From cybersec-toolkit
Hunts for adversary persistence via Windows Scheduled Tasks by analyzing creation events, suspicious actions, and unusual patterns. For threat hunting, IR, and security assessments.
How this skill is triggered — by the user, by Claude, or both
Slash command
`/cybersec-toolkit:hunting-for-scheduled-task-persistence`

The summary Claude sees in its skill listing — used to decide when to auto-load this skill

- When proactively hunting for indicators of scheduled task persistence in the environment
| MITRE ATT&CK ID | Sub-technique |
|---|---|
| T1053.005 | Scheduled Task |
| T1053.003 | Cron |
| T1053.002 | At |

| Tool | Purpose |
|---|---|
| CrowdStrike Falcon | EDR telemetry and threat detection |
| Microsoft Defender for Endpoint | Advanced hunting with KQL |
| Splunk Enterprise | SIEM log analysis with SPL queries |
| Elastic Security | Detection rules and investigation timeline |
| Sysmon | Detailed Windows event monitoring |
| Velociraptor | Endpoint artifact collection and hunting |
| Sigma Rules | Cross-platform detection rule format |
```text
Hunt ID: TH-HUNTIN-[DATE]-[SEQ]
Technique: T1053.005
Host: [Hostname]
User: [Account context]
Evidence: [Log entries, process trees, network data]
Risk Level: [Critical/High/Medium/Low]
Confidence: [High/Medium/Low]
Recommended Action: [Containment, investigation, monitoring]
```
```shell
npx claudepluginhub 26zl/cybersec-toolkit --plugin cybersec-toolkit
```
Hunts for adversary persistence via Windows Scheduled Tasks by analyzing task creation events, suspicious actions, and unusual scheduling patterns.
Hunts adversary persistence (T1053.005) in Windows scheduled tasks via event analysis (4698/4699), Sysmon, PowerShell enumeration, and Splunk queries for suspicious creations/executions.