Scheduled Task/Job T1053

Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (e.g. RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires membership in an admin or otherwise privileged group on the remote system.

Events covered

25 catalog events are tagged with this technique by at least one rule.

| Provider | Event | Title |
| --- | --- | --- |
| Sysmon | Event ID 1 | Process creation |
| Sysmon | Event ID 3 | Network connection |
| Sysmon | Event ID 7 | Image loaded |
| Sysmon | Event ID 11 | FileCreate |
| Sysmon | Event ID 12 | RegistryEvent (Object create and delete) |
| Sysmon | Event ID 13 | RegistryEvent (Value Set) |
| Sysmon | Event ID 14 | RegistryEvent (Key and Value Rename) |
| Security-Auditing | Event ID 4656 | A handle to an object was requested. |
| Security-Auditing | Event ID 4688 | A new process has been created. |
| Security-Auditing | Event ID 4698 | A scheduled task was created. |
| Security-Auditing | Event ID 4699 | A scheduled task was deleted. |
| Security-Auditing | Event ID 4700 | A scheduled task was enabled. |
| Security-Auditing | Event ID 4701 | A scheduled task was disabled. |
| Security-Auditing | Event ID 4702 | A scheduled task was updated. |
| Security-Auditing | Event ID 4799 | A security-enabled local group membership was enumerated. |
| Security-Auditing | Event ID 5136 | A directory service object was modified. |
| Security-Auditing | Event ID 5145 | A network share object was checked to see whether client can be granted desired access. |
| Defender-DeviceInfo | any | Device inventory snapshot |
| Defender-DeviceProcessEvents | ProcessCreated | Process created |
| PowerShell | Event ID 4103 | Payload Context: ContextInfo User Data: UserData. |
| PowerShell | Event ID 4104 | Creating Scriptblock text (MessageNumber of MessageTotal). |
| TaskScheduler | Event ID 129 | Task Scheduler launch task "Name", instance "TaskName" with process ID Path. |
| TaskScheduler | Event ID 200 | Task Scheduler launched action "TaskName" in instance "ActionName" of task "Name". |
| TaskScheduler | Event ID 201 | Task Scheduler successfully completed task "Name", instance "TaskInstanceId", action "TaskName". |
| Service-Control-Manager | Event ID 7045 | A service was installed in the system. |

Authoring guide

Patterns shared across the 133 rules under this technique: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (64 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

| Field | Rules | How | Sample values |
| --- | --- | --- | --- |
| CommandLine | 61 | contains 48, match 8, in 3, regex_match 3, ends_with 1, is_not_null 1 | /create , /create, /create , /change , (?i)\-(L\|R\|N\|D\|C)\|IdentitiesOnly=yes\|StrictHostKeyChecking=no\|ssh |
| Image | 39 | ends_with 35, contains 5, eq 3, in 1, starts_with 1 | \schtasks.exe, \cmd.exe, *\\perflogs\\*, *\\temp\\*, *\\users\\administrator\\music\\* |
| EventID | 31 | eq 28, in 3 | 4698, 4104, 4688, 1, 4700 |
| OriginalFileName | 21 | eq 20, in 1 | schtasks.exe, cmd.exe, at.exe, control.exe, cscript.exe |
| process_name | 20 | eq 18, in 3 | schtasks.exe, powershell.exe, at.exe, cmd.exe, bash.exe |
| Channel | 12 | eq 12, in 1 | 2 |
| eventtype | 12 | eq 12 | |
| ParentImage | 9 | ends_with 5, contains 2, eq 2 | \powershell.exe, :\program files (x86)\zemana\antimalware\antimalware.exe, :\program files\axis communications\axis camera..., :\program files\axis communications\axis device..., :\temp\ |
| TaskContent | 9 | contains 6, in 2, match 2 | #1, <command>c:\\windows\\system32\\compmgmtlauncher.ex..., <command>c:\\windows\\system32\\eventvwr.msc</co..., <command>c:\\windows\\system32\\zh-cn\\eventvwr.msc..., <hidden>true</hidden> |
| event.type | 9 | eq 9 | start, change |
| EventType | 8 | eq 6, starts_with 2 | scheduled-task-created, Image loaded, ProcessCreated, creation, deleted |
| TargetObject | 8 | contains 3, wildcard 3, ends_with 2, eq 1 | *\software\microsoft\windows..., \command, \microsoft\windows nt\currentversion\schedule\taskcache\tasks\, \microsoft\windows..., \microsoft\windows nt\currentversion\schedule\taskcache\tree\ |
| TaskName | 8 | eq 5, contains 2, ends_with 1, match 1 | SC Scheduled Scan, UpdatMachine, \Microsoft\Windows\Defrag\ScheduledDefrag, \Microsoft\Windows\RemovalTools\MRT_ERROR_HB, \SynchronizeTimeZone |
| parent_process_name | 8 | eq 8, in 1 | svchost.exe, CompatTelRunner.exe, ScreenConnect.ClientService.exe, ScreenConnect.WindowsBackstageShell.exe, ScreenConnect.WindowsClient.exe |
| ParentCommandLine | 7 | contains 6, ends_with 1, regex_match 1, starts_with 1 | -executionpolicy bypass -windowstyle hidden -e jab, -k, -k netsvcs, -p, -s |

Top indicator values (868 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition to get a useful signal. Blank means the combination is specific to rules under this technique.

| Field | Kind | Value | Rules (here) | Corpus reach |
| --- | --- | --- | --- | --- |
| Image | ends_with | \schtasks.exe | 26 | 57 |
| OriginalFileName | eq | schtasks.exe | 18 | 23 |
| EventID | eq | 4698 | 14 | 14 |
| EventID | eq | 4104 | 4 | 268 |
| EventID | eq | 4688 | 4 | 312 |
| EventID | eq | 1 | 3 | 232 |
| process_name | eq | schtasks.exe | 11 | 21 |
| process_name | eq | powershell.exe | 4 | 99 |
| CommandLine | contains | /create | 9 | 15 |
| CommandLine | contains | /create | 8 | 8 |
| CommandLine | contains | /create | 5 | 5 |
| CommandLine | contains | create | 4 | 23 |
| CommandLine | contains | nt aut | 4 | 4 |
| CommandLine | contains | powershell | 4 | 25 |
| CommandLine | contains | wscript | 4 | 16 |
| CommandLine | contains | /change | 3 | 3 |
| CommandLine | contains | %appdata% | 3 | 13 |
| CommandLine | contains | cmd.exe /c | 3 | 7 |
| CommandLine | contains | cmd.exe /k | 3 | 6 |
| CommandLine | contains | cmd.exe /r | 3 | 6 |
| CommandLine | contains | cscript | 3 | 15 |
| CommandLine | contains | frombase64string | 3 | 13 |
| CommandLine | contains | schtasks | 3 | 6 |
| event.type | eq | start | 6 | 241 |
| AccessList | contains | %%4417 | 4 | 11 |
| parent_process_name | eq | svchost.exe | 4 | 12 |
| CommandLine | match | (?i)\-(L\|R\|N\|D\|C)\|IdentitiesOnly=yes\|StrictHostKeyChecking=no\|ssh | 3 | 3 |
| CommandLine | match | \d{1,5}:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}:\d{1,5} | 3 | 3 |
| CommandLine | match | \w+@\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} | 3 | 3 |
| EventType | eq | scheduled-task-created | 3 | 3 |

The three /create rows are separate catalog entries that differ only in surrounding whitespace (the Fields table above lists them as "/create ", "/create" and "/create "), which this table cannot show.

Exclusions (155 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

| Field | Kind | Value | Rules excluding |
| --- | --- | --- | --- |
| Image | ends_with | \schtasks.exe | 3 |
| user | ends_with | $ | 3 |
| CommandLine | contains | /tn tvinstallrestore | 2 |
| CommandLine | contains | update_task.xml | 2 |
| CommandLine | contains | -m: | 1 |
| CommandLine | contains | system | 1 |
| CommandLine | contains | .tmp\maintenancetask.xml | 1 |
| CommandLine | contains | .tmp\systrayautostart.xml | 1 |
| CommandLine | contains | .tmp\updatefallbacktask.xml | 1 |
| CommandLine | contains | .tmp\watchdogservicecontrolmanagertimeout.xml | 1 |
| CommandLine | contains | .xml | 1 |
| CommandLine | contains | /create /f /ru system /sc weekly /tn avirasystemspeedupverify /tr | 1 |
| CommandLine | contains | /create /f /tn | 1 |
| IntegrityLevel | eq | System | 2 |
| process_name | eq | powershell.exe | 2 |
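To make the guidance of the "Top indicator values" and "Exclusions" sections concrete (a widely used indicator is noisy on its own and needs a second condition; the high-count exclusions should be carried into a new rule), here is an added example that is not part of the catalog or of any vendor's rule set. It implements the catalog's operator vocabulary over plain dict events, builds one rule from the two most-used indicators on this page and one tuned rule that AND-s them with a second indicator family and the page's top exclusions, and runs both over a few constructed events. The case-insensitive comparison (Sigma's default for string modifiers), the event field names, the rule names and every sample event are assumptions of this example.

```python
import re
from typing import Any, Callable, Optional

# Operator vocabulary from the catalog's "How" and "Kind" columns. Sigma-style
# string matching is case-insensitive, so both sides are lowercased; "match" is
# a raw regex search and stays case-sensitive unless the pattern says (?i).
OPERATORS: dict[str, Callable[[str, Any], bool]] = {
    "eq":          lambda v, x: v.lower() == str(x).lower(),
    "contains":    lambda v, x: str(x).lower() in v.lower(),
    "ends_with":   lambda v, x: v.lower().endswith(str(x).lower()),
    "starts_with": lambda v, x: v.lower().startswith(str(x).lower()),
    "in":          lambda v, x: v.lower() in {str(i).lower() for i in x},
    "match":       lambda v, x: re.search(x, v) is not None,
}

# A predicate is (field, operator, value). A list value (other than for "in")
# is OR-ed, as a Sigma list under a single modifier would be.
Predicate = tuple[str, str, Any]


def holds(event: dict[str, Any], pred: Predicate) -> bool:
    """True if the event carries the field and the predicate is satisfied."""
    field, op, value = pred
    if field not in event:
        return False
    actual = str(event[field])
    if op != "in" and isinstance(value, (list, tuple)):
        return any(OPERATORS[op](actual, v) for v in value)
    return OPERATORS[op](actual, value)


class Rule:
    """selection: every predicate must hold (AND).
    exclusions: a top-level not(); any exclusion that holds suppresses the hit."""

    def __init__(self, name: str, selection: list,
                 exclusions: Optional[list] = None) -> None:
        self.name = name
        self.selection = selection
        self.exclusions = exclusions or []

    def matches(self, event: dict[str, Any]) -> bool:
        if not all(holds(event, p) for p in self.selection):
            return False
        return not any(holds(event, p) for p in self.exclusions)


# The two most-used indicators on this page, and nothing else (assumed rule name).
NOISY = Rule(
    "schtasks /create (single indicator)",
    selection=[("Image", "ends_with", "\\schtasks.exe"),
               ("CommandLine", "contains", "/create")],
)

# Same base, AND-ed with a second indicator family from the same table, minus
# the exclusions the page lists (assumed rule name).
TUNED = Rule(
    "schtasks /create launching a script host from a user profile",
    selection=[("Image", "ends_with", "\\schtasks.exe"),
               ("CommandLine", "contains", "/create"),
               ("CommandLine", "contains",
                ["powershell", "wscript", "cscript", "%appdata%", "frombase64string"])],
    exclusions=[("user", "ends_with", "$"),                    # machine accounts
                ("CommandLine", "contains", "/tn tvinstallrestore"),
                ("CommandLine", "contains", "update_task.xml"),
                ("IntegrityLevel", "eq", "System")],
)

# Constructed sample events; field names follow the catalog's normalized names.
EVENTS = [
    {"id": "benign-admin", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /sc daily /tn "NightlyBackup" /tr C:\Tools\backup.exe',
     "user": r"CORP\jdoe", "IntegrityLevel": "High"},
    {"id": "benign-installer", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /f /tn tvinstallrestore /tr "wscript.exe C:\Program Files\Vendor\restore.vbs"',
     "user": r"CORP\WS01$", "IntegrityLevel": "System"},
    {"id": "suspicious", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /sc minute /mo 5 /tn "OneDriveSync" /tr "powershell.exe -WindowStyle Hidden -File %APPDATA%\sync.ps1"',
     "user": r"CORP\jdoe", "IntegrityLevel": "Medium"},
    {"id": "unrelated", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe", "user": r"CORP\jdoe", "IntegrityLevel": "Medium"},
]


def evaluate(rules: list, events: list) -> dict[str, list[str]]:
    """Map each rule name to the ids of the events it fires on."""
    return {r.name: [e["id"] for e in events if r.matches(e)] for r in rules}


if __name__ == "__main__":
    for name, hits in evaluate([NOISY, TUNED], EVENTS).items():
        print(f"{name}: {hits}")
```

Run as-is, the single-indicator rule fires on all three schtasks events, including the administrator's backup task and the vendor installer, while the tuned rule fires only on the user-profile PowerShell task: the extra `contains` list supplies the second condition the authoring guide asks for, and the machine-account and `/tn tvinstallrestore` exclusions remove the paths other rules have already learned to filter. Note that the `IntegrityLevel eq System` exclusion also suppresses any genuine SYSTEM-level activity, which is the usual trade-off with a broad exclusion.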

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor; each rule's entry carries its full predicates, exclusions, and indicators.

Sigma 66 rules

Elastic 16 rules

Splunk 47 rules

Kusto 3 rules

YARA-L 1 rule