T1053 Scheduled Task/Job Mappings

Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)

Adversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-2 Account Management Protects T1053 Scheduled Task/Job
AC-3 Access Enforcement Protects T1053 Scheduled Task/Job
AC-5 Separation of Duties Protects T1053 Scheduled Task/Job
AC-6 Least Privilege Protects T1053 Scheduled Task/Job
CA-8 Penetration Testing Protects T1053 Scheduled Task/Job
CM-2 Baseline Configuration Protects T1053 Scheduled Task/Job
CM-5 Access Restrictions for Change Protects T1053 Scheduled Task/Job
CM-6 Configuration Settings Protects T1053 Scheduled Task/Job
CM-7 Least Functionality Protects T1053 Scheduled Task/Job
CM-8 System Component Inventory Protects T1053 Scheduled Task/Job
IA-2 Identification and Authentication (organizational Users) Protects T1053 Scheduled Task/Job
IA-4 Identifier Management Protects T1053 Scheduled Task/Job
IA-8 Identification and Authentication (non-organizational Users) Protects T1053 Scheduled Task/Job
RA-5 Vulnerability Monitoring and Scanning Protects T1053 Scheduled Task/Job
SI-4 System Monitoring Protects T1053 Scheduled Task/Job
action.hacking.variety.Abuse of functionality Abuse of functionality related-to T1053 Scheduled Task/Job
action.hacking.vector.Backdoor or C2 Backdoor or command and control channel related-to T1053 Scheduled Task/Job
aws_config AWS Config technique_scores T1053 Scheduled Task/Job
amazon_inspector Amazon Inspector technique_scores T1053 Scheduled Task/Job

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1053.001 At (Linux) 11
T1053.002 At (Windows) 15
T1053.007 Container Orchestration Job 9
T1053.003 Cron 11
T1053.004 Launchd 10
T1053.005 Scheduled Task 16
T1053.006 Systemd Timers 11