Scheduled Task/Job T1053

Tactics: Execution, Persistence, Privilege Escalation

Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires membership in an admin or otherwise privileged group on the remote system.

Events covered

29 catalog events are tagged with this technique by at least one rule.

Provider | Event | Title
--- | --- | ---
Sysmon | Event ID 1 | Process creation
Sysmon | Event ID 3 | Network connection
Sysmon | Event ID 7 | Image loaded
Sysmon | Event ID 11 | FileCreate
Sysmon | Event ID 12 | RegistryEvent (Object create and delete)
Sysmon | Event ID 13 | RegistryEvent (Value Set)
Sysmon | Event ID 14 | RegistryEvent (Key and Value Rename)
Security-Auditing | Event ID 4656 | A handle to an object was requested.
Security-Auditing | Event ID 4688 | A new process has been created.
Security-Auditing | Event ID 4698 | A scheduled task was created.
Security-Auditing | Event ID 4699 | A scheduled task was deleted.
Security-Auditing | Event ID 4700 | A scheduled task was enabled.
Security-Auditing | Event ID 4701 | A scheduled task was disabled.
Security-Auditing | Event ID 4702 | A scheduled task was updated.
Security-Auditing | Event ID 4799 | A security-enabled local group membership was enumerated.
Security-Auditing | Event ID 5136 | A directory service object was modified.
Security-Auditing | Event ID 5145 | A network share object was checked to see whether client can be granted desired access.
Defender-DeviceProcessEvents | any | Process activity (any)
Defender-DeviceProcessEvents | ProcessCreated | Process created
ESF | exec | Process Execution (Notify)
ESF | write | File Write (NOTIFY)
PowerShell | Event ID 4103 | Payload Context: ContextInfo User Data: UserData.
PowerShell | Event ID 4104 | Creating Scriptblock text (MessageNumber of MessageTotal).
TaskScheduler | Event ID 129 | Task Scheduler launch task "Name" , instance "TaskName" with process ID Path.
TaskScheduler | Event ID 200 | Task Scheduler launched action "TaskName" in instance "ActionName" of task "Name".
TaskScheduler | Event ID 201 | Task Scheduler successfully completed task "Name" , instance "TaskInstanceId" , action "TaskName" .
Service-Control-Manager | Event ID 7045 | A service was installed in the system.
Sysmon-for-Linux | Event ID 1 | Process Create
Sysmon-for-Linux | Event ID 11 | File created

Authoring guide

Patterns shared across the 200 rules tagged with this technique: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (111 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match, and so on) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field | Rules | How | Sample values
--- | --- | --- | ---
CommandLine | 73 | contains 55, in 8, match 8, regex_match 3, wildcard 2, ends_with 1, eq 1, is_not_null 1 | /create , /create, /create , /change , (?i)\-(L|R|N|D|C)|IdentitiesOnly=yes|StrictHostKeyChecking=no|ssh
Image | 45 | ends_with 38, contains 5, eq 4, starts_with 2, in 1, is_not_null 1, ne 1, wildcard 1 | \schtasks.exe, \cmd.exe, *\\perflogs\\*, *\\temp\\*, *\\users\\administrator\\music\\*
process_name | 34 | eq 24, in 10, is_not_null 2, starts_with 1 | schtasks.exe, powershell.exe, at.exe, cmd.exe, crontab
EventID | 31 | eq 28, in 3 | 4698, 4104, 4688, 1, 4700
EventType | 24 | eq 11, in 9, starts_with 3, ne 1 | creation, exec, rename, Image loaded, exec_event
OriginalFileName | 21 | eq 20, in 1 | schtasks.exe, cmd.exe, at.exe, control.exe, cscript.exe
TargetFilename | 19 | wildcard 8, starts_with 5, contains 3, in 3, eq 2, ends_with 1 | /etc/cron.allow, /etc/cron.d/*, */etc/at.allow, */etc/at.deny, */etc/cron*
event.type | 18 | eq 13, ne 5 | start, deletion, change
host.os.type | 13 | eq 13 |
Channel | 12 | eq 12, in 12 |
eventtype | 12 | eq 12 |
parent_process_name | 11 | eq 9, in 3 | svchost.exe, CompatTelRunner.exe, ScreenConnect.ClientService.exe, ScreenConnect.WindowsBackstageShell.exe, ScreenConnect.WindowsClient.exe
process.args | 10 | eq 4, starts_with 4, wildcard 3, contains 2, in 2 | * /dev/shm/* , * /home/*, * /run/*, *Reflection.Assembly*, *downloadstring*
ParentImage | 9 | ends_with 5, contains 2, eq 2 | \powershell.exe, :\program files (x86)\zemana\antimalware\antimalware.exe, :\program files\axis communications\axis camera..., :\program files\axis communications\axis device..., :\temp\
TaskContent | 9 | contains 6, in 2, match 2 | #1, <command>c:\\windows\\system32\\compmgmtlauncher.ex..., <command>c:\\windows\\system32\\eventvwr.msc</co..., <command>c:\\windows\\system32\\zh-cn\\eventvwr.msc..., <hidden>true</hidden>

Top indicator values (1797 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition for a useful signal. Blank means the combination is specific to rules under this technique.

Field | Kind | Value | Rules (here) | Corpus reach
--- | --- | --- | --- | ---
Image | ends_with | \schtasks.exe | 26 | 56
OriginalFileName | eq | schtasks.exe | 18 | 23
EventID | eq | 4698 | 14 | 14
EventID | eq | 4104 | 4 | 268
EventID | eq | 4688 | 4 | 313
process_name | eq | schtasks.exe | 11 | 21
process_name | eq | powershell.exe | 4 | 104
event.type | eq | start | 10 | 606
CommandLine | contains | /create | 9 | 15
CommandLine | contains | /create | 9 | 9
CommandLine | contains | /create | 5 | 5
CommandLine | contains | create | 4 | 24
CommandLine | contains | nt aut | 4 | 3
CommandLine | contains | powershell | 4 | 25
CommandLine | contains | schtasks | 4 | 6
CommandLine | contains | wscript | 4 | 16
CommandLine | contains | /change | 3 | 3
CommandLine | contains | %appdata% | 3 | 13
CommandLine | contains | cmd.exe /c | 3 | 6
CommandLine | contains | cmd.exe /k | 3 | 5
CommandLine | contains | cmd.exe /r | 3 | 5
CommandLine | contains | cscript | 3 | 15
event.category | eq | process | 5 | 128
event.type | ne | deletion | 5 | 28
AccessList | contains | %%4417 | 4 | 11
EventType | in | creation | 4 | 23
EventType | in | exec | 4 | 171
EventType | in | rename | 4 | 18
parent_process_name | eq | svchost.exe | 4 | 13
sourcetype | eq | auditd | 4 | 56

Exclusions (416 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

Field | Kind | Value | Rules excluding
--- | --- | --- | ---
file.extension | in | dpkg-remove | 4
file.extension | in | swp | 4
file.extension | in | swx | 4
Image | ends_with | \schtasks.exe | 3
Image | in | ./usr/bin/podman | 3
Image | in | /bin/autossl_check | 3
Image | in | /bin/chef-client | 3
Image | in | /bin/dnf | 3
Image | in | /bin/dnf-automatic | 3
Image | in | /bin/dockerd | 3
Image | in | /bin/dpkg | 3
Image | in | /bin/dpkg-divert | 3
Image | in | /bin/microdnf | 3
Image | in | /bin/pacman | 3
Image | in | /bin/pamac-daemon | 3

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor (200 rules in total).

Sigma: 79 rules
Elastic: 36 rules
Splunk: 65 rules
Kusto: 14 rules
YARA-L: 1 rule
Panther: 5 rules