detection.wiki

ATT&CK coverage › Technique

Scheduled Task/Job: Scheduled Task T1053.005

Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library and Windows Management Instrumentation (WMI) to create a scheduled task. Adversaries may also utilize the Powershell Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to create a scheduled task via an XML path.

Events covered

15 catalog events are tagged with this technique by at least one rule.

ProviderEvent IDTitle
Sysmon1Process creation
Sysmon12RegistryEvent (Object create and delete)
Sysmon13RegistryEvent (Value Set)
Security-Auditing4688A new process has been created.
Security-Auditing4698A scheduled task was created.
Security-Auditing4699A scheduled task was deleted.
Security-Auditing4700A scheduled task was enabled.
Security-Auditing4701A scheduled task was disabled.
Security-Auditing4702A scheduled task was updated.
Security-Auditing5136A directory service object was modified.
Security-Auditing5145A network share object was checked to see whether client can be granted desired access.
PowerShell4104Creating Scriptblock text (MessageNumber of MessageTotal).
TaskScheduler129Task Scheduler launch task "Name" , instance "TaskName" with process ID Path.
TaskScheduler200Task Scheduler launched action "TaskName" in instance "ActionName" of task "Name".
TaskScheduler201Task Scheduler successfully completed task "Name" , instance "TaskInstanceId" , action "TaskName" .

Authoring guide

Patterns shared across the 48 rules above: which fields they filter on, what specific values they look for, and what they exclude. Field names are normalized across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (29 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

FieldRulesHowSample values
Image22ends_with 21, eq 2, starts_with 1, match 1\schtasks.exe, C:\Windows\System32\schtasks.exe, C:\Windows\SysWOW64\schtasks.exe, C:\Program Files\Microsoft Office\root\Integration\Integrator.exe, C:\Windows\
CommandLine22match 21, ends_with 1NT AUT, /change , /create , powershell, FromBase64String
OriginalFileName11eq 11schtasks.exe
EventID8eq 5, in 34698, 4702, 4700, 4699, 4104
ParentImage5ends_with 2, eq 2, match 1\powershell.exe, \pwsh.exe, C:\WINDOWS\System32\svchost.exe, C:\Program Files (x86)\Microsoft..., C:\Program Files\Microsoft Office\root\integration\integrator.exe
EventType4eq 4scheduled-task-created, scheduled-task-deleted, deleted
user3ends_with 1, match 1, eq 1$, AUTORI, AUTHORI, "SYSTEM"
ParentCommandLine3match 3, ends_with 1-k netsvcs, -s Schedule, unattended.ini, \svchost.exe -k netsvcs -p -s Schedule, :\WINDOWS\Installer\MSI
TargetObject3match 2, ends_with 1, eq 1\Command, \SOFTWARE\Microsoft\Windows..., Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask\Index, \Microsoft\Windows..., Microsoft\Windows\UpdateOrchestrator
TaskContent3in 2, match 1\AppData\Local\Temp\, wmic , wmic.exe, "*cscript.exe*", "*sh.exe*"
registry_path3eq 3"*\\SOFTWARE\\Microsoft\\Windows..., "*\\CurrentVersion\\Schedule\\Configuration*", "*\\Schedule\\TaskCache\\Tree\\*"
registry_value_name3eq 3"Command", EnableAt, "SD"
RelativeTargetName2ends_with 2ScheduledTasks.xml
AttributeValue2match 2CAB54552-DEEA-4691-817E-ED4A4D1AFC72, AADCED64-746C-4633-A97C-D61349046527
AccessList2match 2%%4417, WriteData

Top indicator values (416 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.

FieldKindValueRules (here)Corpus reach
Imageends_with\schtasks.exe2045
OriginalFileNameeqschtasks.exe1114
CommandLinematch /create 914
CommandLinematch/Create44
CommandLinematchpowershell416
CommandLinematchNT AUT44
EventIDeq469848
EventTypeeqscheduled-task-created33
CommandLinematchFromBase64String37
CommandLinematchcmd.exe /r 36
CommandLinematchcmd.exe /k 36
CommandLinematchcmd.exe /c 36
CommandLinematchcscript312
CommandLinematchwscript312
AttributeLDAPDisplayNameeqgPCMachineExtensionNames24
AttributeValuematchAADCED64-746C-4633-A97C-D613490465272
AttributeLDAPDisplayNameeqgPCUserExtensionNames22
AccessListmatch%%441723
AttributeValuematchCAB54552-DEEA-4691-817E-ED4A4D1AFC722
RelativeTargetNameends_withScheduledTasks.xml2

Common exclusions (13 distinct)

Field/operator/value combinations that rules under this technique routinely exclude (top-level not() clauses). These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

FieldKindValueRules excluding
userends_with$3
TaskNamewildcard\CreateExplorerShellUnelevatedTask1
TaskNamewildcard\OneDrive Standalone Update Task-S-1-5-21*1
TaskNamewildcard\Hewlett-Packard\HP Support Assistant\WarrantyChecker1
TaskNamewildcard\Hewlett-Packard\HP Support Assistant\WarrantyChecker_backup1
TaskNamewildcard\Hewlett-Packard\HP Web Products Detection1
TaskNamewildcard\Microsoft\VisualStudio\Updates\BackgroundDownload1
TaskNamewildcard\OneDrive Standalone Update Task-S-1-12-1-*1
TaskNamewildcard\Hewlett-Packard\HPDeviceCheck1
SubjectUserSidinS-1-5-181
SubjectUserSidinS-1-5-191
SubjectUserSidinS-1-5-201
Detailseq"(empty)"1

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Sigma 31 rules

Elastic 5 rules

Splunk 11 rules

Kusto Query Language 1 rule