Scheduled Task/Job T1053
Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (e.g., RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires membership in an admin or otherwise privileged group on the remote system.
Events covered
25 catalog events are tagged with this technique by at least one rule.
Authoring guide
Patterns shared across the 133 rules under this technique: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.
Fields filtered most (64 distinct)
The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.
Top indicator values (868 distinct)
Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.
Exclusions (155 distinct)
Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.
Rules under this technique
Every rule in the catalog tagged with this technique, grouped by vendor. Each rule title links to its full predicates, exclusions, and indicators.
Sigma 66 rules
- ChromeLoader Malware Execution
- Defrag Deactivation
- Defrag Deactivation - Security
- Diamond Sleet APT Scheduled Task Creation
- Fortinet APT group abuse on Windows (task)
- HackTool - CrackMapExec Execution
- HackTool - CrackMapExec Execution Patterns
- HackTool - Default PowerSploit/Empire Scheduled Task Creation
- HackTool - SharPersist Execution
- HAFNIUM Exchange Exploitation Activity
- Important Scheduled Task Deleted/Disabled
- Interactive AT Job
- Interactive privileged shell triggered by schedule task (deprecated)
- Kapeka Backdoor Persistence Activity
- Kapeka Backdoor Scheduled Task Creation
- Massive remote schedule task creation via named pipes (CrackMapExec with ATexec)
- OilRig APT Activity
- OilRig APT Registry Persistence
- OilRig APT Schedule Task Persistence - Security
- OilRig APT Schedule Task Persistence - System
- Operation Wocao Activity
- Operation Wocao Activity - Security
- Persistence and Execution at Scale via GPO Scheduled Task
- Potential ACTINIUM Persistence Activity
- Potential BearLPE Exploitation
- Potential Persistence Via Microsoft Compatibility Appraiser
- Potential Persistence Via Powershell Search Order Hijacking - Task
- Potential Registry Persistence Attempt Via Windows Telemetry
- Potential SSH Tunnel Persistence Install Using A Scheduled Task
- Powershell Create Scheduled Task
- Remote schedule task creation via named pipes (ATexec)
- Remote Task Creation via ATSVC Named Pipe
- Renamed Schtasks Execution
- Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE
- Scheduled persistent task with SYSTEM privileges creation
- Scheduled Task Created - FileCreation
- Scheduled Task Created - Registry
- Scheduled task created and deleted fastly (ATexec.py)
- Scheduled Task Creation From Potential Suspicious Parent Location
- Scheduled Task Creation Masquerading as System Processes
- Scheduled Task Creation Via Schtasks.EXE
- Scheduled task creation with command line
- Scheduled Task Creation with Curl and PowerShell Execution Combo
- Scheduled Task Deletion
- Scheduled Task Executed From A Suspicious Location
- Scheduled Task Executed Uncommon LOLBIN
- Scheduled Task Executing Encoded Payload from Registry
- Scheduled Task Executing Payload from Registry
- Scheduled TaskCache Change by Uncommon Program
- Schtasks Creation Or Modification With SYSTEM Privileges
- Schtasks From Suspicious Folders
- Serpent Backdoor Payload Execution Via Scheduled Task
- Suspicious Command Patterns In Scheduled Task Creation
- Suspicious Modification Of Scheduled Tasks
- Suspicious Scheduled Task Creation
- Suspicious Scheduled Task Creation Involving Temp Folder
- Suspicious Scheduled Task Creation via Masqueraded XML File
- Suspicious Scheduled Task Name As GUID
- Suspicious Scheduled Task Update
- Suspicious Scheduled Task Write to System32 Tasks
- Suspicious Schtasks Execution AppData Folder
- Suspicious Schtasks Schedule Type With High Privileges
- Suspicious Schtasks Schedule Types
- Task Scheduler DLL Loaded By Application Located In Potentially Suspicious Location
- Turla Group Commands May 2020
- Uncommon One Time Only Scheduled Task At 00:00
Elastic 16 rules
- A scheduled task was created
- At.exe Command Lateral Movement
- Local Scheduled Task Creation
- Outbound Scheduled Task Activity via PowerShell
- Persistence via a Windows Installer
- Persistence via TelemetryController Scheduled Task Hijack
- Remote Scheduled Task Creation
- Remote Scheduled Task Creation via RPC
- Scheduled Task Created by a Windows Script
- Scheduled Task Execution at Scale via GPO
- Scheduled Tasks AT Command Enabled
- Suspicious Execution via Scheduled Task
- Suspicious ScreenConnect Client Child Process
- Temporarily Scheduled Task Creation
- UAC Bypass via DiskCleanup Scheduled Task Hijack
- Unusual Scheduled Task Update
Splunk 47 rules
- Create_Modify Schtasks (PowerShell)
- Create_Modify Schtasks (Sysmon)
- Create_Modify Schtasks (Windows Event Log)
- Hidden Scheduled Task Created - Windows (Windows Event Log)
- Impacket atexec.py Execution (PowerShell)
- Impacket atexec.py Execution (Sysmon)
- Impacket atexec.py Execution (Windows Event Log)
- Impacket atexec.py Scheduled Task Creation (Windows Event Log)
- Impacket atexec.py Temp File Creation (Sysmon)
- Impacket atexec.py Temp File Creation (Windows Event Log)
- Possible Lateral Movement PowerShell Spawn
- Randomly Generated Scheduled Task Name
- Rare Schedule Task Created (Windows Event Log)
- Rare Scheduled Task (Windows Event Log)
- Schedule Task with HTTP Command Arguments
- Schedule Task with Rundll32 Command Trigger
- Scheduled Task Creation on Remote Endpoint using At
- Scheduled Task Deleted Or Created via CMD
- Scheduled Task Initiation on Remote Endpoint
- Scheduled Task with Potential SSH Tunnel - Windows (PowerShell)
- Scheduled Task with Potential SSH Tunnel - Windows (Sysmon)
- Scheduled Task with Potential SSH Tunnel - Windows (Windows Event Log)
- Schtasks Run Task On Demand
- Schtasks scheduling job on remote system
- Schtasks used for forcing a reboot
- Short Lived Scheduled Task
- Suspicious Scheduled Task from Public Directory
- Svchost LOLBAS Execution Process Spawn
- Windows Compatibility Telemetry Suspicious Child Process
- Windows Compatibility Telemetry Tampering Through Registry
- Windows Enable Win32 ScheduledJob via Registry
- Windows Hidden Schedule Task Settings
- Windows Level RMM Watchdog Task Created
- Windows PowerShell ScheduleTask
- Windows Registry Delete Task SD
- Windows Scheduled Task Created in a Group Policy Object
- Windows Scheduled Task Created Via XML
- Windows Scheduled Task DLL Module Loaded
- Windows Scheduled Task Service Spawned Shell
- Windows Scheduled Task with Highest Privileges
- Windows Scheduled Task with Suspicious Command
- Windows Scheduled Task with Suspicious Name
- Windows Scheduled Tasks for CompMgmtLauncher or Eventvwr
- Windows Schtasks Create Run As System
- WinEvent Scheduled Task Created to Spawn Shell
- WinEvent Scheduled Task Created Within Public Path
- WinEvent Windows Task Scheduler Event Action Started
Kusto 3 rules
- AV detections related to Tarrask malware
- Persistence Via Scheduled Tasks
- Powershell Empire Cmdlets Executed in Command Line