splunk_sysmon_T1053_SchTasks.txt

host=* "Schtasks.exe" AND (CommandLine="*\/create*" OR CommandLine="*\/change*")
| eval Time=strftime(_time, "%Y/%m/%d %H:%M:%S")
| stats values(Time) AS Time values(ComputerName) AS Computers values(User) AS User values(ProcessId) AS ProcessId values(ParentProcessId) AS ParentProcessId values(IntegrityLevel) AS IntegrityLevel values(OriginalFileName) AS OriginalFileName values(Image) AS ImageFileName values(CommandLine) AS CommandLine values(ParentImage) As ParentImage values(ParentCommandLine) AS ParentCommandLine dc(CommandLine) AS ThreatCount by Image,ComputerName
| eval Commands = lower(CommandLine)
| rex field=Commands mode=sed "s/\"//g"
| eval T1053_SchTasks=if(match((Commands),"(?i)Schtasks"),7,0)
| eval Persistence_c= 'T1053_SchTasks'
| eval  Persistence=Persistence_c*ThreatCount
| addtotals fieldname=Score Persistence
| table Time Computers User ProcessId ParentProcessId IntegrityLevel Score Persistence T1053_SchTasks OriginalFileName ImageFileName Commands ParentImage ParentCommandLine
| sort Score desc