T1053.005 Scheduled Task Mappings

Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The <code>schtasks</code> can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library to create a scheduled task.

The deprecated at utility could also be abused by adversaries (ex: At (Windows)), though <code>at.exe</code> can not access tasks created with <code>schtasks</code> or the Control Panel.

An adversary may use Windows Task Scheduler to execute programs at system startup or on a scheduled basis for persistence. The Windows Task Scheduler can also be abused to conduct remote Execution as part of Lateral Movement and or to run a process under the context of a specified account (such as SYSTEM).

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
AC-2 Account Management Protects T1053.005 Scheduled Task
AC-3 Access Enforcement Protects T1053.005 Scheduled Task
AC-5 Separation of Duties Protects T1053.005 Scheduled Task
AC-6 Least Privilege Protects T1053.005 Scheduled Task
CA-8 Penetration Testing Protects T1053.005 Scheduled Task
CM-2 Baseline Configuration Protects T1053.005 Scheduled Task
CM-5 Access Restrictions for Change Protects T1053.005 Scheduled Task
CM-6 Configuration Settings Protects T1053.005 Scheduled Task
CM-7 Least Functionality Protects T1053.005 Scheduled Task
CM-8 System Component Inventory Protects T1053.005 Scheduled Task
IA-2 Identification and Authentication (organizational Users) Protects T1053.005 Scheduled Task
IA-4 Identifier Management Protects T1053.005 Scheduled Task
RA-5 Vulnerability Monitoring and Scanning Protects T1053.005 Scheduled Task
SI-4 System Monitoring Protects T1053.005 Scheduled Task
azure_sentinel Azure Sentinel technique_scores T1053.005 Scheduled Task
Comments
The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can interact with the Windows task scheduler, but does not address other procedures.
References
    file_integrity_monitoring File Integrity Monitoring technique_scores T1053.005 Scheduled Task
    Comments
    This control may detect changes to the Windows registry upon creation or modification of scheduled tasks. This control may also detect changes to files used by cron or systemd to create/modify scheduled tasks. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
    References
      azure_defender_for_app_service Azure Defender for App Service technique_scores T1053.005 Scheduled Task
      Comments
      This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via the New-UserPersistenceOption Persistence module on Windows, but does not address other procedures, and temporal factor is unknown, resulting in a Minimal score.
      References