T1053.005: Scheduled Task
| View on MITRE ATT&CK | T1053.005 |
|---|---|
| Tactic(s) | Persistence, Execution, Privilege Escalation |
Data from MITRE ATT&CK®:
Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library to create a scheduled task.
The deprecated at utility could also be abused by adversaries (ex: At), though at.exe can not access tasks created with schtasks or the Control Panel.
An adversary may use Windows Task Scheduler to execute programs at system startup or on a scheduled basis for persistence. The Windows Task Scheduler can also be abused to conduct remote Execution as part of Lateral Movement and/or to run a process under the context of a specified account (such as SYSTEM). Similar to System Binary Proxy Execution, adversaries have also abused the Windows Task Scheduler to potentially mask one-time execution under signed/trusted system processes.(Citation: ProofPoint Serpent)
Adversaries may also create "hidden" scheduled tasks (i.e. Hide Artifacts) that may not be visible to defender tools and manual queries used to enumerate tasks. Specifically, an adversary may hide a task from schtasks /query and the Task Scheduler by deleting the associated Security Descriptor (SD) registry value (where deletion of this value must be completed using SYSTEM permissions).(Citation: SigmaHQ)(Citation: Tarrask scheduled task) Adversaries may also employ alternate methods to hide tasks, such as altering the metadata (e.g., Index value) within associated registry keys.(Citation: Defending Against Scheduled Task Attacks in Windows Environments)
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
Cyber Threat Graph Context
Explore how this ATT&CK Technique relates to the wider threat graph
Reporting on this Technique
CACTUS Ransomware: Prickly New Variant Evades Detection
This report by Kroll outlines TTPs and IoCs associated with CACTUS ransomware actors.
APT40 Advisory - PRC MSS tradecraft in action
This advisory, authored by the Australian Cyber Security Centre and multiple other international cybersecurity agencies, outlines the threat posed ...
Threat Group FIN7 Targets the U.S. Automotive Industry
In late 2023, BlackBerry analysts discovered a targeted attack by FIN7 on a U.S. automotive manufacturer, exploiting IT employees with higher ...
KAPEKA A novel backdoor spotted in Eastern Europe
This report from researchers at WithSecure unveils a novel backdoor: 'Kapeka'. Kapeka has been used against victims in Eastern Europe ...
From OneNote to RansomNote: An Ice Cold Intrusion
This case report from The DFIR Report describes an intrusion which started with a malicious OneNote attachment. Opening the OneNote file led to ...
Earth Krahang Exploits Intergovernmental Trust to Launch Cross-Government Attacks
This article by researchers at Trend Micro discusses an Advanced Persistent Threat (APT) group they name Earth Krahang who have been observed ...
The Updated APT Playbook: Tales from the Kimsuky threat actor group
This article by researchers at Rapid7 discusses recent activity by North Korean intrusion set 'Kimsuky'. Kimsuky is primarily focused on ...
Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally
This Cybersecurity Advisory by CISA with US and international partners outlines activity which they link to APT29 (also known as The Dukes, Cozy ...
Unveiling Earth Kapre aka RedCurl’s Cyberespionage Tactics With Trend Micro MDR, Threat Intelligence
The blog entry details an investigation by Trend Micro's Managed Extended Detection and Response (MDR) team into a cyberespionage incident ...
REDCURL - The pentest you didn't know about
This report by researchers at Group-IB outlines activity by a group they call RedCurl. The report identifies victimology and motivation (corporate ...
Evasive Panda leverages Monlam Festival to target Tibetans
This report by researchers at ESET describes a campaign which they attribute to the China-aligned APT Evasive Panda. The report describes a ...
TODDLERSHARK: ScreenConnect Vulnerability Exploited to Deploy BABYSHARK Variant
Blog post from Kroll which describes the exploitation of vulnerabilities in ConnectWise ScreenConnect to deploy TODDLERSHARK malware which the ...
Earth Preta Campaign Uses DOPLUGS to Target Asia
This blog post by researchers from Trend Micro describes the use of a customized PlugX backdoor which they name DOPLUGS. The DOPLUGS malware uses ...
RedHotel: A Prolific, Chinese State-Sponsored Group Operating at a Global Scale
This report from Recorded Future's Insikt Group outlines activity by the Red Hotel intrusion set. RedHotel is identified as a prominent Chinese ...
Mitigations for this technique
MITRE ATT&CK Mitigations
User Account Management
Manage the creation, modification, use, and permissions associated to user accounts.Privileged Account Management
Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.Audit
Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.Operating System Configuration
Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.How to detect this technique
MITRE ATT&CK Data Components
Process Creation (Process)
The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)Network Traffic Flow (Network Traffic)
Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)Scheduled Job Creation (Scheduled Job)
Initial construction of a new scheduled job (ex: Windows EID 4698 or /var/log cron logs)File Modification (File)
Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)Command Execution (Command)
The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc. )Windows Registry Key Creation (Windows Registry)
Initial construction of a new Registry Key (ex: Windows EID 4656 or Sysmon EID 12)File Creation (File)
Initial construction of a new file (ex: Sysmon EID 11)Control Validation Tests for this Technique
Use Atomic Red Team tests to test your defenses against this technique.
Scheduled Task Executing Base64 Encoded Commands From Registry
Scheduled task Local
Scheduled Task Startup Script
Scheduled task Remote
Powershell Cmdlet Scheduled Task
PowerShell Modify A Scheduled Task
WMI Invoke-CimMethod Scheduled Task
Task Scheduler via VBA
Scheduled Task ("Ghost Task") via Registry Key Manipulation
Import XML Schedule Task with Hidden Attribute
Sigma Detections for this Technique
Scheduled Task Executing Payload from Registry
Schtasks From Suspicious Folders
Uncommon One Time Only Scheduled Task At 00:00
Scheduled Task Executed Uncommon LOLBIN
Suspicious Schtasks From Env Var Folder
Suspicious Scheduled Task Update
Suspicious Schtasks Schedule Type With High Privileges
Scheduled Task Executed From A Suspicious Location
Suspicious Schtasks Schedule Types
OilRig APT Registry Persistence
Suspicious Command Patterns In Scheduled Task Creation
Powershell Create Scheduled Task
Scheduled Task Creation Via Schtasks.EXE
Scheduled Task Executing Encoded Payload from Registry
Potential Persistence Via Microsoft Compatibility Appraiser
Suspicious Scheduled Task Name As GUID
Schtasks Creation Or Modification With SYSTEM Privileges
Suspicious Schtasks Execution AppData Folder
HackTool - Default PowerSploit/Empire Scheduled Task Creation
Suspicious Modification Of Scheduled Tasks
Suspicious Add Scheduled Task Parent
Important Scheduled Task Deleted/Disabled
Potential Registry Persistence Attempt Via Windows Telemetry
Persistence and Execution at Scale via GPO Scheduled Task
Suspicious Scheduled Task Creation Involving Temp Folder
Scheduled TaskCache Change by Uncommon Program
Suspicious Scheduled Task Creation
Potential Persistence Via Powershell Search Order Hijacking - Task
Suspicious Scheduled Task Creation via Masqueraded XML File
SP800-53 Controls
See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.