Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The <code>schtasks</code> can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library to create a scheduled task.
The deprecated at utility could also be abused by adversaries (ex: At (Windows)), though <code>at.exe</code> can not access tasks created with <code>schtasks</code> or the Control Panel.
An adversary may use Windows Task Scheduler to execute programs at system startup or on a scheduled basis for persistence. The Windows Task Scheduler can also be abused to conduct remote Execution as part of Lateral Movement and or to run a process under the context of a specified account (such as SYSTEM).
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| AC-2 | Account Management | Protects | T1053.005 | Scheduled Task | |
| AC-3 | Access Enforcement | Protects | T1053.005 | Scheduled Task | |
| AC-5 | Separation of Duties | Protects | T1053.005 | Scheduled Task | |
| AC-6 | Least Privilege | Protects | T1053.005 | Scheduled Task | |
| CA-8 | Penetration Testing | Protects | T1053.005 | Scheduled Task | |
| CM-2 | Baseline Configuration | Protects | T1053.005 | Scheduled Task | |
| CM-5 | Access Restrictions for Change | Protects | T1053.005 | Scheduled Task | |
| CM-6 | Configuration Settings | Protects | T1053.005 | Scheduled Task | |
| CM-7 | Least Functionality | Protects | T1053.005 | Scheduled Task | |
| CM-8 | System Component Inventory | Protects | T1053.005 | Scheduled Task | |
| IA-2 | Identification and Authentication (organizational Users) | Protects | T1053.005 | Scheduled Task | |
| IA-4 | Identifier Management | Protects | T1053.005 | Scheduled Task | |
| RA-5 | Vulnerability Monitoring and Scanning | Protects | T1053.005 | Scheduled Task | |
| SI-4 | System Monitoring | Protects | T1053.005 | Scheduled Task |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1053.005 | Scheduled Task/Job: Scheduled Task |