T1053 Scheduled Task/Job

Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the caller can authenticate to it (e.g., over RPC with file and printer sharing enabled in Windows environments). Scheduling a task on a remote system typically requires membership in an administrative or otherwise privileged group on that system.(Citation: TechNet Task Scheduler Security)

Adversaries may use task scheduling to execute programs at system startup or on a schedule for persistence. The same mechanisms can be abused to run a process under the context of a specified account, such as one with elevated permissions or privileges. Similar to System Binary Proxy Execution, adversaries have also abused task scheduling to mask one-time execution under a trusted system process.(Citation: ProofPoint Serpent)
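On Windows the behaviour described above surfaces as Security event 4698 ("A scheduled task was created"), whose TaskContent field carries the full task definition: the principal it runs as, the action it launches and its triggers. The following Python triage routine is an added example and is not part of this page, of ATT&CK or of any of the products mapped below; it assumes the three 4698 fields (SubjectUserName, TaskName, TaskContent) have already been extracted into a dict, and the sample events, SIDs, task names and the heuristic lists (interpreters, user-writable directories, argument patterns) are constructed for illustration. It flags the patterns the description names: a task running as SYSTEM or requesting elevation, a script interpreter launched with hidden or encoded arguments, a binary executing from a user-writable directory, and a one-shot trigger (proxy execution rather than persistence).

```python
"""Triage Windows Security event 4698 records for Scheduled Task/Job abuse patterns.
The event records at the bottom are constructed for this example, not real telemetry."""
import ntpath
import re
import xml.etree.ElementTree as ET

TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"
SYSTEM_SID = "S-1-5-18"
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Argument fragments typical of obfuscated or downloader-style launches (heuristic list).
SUSPICIOUS_ARGS = re.compile(
    r"(?i)(-w(?:indowstyle)?\s+hidden|-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}"
    r"|\biex\b|downloadstring|https?://)")
# Directories a standard user can write to; a persistent task should not execute from them.
USER_WRITABLE = re.compile(r"(?i)\\(appdata|temp|tmp|users\\public|programdata|downloads)\\")


def parse_task_xml(task_content):
    """Extract principal, action and trigger details from a Task Scheduler definition."""
    # 4698 embeds the definition with an encoding="UTF-16" declaration; expat rejects a
    # multi-byte encoding declaration on an already-decoded str, so strip it first.
    root = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", task_content))
    ns = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""
    q = (lambda tag: f"{{{ns}}}{tag}") if ns else (lambda tag: tag)

    def text(path):
        node = root.find("/".join(q(p) for p in path.split("/")))
        return (node.text or "").strip() if node is not None else ""

    trigger_nodes = [t for trig in root.findall(q("Triggers")) for t in trig]
    return {
        # A principal names either a UserId (SID) or a GroupId.
        "user_id": text("Principals/Principal/UserId") or text("Principals/Principal/GroupId"),
        "run_level": text("Principals/Principal/RunLevel"),
        "command": text("Actions/Exec/Command").strip('"'),
        "arguments": text("Actions/Exec/Arguments"),
        "triggers": [t.tag.rsplit("}", 1)[-1] for t in trigger_nodes],
        # Only TimeTriggers without a Repetition element: the task fires exactly once.
        "one_shot": bool(trigger_nodes) and all(
            t.tag == q("TimeTrigger") and t.find(q("Repetition")) is None for t in trigger_nodes),
    }


def analyze_task_event(event):
    """Return the parsed task plus a list of findings (empty when nothing stands out)."""
    task = parse_task_xml(event["TaskContent"])
    findings = []
    if task["user_id"] == SYSTEM_SID:
        findings.append("runs as SYSTEM")
    elif task["run_level"] == "HighestAvailable":
        findings.append("requests highest available privileges")
    exe = ntpath.basename(task["command"]).lower()
    if exe in INTERPRETERS and SUSPICIOUS_ARGS.search(task["arguments"]):
        findings.append(f"{exe} launched with hidden, encoded or download arguments")
    if USER_WRITABLE.search(task["command"]):
        findings.append("command lives in a user-writable directory")
    if task["one_shot"]:
        findings.append("one-shot trigger only: proxy execution rather than persistence")
    return {"task_name": event["TaskName"], "created_by": event["SubjectUserName"],
            **task, "findings": findings}


def scan(events):
    """Keep only the 4698 events that produced at least one finding."""
    return [r for r in map(analyze_task_event, events) if r["findings"]]


def task_xml(user_id, run_level, trigger_xml, command, arguments):
    """Build a task definition in the shape 4698 stores in TaskContent (constructed sample)."""
    return f"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="{TASK_NS}">
  <Triggers>{trigger_xml}</Triggers>
  <Principals><Principal id="Author"><UserId>{user_id}</UserId><RunLevel>{run_level}</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>{command}</Command><Arguments>{arguments}</Arguments></Exec></Actions>
</Task>"""


# Constructed sample events: a legitimate recurring job, a SYSTEM-level logon
# persistence task, and a one-shot task executing from a user's temp directory.
SAMPLE_EVENTS = [
    {"EventID": 4698, "SubjectUserName": "svc-backup", "TaskName": r"\Corp\NightlyBackup",
     "TaskContent": task_xml("S-1-5-21-1111-2222-3333-1105", "LeastPrivilege",
                             "<CalendarTrigger><StartBoundary>2024-01-01T02:00:00</StartBoundary>"
                             "<ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger>",
                             r"C:\Program Files\Corp\backup.exe", "--full")},
    {"EventID": 4698, "SubjectUserName": "alice", "TaskName": r"\Updater",
     "TaskContent": task_xml(SYSTEM_SID, "HighestAvailable",
                             "<LogonTrigger><Enabled>true</Enabled></LogonTrigger>",
                             "powershell.exe", "-nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA")},
    {"EventID": 4698, "SubjectUserName": "bob", "TaskName": r"\OneTime",
     "TaskContent": task_xml("S-1-5-21-1111-2222-3333-1210", "LeastPrivilege",
                             "<TimeTrigger><StartBoundary>2024-05-05T10:05:00</StartBoundary></TimeTrigger>",
                             r"C:\Users\bob\AppData\Local\Temp\svc.exe", "")},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f'{hit["task_name"]} (created by {hit["created_by"]}, runs as {hit["user_id"]}):')
        for finding in hit["findings"]:
            print("  -", finding)
```

Running the script reports the `\Updater` and `\OneTime` tasks and stays silent on the nightly backup. The principal check is the piece that maps to the configuration-baseline rows below (tasks running as the authenticated user rather than SYSTEM); in production the same parser would be fed from the SIEM's 4698 pipeline rather than the constructed list, and the interpreter and directory lists tuned to the estate.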


CRI Profile Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
PR.PS-01.01 | Configuration baselines | Mitigates | T1053 | Scheduled Task/Job
Comments: This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation.
PR.PS-01.02 | Least functionality | Mitigates | T1053 | Scheduled Task/Job
Comments: This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems have installed and enabled only what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
PR.AA-05.02 | Privileged system access | Mitigates | T1053 | Scheduled Task/Job
Comments: This diagnostic statement protects against Scheduled Task/Job through privileged account management and multi-factor authentication.
PR.PS-01.03 | Configuration deviation | Mitigates | T1053 | Scheduled Task/Job
Comments: This diagnostic statement protects against Scheduled Task/Job through security configuration baselines for the OS and software, file integrity monitoring, and imaging. An operating system baseline that runs scheduled tasks as the authenticated user rather than SYSTEM, combined with integrity checking, helps protect against adversaries attempting to compromise and modify software and its configuration.
DE.CM-03.03 | Privileged account monitoring | Mitigates | T1053 | Scheduled Task/Job
Comments: This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and of account activity is essential to prevent and detect unauthorized access or misuse.
PR.AA-01.01 | Identity and credential management | Mitigates | T1053 | Scheduled Task/Job
Comments: This diagnostic statement protects against Scheduled Task/Job through hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

              VERIS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1053 | Scheduled Task/Job
action.hacking.variety.Backdoor | Hacking action that creates a backdoor for use. | related-to | T1053 | Scheduled Task/Job
action.hacking.vector.Backdoor | Hacking actions taken through a backdoor. C2 is only used by malware. | related-to | T1053 | Scheduled Task/Job

              Azure Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | technique_scores | T1053 | Scheduled Task/Job
Comments: This control can detect the creation or modification of scheduled tasks/jobs.
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | technique_scores | T1053 | Scheduled Task/Job
Comments: This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can mitigate a few of this technique's sub-techniques. Because that coverage is Minimal, the score is assessed as Minimal.
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | technique_scores | T1053 | Scheduled Task/Job

              GCP Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
google_secops | Google Security Operations | technique_scores | T1053 | Scheduled Task/Job
Comments: Google Security Ops can trigger an alert on suspicious modifications to the infrastructure, such as new task scheduling to execute programs. This technique was scored as Minimal based on a low or uncertain detection coverage factor.
References:
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/sysmon/a_scheduled_task_was_created.yaral
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/mitre_attack/T1053_005_windows_creation_of_scheduled_task.yaral

              AWS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
amazon_inspector | Amazon Inspector | technique_scores | T1053 | Scheduled Task/Job
Comments: The Amazon Inspector Best Practices assessment package can assess the security control "Configure permissions for system directories", which prevents privilege escalation by local users and ensures only the root account can modify or execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications; it only checks whether security controls are in place, which can inform decisions about hardening the system. Furthermore, Amazon Inspector supports only a subset of this technique's sub-techniques. Because of this, and because the check is supported only on Linux platforms, the score is Minimal.
aws_config | AWS Config | technique_scores | T1053 | Scheduled Task/Job
Comments: This control provides partial coverage for one of this technique's sub-techniques, resulting in an overall score of Minimal.

              ATT&CK Subtechniques

Technique ID | Technique Name | Number of Mappings
T1053.005 | Scheduled Task | 25
T1053.007 | Container Orchestration Job | 16
T1053.003 | Cron | 14
T1053.006 | Systemd Timers | 17
T1053.002 | At | 23