exe" or tolower(ProcessCommandLine) contains " at ", "at.exe", tolower(ProcessCommandLine) contains "register-scheduledtask" or tolower(ProcessCommandLine) contains "new-scheduledtask", "PowerShell ScheduledTask cmdlets", "other" ) | summarize Count = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by matched, DeviceName, Account, FileName, ProcessCommandLine | order by Count desc | take 100

DeviceProcessEvents | where FileName has_cs "schtasks" or ProcessCommandLine has_cs "schtasks" or FileName has_cs "at.exe" or ProcessCommandLine has_cs "at.exe" | where ProcessCommandLine has_cs "/create" or ProcessCommandLine has_cs "ONLOGON" or ProcessCommandLine has_cs "ONSTART" or ProcessCommandLine has_cs "\bat \b" | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessId, InitiatingProcessId | extend Utility = case( FileName has_cs "schtasks" or ProcessCommandLine has_cs "schtasks","schtasks.exe", FileName has_cs "at.exe" or ProcessCommandLine has_cs "at.exe","at.exe", "unknown") | where Utility != "unknown" | order by Timestamp desc | take 100

DeviceProcessEvents | where (ProcessCommandLine contains "schtasks" or InitiatingProcessCommandLine contains "schtasks" or FileName contains "schtasks.exe" or InitiatingProcessFileName contains "schtasks.exe") | project TimeGenerated, DeviceName, DeviceId, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessCommandLine, FileName | summarize Count = count() by InitiatingProcessFileName, ProcessCommandLine, InitiatingProcessCommandLine | where Count > 0 | order by Count desc

DeviceProcessEvents | where InitiatingProcessFileName has_any ("schtasks.exe", "schtasks") or ProcessCommandLine has_any ("schtasks.exe", "schtasks") | where (InitiatingProcessCommandLine contains "/Create" or ProcessCommandLine contains "/Create") | where (InitiatingProcessCommandLine contains "/SC ONLOGON" or InitiatingProcessCommandLine contains "/SC ONSTART" or ProcessCommandLine contains "/SC ONLOGON" or ProcessCommandLine contains "/SC ONSTART") | project TimeGenerated, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessCommandLine | sort by TimeGenerated desc | take 100

DeviceProcessEvents | where FileName contains "schtasks.exe" | where ProcessCommandLine contains "logon" or ProcessCommandLine contains "startup" | summarize count() by FileName, ProcessCommandLine, DeviceName, AccountName, ProcessCreationTime | order by ProcessCreationTime desc

DeviceProcessEvents | where FileName has "schtasks.exe" | where ProcessCommandLine has_any ("create", "at logon", "at startup") | summarize count() by FileName, ProcessCommandLine | project FileName, ProcessCommandLine, count_

DeviceProcessEvents | where ActionType =~ "ProcessCreated" or ActionType =~ "CreateProcess" | where FileName in~ ("schtasks.exe", "at.exe") | where ProcessCommandLine has_any ("/create", "/Create", "AtLogon", "OnStart") | project TimeGenerated, DeviceName, InitiatingProcessAccountName, FileName, ProcessCommandLine

DeviceProcessEvents | where ActionType == "ProcessCreated" | where FileName in~ ("schtasks.exe", "at.exe") | where ProcessCommandLine has_any ("create", "onstart", "onlogon", "onboot") | project TimeGenerated, DeviceName, AccountDomain, AccountName, FileName, ProcessCommandLine | order by TimeGenerated desc

// Scheduled task creation or modification that runs at logon or start-up DeviceProcessEvents | where TimeGenerated >= ago(7d) // <-- time filter will be overridden by the function call | where FileName =~ "schtasks.exe" // Look for switches that indicate a new or modified task and that the schedule is logon/start-up | where ProcessCommandLine has_any ("/create", "/change") | where ProcessCommandLine contains "/sc" and ( ProcessCommandLine contains "onlogon" or ProcessCommandLine contains "onstart" or ProcessCommandLine contains "onstartup") | project TimeGenerated, DeviceName, Account = strcat(AccountDomain, "\\", AccountName), FileName, ProcessCommandLine, ParentProcess = InitiatingProcessFileName, ParentCmd = InitiatingProcessCommandLine, FolderPath, MD5, SHA256 | order by TimeGenerated desc

DeviceProcessEvents | where FileName =~ "schtasks.exe" | where ProcessCommandLine has "create" | project TimeGenerated, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName | order by TimeGenerated desc

DeviceProcessEvents | where FileName =~ "schtasks.exe" | summarize EventCount = count() by FileName | project FileName, EventCount

DeviceProcessEvents | where TimeGenerated between (startofday(ago(30d)) .. now()) // replace with desired timerange | where FileName =~ "schtasks.exe" | project TimeGenerated, DeviceName, InitiatingProcessFileName, ProcessCommandLine, InitiatingProcessAccountName | summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine | order by count_ desc

DeviceProcessEvents | where FileName in ("schtasks.exe", "at.exe") | where ProcessCommandLine has "/create" | project Timestamp, DeviceName, FileName, ProcessCommandLine | distinct FileName