T1053.005 — Scheduled Task

Technique

T1053.005

Tactics

Execution, Persistence, Privilege Escalation

MISP citations

0

KEV CVEs mapped

2

Community rules

51

thrunt rules

0

Upstream

https://attack.mitre.org/techniques/T1053/005

MITRE description

Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The [schtasks](https://attack.mitre.org/software/S0111) utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel.(Citation: Stack Overflow) In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) (WMI) to create a scheduled task. Adversaries may also utilize the Powershell Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to create a scheduled task via an XML path.(Citation: Red Canary - Atomic Red Team) An adversary may use Windows Task Scheduler to execute programs at system startup or on a scheduled basis for persistence. The Windows Task Scheduler can also be abused to conduct remote Execution as part of Lateral Movement and/or to run a process under the context of a specified account (such as SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218), adversaries have also abused the Windows Task Scheduler to potentially mask one-time execution under signed/trusted system processes.(Citation: ProofPoint Serpent) Adversaries may also create "hidden" scheduled tasks (i.e. [Hide Artifacts](https://attack.mitre.org/techniques/T1564)) that may not be visible to defender tools and manual queries used to enumerate tasks. Specifically, an adversary may hide a task from `schtasks /query` and the Task Scheduler by deleting the associated Security Descriptor (SD) registry value (where deletion of this value must be completed using SYSTEM permissions).(Citation: SigmaHQ)(Citation: Tarrask scheduled task) Adversaries may also employ alternate methods to hide tasks, such as altering the metadata (e.g., `Index` value) within associated registry keys.(Citation: Defending Against Scheduled Task Attacks in Windows Environments)

KEV CVEs mapped to this technique

Per MITRE CTID's hand-curated KEV→ATT&CK mappings — these are the actively-exploited vulnerabilities behind this technique's KEV signal.

• CVE-2023-46604
• CVE-2021-34473

Detection coverage

SigmaHQ community rules

• Turla Group Commands May 2020 (emerging-threats)
• OilRig APT Activity (emerging-threats)
• OilRig APT Registry Persistence (emerging-threats)
• OilRig APT Schedule Task Persistence - Security (emerging-threats)
• OilRig APT Schedule Task Persistence - System (emerging-threats)
• Defrag Deactivation (emerging-threats)
• Potential BearLPE Exploitation (emerging-threats)
• Operation Wocao Activity (emerging-threats)
• Operation Wocao Activity - Security (emerging-threats)
• ChromeLoader Malware Execution (emerging-threats)
• Serpent Backdoor Payload Execution Via Scheduled Task (emerging-threats)
• Potential ACTINIUM Persistence Activity (emerging-threats)
• Diamond Sleet APT Scheduled Task Creation (emerging-threats)
• Kapeka Backdoor Persistence Activity (emerging-threats)
• Kapeka Backdoor Scheduled Task Creation (emerging-threats)
• Scheduled Task Deletion (threat-hunting)
• Scheduled Task Created - FileCreation (threat-hunting)
• Task Scheduler DLL Loaded By Application Located In Potentially Suspicious Location (threat-hunting)
• Scheduled Task Creation From Potential Suspicious Parent Location (threat-hunting)
• Scheduled Task Created - Registry (threat-hunting)
• Persistence and Execution at Scale via GPO Scheduled Task (core)
• Suspicious Scheduled Task Creation (core)
• Important Scheduled Task Deleted/Disabled (core)
• Suspicious Scheduled Task Update (core)
• Scheduled Task Executed From A Suspicious Location (core)

Showing 25 of 51 community rules — the full set is tagged attack.t1053.005 in SigmaHQ.

Signal counts reflect the current corpus snapshot: MISP citations are regex-extracted from CIRCL OSINT event text and galaxy tags; KEV mappings come from MITRE CTID; community coverage is the SigmaHQ rule inventory (core, emerging-threats, threat-hunting collections) at release r2026-04-01. Rule bodies are not mirrored — links go upstream.