detection.wiki

ATT&CK coverage › Technique

Scheduled Task/Job T1053

Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.

Events covered

11 catalog events are tagged with this technique by at least one rule.

ProviderEvent IDTitle
Sysmon1Process creation
Sysmon7Image loaded
Sysmon11FileCreate
Sysmon13RegistryEvent (Value Set)
Security-Auditing4688A new process has been created.
Security-Auditing4698A scheduled task was created.
Security-Auditing4699A scheduled task was deleted.
Security-Auditing4702A scheduled task was updated.
Security-Auditing5136A directory service object was modified.
Security-Auditing5145A network share object was checked to see whether client can be granted desired access.
Defender-DeviceInfo9008000Device inventory snapshot

Authoring guide

Patterns shared across the 16 rules above: which fields they filter on, what specific values they look for, and what they exclude. Field names are normalized across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (20 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

FieldRulesHowSample values
Image5ends_with 3, eq 1, starts_with 1, match 1, in 1\crackmapexec.exe, \SharPersist.exe, C:\Program Files\Microsoft Office\root\Integration\Integrator.exe, C:\Windows\, System
EventID5eq 54698, 7
EventType3eq 3scheduled-task-created, scheduled-task-deleted
CommandLine3match 3 mssql , -x , --local-auth, cmd.exe /C * > \\\\*\\*\\* 2>&1, cmd.exe /Q /c * 1> \\\\*\\*\\* 2>&1
TaskContent2eq 2"*<Hidden>true</Hidden>*", "*<Command>C:\\Windows\\System32\\CompMgmtLauncher...., "*<Command>C:\\Windows\\System32\\eventvwr.msc</..., "*<Command>C:\\Windows\\System32\\zh-CN\\eventvwr.m...
RpcCallClientLocality1eq 10
ClientProcessId1eq 10
RelativeTargetName1ends_with 1ScheduledTasks.xml
AttributeValue1match 1CAB54552-DEEA-4691-817E-ED4A4D1AFC72, AADCED64-746C-4633-A97C-D61349046527
AccessList1match 1%%4417
AttributeLDAPDisplayName1eq 1gPCUserExtensionNames, gPCMachineExtensionNames
ShareName1wildcard 1\\*\SYSVOL
event.category1eq 1iam
Product1eq 1SharPersist
Details1eq 1, is_null 1(Empty)

Top indicator values (94 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.

FieldKindValueRules (here)Corpus reach
EventIDeq469848
EventTypeeqscheduled-task-created33
ClientProcessIdeq012
RpcCallClientLocalityeq01
ShareNamewildcard\\*\SYSVOL12
AttributeLDAPDisplayNameeqgPCMachineExtensionNames14
AttributeValuematchAADCED64-746C-4633-A97C-D613490465271
AttributeLDAPDisplayNameeqgPCUserExtensionNames12
AccessListmatch%%441713
AttributeValuematchCAB54552-DEEA-4691-817E-ED4A4D1AFC721
RelativeTargetNameends_withScheduledTasks.xml1
EventTypeeqscheduled-task-deleted1
event.categoryeqiam12
Imageends_with\crackmapexec.exe12
CommandLinematch -H 1
CommandLinematch 192.168.1
CommandLinematch --local-auth1
CommandLinematch/24 1
CommandLinematch -x 1
CommandLinematch 10.1

Common exclusions (12 distinct)

Field/operator/value combinations that rules under this technique routinely exclude (top-level not() clauses). These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

FieldKindValueRules excluding
userends_with$3
TaskNamewildcard\CreateExplorerShellUnelevatedTask1
TaskNamewildcard\OneDrive Standalone Update Task-S-1-5-21*1
TaskNamewildcard\Hewlett-Packard\HP Support Assistant\WarrantyChecker1
TaskNamewildcard\Hewlett-Packard\HP Support Assistant\WarrantyChecker_backup1
TaskNamewildcard\Hewlett-Packard\HP Web Products Detection1
TaskNamewildcard\Microsoft\VisualStudio\Updates\BackgroundDownload1
TaskNamewildcard\OneDrive Standalone Update Task-S-1-12-1-*1
TaskNamewildcard\Hewlett-Packard\HPDeviceCheck1
SubjectUserSidinS-1-5-181
SubjectUserSidinS-1-5-191
SubjectUserSidinS-1-5-201

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Sigma 5 rules

Elastic 5 rules

Splunk 5 rules

Kusto Query Language 1 rule