Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)
Adversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| AC-2 | Account Management | Protects | T1053 | Scheduled Task/Job | |
| AC-3 | Access Enforcement | Protects | T1053 | Scheduled Task/Job | |
| AC-5 | Separation of Duties | Protects | T1053 | Scheduled Task/Job | |
| AC-6 | Least Privilege | Protects | T1053 | Scheduled Task/Job | |
| CA-8 | Penetration Testing | Protects | T1053 | Scheduled Task/Job | |
| CM-2 | Baseline Configuration | Protects | T1053 | Scheduled Task/Job | |
| CM-5 | Access Restrictions for Change | Protects | T1053 | Scheduled Task/Job | |
| CM-6 | Configuration Settings | Protects | T1053 | Scheduled Task/Job | |
| CM-7 | Least Functionality | Protects | T1053 | Scheduled Task/Job | |
| CM-8 | System Component Inventory | Protects | T1053 | Scheduled Task/Job | |
| IA-2 | Identification and Authentication (organizational Users) | Protects | T1053 | Scheduled Task/Job | |
| IA-4 | Identifier Management | Protects | T1053 | Scheduled Task/Job | |
| RA-5 | Vulnerability Monitoring and Scanning | Protects | T1053 | Scheduled Task/Job | |
| SI-4 | System Monitoring | Protects | T1053 | Scheduled Task/Job |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| azure_security_center_recommendations | Azure Security Center Recommendations | technique_scores | T1053 | Scheduled Task/Job |
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can mitigate a few of the sub-techniques of this technique. Due to its Minimal coverage, its score is assessed as Minimal.
References
|
| azure_sentinel | Azure Sentinel | technique_scores | T1053 | Scheduled Task/Job |
Comments
This control provides minimal to partial coverage of a minority of this technique's sub-techniques, resulting in an overall score of Minimal.
References
|
| file_integrity_monitoring | File Integrity Monitoring | technique_scores | T1053 | Scheduled Task/Job | |
| azure_defender_for_app_service | Azure Defender for App Service | technique_scores | T1053 | Scheduled Task/Job |
Comments
This control does not address this technique's procedure examples and only one of its sub-techniques resulting in an overall Minimal score.
References
|
| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1053.001 | At (Linux) | 10 |
| T1053.002 | At (Windows) | 15 |
| T1053.003 | Cron | 12 |
| T1053.004 | Launchd | 9 |
| T1053.005 | Scheduled Task | 17 |
| T1053.006 | Systemd Timers | 12 |