Applied Cybernetics Group
T1053 — Scheduled Task/Job
- Technique
T1053- Tactics
- Execution, Persistence, Privilege Escalation
- MISP citations
- 0
- KEV CVEs mapped
- 2
- Community rules
- 12
- thrunt rules
- 0
- Upstream
- https://attack.mitre.org/techniques/T1053
MITRE description
Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security) Adversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218), adversaries have also abused task scheduling to potentially mask one-time execution under a trusted system process.(Citation: ProofPoint Serpent)
KEV CVEs mapped to this technique
Per MITRE CTID's hand-curated KEV→ATT&CK mappings — these are the actively-exploited vulnerabilities behind this technique's KEV signal.
Detection coverage
SigmaHQ community rules
- Defrag Deactivation - Security (emerging-threats)
- HAFNIUM Exchange Exploitation Activity (emerging-threats)
- Potential ACTINIUM Persistence Activity (emerging-threats)
- Remote Schedule Task Lateral Movement via ATSvc (core)
- Remote Schedule Task Lateral Movement via ITaskSchedulerService (core)
- Remote Schedule Task Lateral Movement via SASec (core)
- Cisco Modify Configuration (core)
- Suspicious Scheduled Task Write to System32 Tasks (core)
- HackTool - CrackMapExec Execution Patterns (core)
- HackTool - CrackMapExec Execution (core)
- HackTool - SharPersist Execution (core)
- Scheduled TaskCache Change by Uncommon Program (core)