T1053

Scheduled Task/Job

Execution Persistence Privilege Escalation

Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Adversaries use task scheduling to execute programs at system startup or on a scheduled basis for persistence, to run processes under elevated account contexts (such as SYSTEM), and to potentially mask one-time execution under a trusted system process. Sub-techniques cover Windows Task Scheduler (T1053.005), the legacy AT command (T1053.002), Unix cron (T1053.003), macOS launchd (T1053.004), Linux systemd timers (T1053.006), and container orchestration jobs (T1053.007).

Microsoft Sentinel / Defender

kusto

// T1053 — Scheduled Task/Job: Multi-branch Windows detection
// Branch 1: schtasks.exe / at.exe process creation with suspicious indicators
let SuspiciousTaskCreation = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("schtasks.exe", "at.exe")
| where ProcessCommandLine has_any ("/create", "/change", "-create", "-change")
| extend RunAsSystem = ProcessCommandLine has_any ("/ru SYSTEM", "/ru \"NT AUTHORITY\\SYSTEM\"")
| extend SuspiciousPath = ProcessCommandLine has_any (
    "%APPDATA%", "%TEMP%", "%PUBLIC%",
    "\\AppData\\Local\\Temp", "\\AppData\\Roaming\\",
    "C:\\Users\\Public\\", "C:\\ProgramData\\", "C:\\Windows\\Temp\\"
  )
| extend RemoteTask = ProcessCommandLine has "/s "
| extend ScriptExecution = ProcessCommandLine has_any (
    "powershell", "wscript", "cscript", "mshta",
    "regsvr32", "rundll32", "cmd /c", "cmd.exe /c", "certutil"
  )
| extend HiddenFlag = ProcessCommandLine has " /f"
| where RunAsSystem or SuspiciousPath or RemoteTask or ScriptExecution
| extend SuspicionScore = (toint(RunAsSystem) + toint(SuspiciousPath) + toint(RemoteTask) + toint(ScriptExecution))
| project
    Timestamp, DeviceName, AccountName,
    FileName, ProcessCommandLine,
    InitiatingProcessFileName, InitiatingProcessCommandLine,
    RunAsSystem, SuspiciousPath, RemoteTask, ScriptExecution, HiddenFlag, SuspicionScore,
    DetectionBranch = "schtasks_process_creation";
// Branch 2: Security Event 4698 — Scheduled Task Created (audit log)
let TaskAuditEvents = SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4698
| extend TaskName = extract(@"<TaskName>(.*?)</TaskName>", 1, EventData)
| extend TaskAction = extract(@"<Command>(.*?)</Command>", 1, EventData)
| extend TaskArguments = extract(@"<Arguments>(.*?)</Arguments>", 1, EventData)
| extend TaskPrincipal = extract(@"<UserId>(.*?)</UserId>", 1, EventData)
| extend RunAsSystem = TaskPrincipal has_any ("SYSTEM", "S-1-5-18")
| extend SuspiciousAction = (TaskAction has_any (
    "powershell", "wscript", "cscript", "mshta", "regsvr32",
    "rundll32", "cmd.exe", "certutil"
  ) or TaskArguments has_any (
    "AppData", "\\Temp\\", "\\Public\\", "ProgramData", "http", "EncodedCommand", "-enc"
  ))
| where SuspiciousAction
| extend SuspicionScore = toint(SuspiciousAction) + toint(RunAsSystem)
| project
    TimeGenerated, Computer, Account,
    TaskName, TaskAction, TaskArguments, TaskPrincipal,
    RunAsSystem, SuspiciousAction, SuspicionScore,
    DetectionBranch = "security_event_4698";
// Union both branches and sort
union SuspiciousTaskCreation, TaskAuditEvents
| sort by coalesce(Timestamp, TimeGenerated) desc

high severity medium confidence

Data Sources

Process: Process Creation Scheduled Job: Scheduled Job Creation Command: Command Execution Microsoft Defender for Endpoint Windows Security Event Log

Required Tables

DeviceProcessEvents SecurityEvent

False Positives

IT automation and configuration management tools (SCCM/CCMExec, Intune, Ansible WinRM) creating scheduled tasks for software deployment, patching, and policy enforcement — typically identifiable by ccmexec.exe or msiexec.exe as the initiating process
Monitoring and observability agents (Datadog, SolarWinds, Nagios, Elastic Agent) scheduling periodic data collection or health check tasks with actions in ProgramData or similar directories
Legitimate software products creating update or maintenance tasks at installation time (Adobe, Chrome, Java, antivirus products) — usually run from %APPDATA% or ProgramData with predictable task names and vendor-signed binaries
System administrators creating administrative maintenance scripts scheduled as SYSTEM for disk cleanup, log archival, certificate renewal, or backup operations
Development and CI/CD pipelines on build agents creating tasks as part of automated test execution or environment setup, often with PowerShell actions in Temp directories

Splunk

spl

// T1053 — Scheduled Task/Job: Multi-source SPL detection
(
  (index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
   (Image="*\\schtasks.exe" OR Image="*\\at.exe"))
  OR
  (index=wineventlog sourcetype="WinEventLog:Security" EventCode=4698)
)
| eval source_branch=case(
    sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "schtasks_sysmon",
    sourcetype="WinEventLog:Security" AND EventCode=4698, "task_created_4698",
    true(), "unknown"
  )
| eval RawText=coalesce(CommandLine, Message, "")
| eval RawTextLower=lower(RawText)
| eval RunAsSystem=if(
    match(RawTextLower, "(/ru\s+system|/ru\s+\"nt authority|<userid>s-1-5-18</userid>|userid.*system)"),
    1, 0
  )
| eval SuspiciousPath=if(
    match(RawTextLower, "(appdata|\\\\temp\\\\|\\\\tmp\\\\|\\\\public\\\\|c:\\\\programdata\\\\|users\\\\public)"),
    1, 0
  )
| eval RemoteTask=if(
    match(RawTextLower, "/s\s+[a-z0-9\-_\.]+"),
    1, 0
  )
| eval ScriptExecution=if(
    match(RawTextLower, "(powershell|wscript\.exe|cscript\.exe|mshta\.exe|regsvr32\.exe|rundll32\.exe|cmd\.exe|certutil\.exe)"),
    1, 0
  )
| eval EncodedPayload=if(
    match(RawTextLower, "(-encodedcommand|-enc\s|-e\s|-ec\s|frombase64string)"),
    1, 0
  )
| eval IsTaskCreationEvent=if(EventCode=4698, 1, 0)
| eval SuspicionScore=RunAsSystem + SuspiciousPath + RemoteTask + ScriptExecution + EncodedPayload + IsTaskCreationEvent
| where SuspicionScore > 0
| eval TaskName=coalesce(
    mvindex(split(RawText, "Task Name:"), 1),
    ""
  )
| table
    _time, host, User, source_branch,
    Image, CommandLine, ParentImage, ParentCommandLine,
    EventCode, TaskName,
    RunAsSystem, SuspiciousPath, RemoteTask, ScriptExecution, EncodedPayload, IsTaskCreationEvent,
    SuspicionScore
| sort - _time

high severity medium confidence

Data Sources

Process: Process Creation Scheduled Job: Scheduled Job Creation Sysmon Event ID 1 Windows Security Event 4698 Windows TaskScheduler Operational Log

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

IT automation and configuration management tools (SCCM/CCMExec, Intune, Ansible WinRM) creating scheduled tasks for software deployment, patching, and policy enforcement
Monitoring and observability agents (Datadog, SolarWinds, Nagios, Elastic Agent) scheduling periodic data collection or health check tasks with actions in ProgramData or similar directories
Legitimate software products creating update or maintenance tasks at installation time (Adobe, Chrome, Java, antivirus products)
System administrators creating administrative maintenance scripts scheduled as SYSTEM for disk cleanup, log archival, certificate renewal, or backup operations
Development and CI/CD pipelines on build agents creating tasks as part of automated test execution or environment setup

Elastic Security (EQL)

eql

/* Branch 1: schtasks.exe / at.exe process creation with suspicious indicators */
process where host.os.type == "windows" and
  event.type == "start" and
  process.name : ("schtasks.exe", "at.exe") and
  process.command_line : ("* /create *", "* /change *", "*-create *", "*-change *") and
  (
    process.command_line : ("*/ru SYSTEM*", "*/ru \"NT AUTHORITY*") or
    process.command_line : ("*AppData*", "*\\Temp\\*", "*\\Public\\*", "*ProgramData*", "*Windows\\Temp*") or
    process.command_line : ("*/s *") or
    process.command_line : ("*powershell*", "*wscript*", "*cscript*", "*mshta*", "*regsvr32*", "*rundll32*", "*certutil*") or
    process.command_line : ("*-EncodedCommand*", "*-enc *", "*-e *", "*FromBase64String*")
  )

/* Branch 2: Windows Security Event 4698 - Scheduled Task Created with suspicious content */
/* Deploy as a second rule targeting winlogbeat-* or logs-windows.security indices */
/*
any where host.os.type == "windows" and
  event.code == "4698" and
  (
    winlog.event_data.TaskContent : ("*powershell*", "*wscript*", "*cscript*", "*mshta*", "*regsvr32*", "*rundll32*", "*certutil*") or
    winlog.event_data.TaskContent : ("*AppData*", "*\\Temp\\*", "*\\Public\\*", "*ProgramData*") or
    winlog.event_data.TaskContent : ("*S-1-5-18*", "*\\SYSTEM*", "*EncodedCommand*", "*FromBase64String*")
  )
*/

high severity high confidence

Data Sources

Elastic Endpoint Security Winlogbeat (Windows Security Event Log) Elastic Agent (Windows integration)

Required Tables

logs-endpoint.events.process-* winlogbeat-* logs-windows.security-*

False Positives

Legitimate IT management platforms (SCCM, Ansible, PDQ Deploy) that create scheduled tasks using PowerShell runners during software deployment workflows
Software installers (Adobe, antivirus vendors, backup agents such as Veeam) that schedule update or maintenance tasks pointing to AppData or ProgramData staging paths
Authorized sysadmin scripts invoking schtasks.exe /create /ru SYSTEM for service account maintenance tasks, and remote administration via /s targeting known servers

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  LOGSOURCENAME(logsourceid) AS log_source,
  sourceip AS source_ip,
  username,
  QIDNAME(qid) AS event_name,
  CATEGORYNAME(category) AS category_name,
  "Process Name" AS process_name,
  "Command" AS command_line,
  "Parent Process Name" AS parent_process_name
FROM events
WHERE
  LOGSOURCETYPEID(devicetype) IN (
    12,   /* Microsoft Windows Security Event Log */
    145   /* Microsoft Windows Sysmon */
  )
  AND starttime > (CURRENT_TIMESTAMP - 86400000)
  AND (
    /* Branch 1: schtasks.exe or at.exe process creation with suspicious indicators */
    (
      (
        LOWER("Process Name") LIKE '%schtasks.exe%'
        OR LOWER("Process Name") LIKE '%at.exe%'
      )
      AND (
        LOWER("Command") LIKE '%/create%'
        OR LOWER("Command") LIKE '%/change%'
      )
      AND (
        LOWER("Command") LIKE '%/ru system%'
        OR LOWER("Command") LIKE '%nt authority%'
        OR LOWER("Command") LIKE '%appdata%'
        OR LOWER("Command") LIKE '%\\temp\\%'
        OR LOWER("Command") LIKE '%\\public\\%'
        OR LOWER("Command") LIKE '%programdata%'
        OR LOWER("Command") LIKE '%windows\\temp%'
        OR LOWER("Command") LIKE '%powershell%'
        OR LOWER("Command") LIKE '%wscript%'
        OR LOWER("Command") LIKE '%cscript%'
        OR LOWER("Command") LIKE '%mshta%'
        OR LOWER("Command") LIKE '%regsvr32%'
        OR LOWER("Command") LIKE '%rundll32%'
        OR LOWER("Command") LIKE '%certutil%'
        OR LOWER("Command") LIKE '%/s %'
        OR LOWER("Command") LIKE '%-encodedcommand%'
        OR LOWER("Command") LIKE '%-enc %'
        OR LOWER("Command") LIKE '%frombase64string%'
      )
    )
    /* Branch 2: Windows Security Event 4698 — Scheduled Task Created */
    OR (
      LOWER(QIDNAME(qid)) LIKE '%4698%'
      OR LOWER(QIDNAME(qid)) LIKE '%scheduled task was created%'
    )
  )
ORDER BY starttime DESC

high severity medium confidence

Data Sources

Windows Security Event Log (LOGSOURCETYPEID 12) Microsoft Windows Sysmon (LOGSOURCETYPEID 145)

Required Tables

events

False Positives

Enterprise patch management solutions (WSUS, SCCM, Tanium) invoking schtasks.exe with PowerShell-based runner commands during OS update and compliance workflows
Backup products (Veeam Backup, Windows Server Backup) registering scheduled tasks under SYSTEM in ProgramData paths as part of normal installation and job scheduling
Monitoring agents and endpoint security tools scheduling self-update or telemetry collection tasks via schtasks during agent installation or policy refresh cycles

Sumo Logic CSE

sql

(_sourceCategory="*windows*" OR _sourceCategory="*sysmon*" OR _sourceCategory="*winlogbeat*")
| where EventCode in ("1", "4698") OR EventID in ("1", "4698")
| if (isEmpty(CommandLine), Message, CommandLine) as RawText
| toLowerCase(RawText) as RawTextLower
| where
  (
    /* Branch 1: schtasks / at.exe process creation with at least one suspicious indicator */
    (
      (RawTextLower matches "*schtasks.exe*" OR RawTextLower matches "*\\at.exe*")
      AND (RawTextLower matches "*/create*" OR RawTextLower matches "*/change*")
      AND (
           RawTextLower matches "*/ru system*"
        OR RawTextLower matches "*appdata*"
        OR RawTextLower matches "*\\temp\\*"
        OR RawTextLower matches "*\\public\\*"
        OR RawTextLower matches "*programdata*"
        OR RawTextLower matches "*powershell*"
        OR RawTextLower matches "*wscript*"
        OR RawTextLower matches "*cscript*"
        OR RawTextLower matches "*mshta*"
        OR RawTextLower matches "*regsvr32*"
        OR RawTextLower matches "*rundll32*"
        OR RawTextLower matches "*certutil*"
        OR RawTextLower matches "*/s *"
        OR RawTextLower matches "*-encodedcommand*"
        OR RawTextLower matches "*frombase64string*"
      )
    )
    /* Branch 2: Event 4698 — Scheduled Task Created (all instances) */
    OR (EventCode = "4698" OR EventID = "4698")
  )
| if (RawTextLower matches "*/ru system*" OR RawTextLower matches "*nt authority*", 1, 0) as RunAsSystem
| if (RawTextLower matches "*appdata*" OR RawTextLower matches "*\\temp\\*" OR RawTextLower matches "*\\public\\*" OR RawTextLower matches "*programdata*" OR RawTextLower matches "*windows\\temp*", 1, 0) as SuspiciousPath
| if (RawTextLower matches "*/s *", 1, 0) as RemoteTask
| if (RawTextLower matches "*powershell*" OR RawTextLower matches "*wscript*" OR RawTextLower matches "*cscript*" OR RawTextLower matches "*mshta*" OR RawTextLower matches "*regsvr32*" OR RawTextLower matches "*rundll32*" OR RawTextLower matches "*certutil*", 1, 0) as ScriptExecution
| if (RawTextLower matches "*-encodedcommand*" OR RawTextLower matches "*frombase64string*", 1, 0) as EncodedPayload
| if (EventCode = "4698" OR EventID = "4698", 1, 0) as IsTaskCreatedEvent
| RunAsSystem + SuspiciousPath + RemoteTask + ScriptExecution + EncodedPayload + IsTaskCreatedEvent as SuspicionScore
| fields _time, host, User, EventCode, EventID, CommandLine, Image, ParentImage, ParentCommandLine, RunAsSystem, SuspiciousPath, RemoteTask, ScriptExecution, EncodedPayload, IsTaskCreatedEvent, SuspicionScore
| sort by _time desc

high severity high confidence

Data Sources

Windows Security Event Log (_sourceCategory=*windows*) Microsoft-Windows-Sysmon/Operational (_sourceCategory=*sysmon*) Winlogbeat (_sourceCategory=*winlogbeat*)

Required Tables

_sourceCategory=*windows*, _sourceCategory=*sysmon*, _sourceCategory=*winlogbeat*

False Positives

IT automation platforms (Chef, Puppet, Ansible) invoking schtasks.exe with PowerShell runners during node configuration runs — these may score high across multiple indicators simultaneously
Corporate endpoint management agents (Intune, Tanium) creating scheduled tasks pointing to ProgramData with SYSTEM privileges as part of normal software deployment pipelines
Security product self-healing and certificate validation tasks executing certutil.exe or cmd.exe under SYSTEM context for CRL checks or update enforcement

Google Chronicle / SecOps

yaral

rule t1053_scheduled_task_process_creation {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects suspicious schtasks.exe or at.exe process launches with SYSTEM context, suspicious paths, remote targeting, or script execution — indicative of T1053 Scheduled Task abuse"
    mitre_attack_technique = "T1053"
    mitre_attack_tactic = "Persistence, Privilege Escalation, Execution"
    severity = "HIGH"
    confidence = "HIGH"
    version = "1.0"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.target.process.file.full_path = /(?i)(\\schtasks\.exe$|\\at\.exe$)/
    $e.target.process.command_line = /(?i)(\/create|\/change|-create|-change)/
    (
      $e.target.process.command_line = /(?i)(\/ru\s+system|nt\s+authority\\\\system)/ or
      $e.target.process.command_line = /(?i)(appdata|\\temp\\|\\public\\|programdata|windows\\temp)/ or
      $e.target.process.command_line = /(?i)(powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe|regsvr32\.exe|rundll32\.exe|certutil\.exe)/ or
      $e.target.process.command_line = /\/s\s+[a-zA-Z0-9\-_.]+/ or
      $e.target.process.command_line = /(?i)(-encodedcommand|-enc\s|-e\s|-ec\s|frombase64string)/
    )

  condition:
    $e
}

rule t1053_scheduled_task_created_event_4698 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects Windows Security Event 4698 (Scheduled Task Created) where the task action references script interpreters, suspicious paths, or encoded payloads — indicative of T1053 persistence"
    mitre_attack_technique = "T1053"
    mitre_attack_tactic = "Persistence, Privilege Escalation, Execution"
    severity = "HIGH"
    confidence = "HIGH"
    version = "1.0"

  events:
    $e.metadata.event_type = "GENERIC_EVENT"
    $e.metadata.product_event_type = "4698"
    (
      $e.target.resource.name = /(?i)(powershell|wscript|cscript|mshta|regsvr32|rundll32|certutil)/ or
      $e.principal.user.userid = /(?i)(^system$|s-1-5-18)/ or
      $e.target.resource.attribute.labels["task_action"] = /(?i)(appdata|\\temp\\|\\public\\|programdata|encodedcommand|frombase64string)/
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle (Windows endpoint telemetry via Forwarder) Windows Event Forwarding to Chronicle UDM ingestion Chronicle SIEM UDM normalized events

Required Tables

UDM events (PROCESS_LAUNCH, GENERIC_EVENT with product_event_type 4698)

False Positives

Enterprise software deployment via SCCM or Microsoft Intune registering scheduled PowerShell runner tasks under SYSTEM context during device provisioning and policy enforcement
Third-party AV and EDR products scheduling integrity check or update tasks referencing certutil.exe or scripts in ProgramData as part of normal agent lifecycle management
Developer workstations running build automation or local CI scripts (MSBuild, npm, Gradle post-install hooks) that create schtasks entries with cmd.exe runners pointing to TEMP staging paths

CrowdStrike LogScale (CQL)

cql

// T1053 — Scheduled Task/Job: CrowdStrike Falcon LogScale detection
// Targets ProcessRollup2 events for schtasks.exe and at.exe with suspicious indicators

#event_simpleName in ["ProcessRollup2", "SyntheticProcessRollup2"]
| ImageFileName = /(?i)(\\schtasks\.exe$|\\at\.exe$)/
| CommandLine = /(?i)(\/create|\/change|-create|-change)/
| CommandLine = /(?i)(\/ru\s+system|nt\s+authority|appdata|\\temp\\|\\public\\|programdata|windows\\temp|powershell|wscript\.exe|cscript\.exe|mshta\.exe|regsvr32\.exe|rundll32\.exe|certutil\.exe|\/s\s+\S+|-encodedcommand|-enc\s|frombase64string)/
| RunAsSystem := if(CommandLine = /(?i)(\/ru\s+system|nt\s+authority\\\\system)/, "true", "false")
| SuspiciousPath := if(CommandLine = /(?i)(appdata|\\\\temp\\\\|\\\\public\\\\|programdata|windows\\\\temp)/, "true", "false")
| RemoteTask := if(CommandLine = /(?i)\/s\s+[a-zA-Z0-9\-_.]+/, "true", "false")
| ScriptExecution := if(CommandLine = /(?i)(powershell|wscript\.exe|cscript\.exe|mshta\.exe|regsvr32\.exe|rundll32\.exe|certutil\.exe)/, "true", "false")
| EncodedPayload := if(CommandLine = /(?i)(-encodedcommand|-enc\s|frombase64string)/, "true", "false")
| select([_time, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine, RunAsSystem, SuspiciousPath, RemoteTask, ScriptExecution, EncodedPayload])
| sort(field=_time, order=desc, limit=1000)

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection (ProcessRollup2) CrowdStrike Falcon Insight XDR CrowdStrike Falcon LogScale Windows collector (for Event 4698 coverage)

Required Tables

ProcessRollup2 SyntheticProcessRollup2

False Positives

CrowdStrike Falcon sensor itself and other CrowdStrike platform processes that invoke schtasks.exe during sensor updates, policy enforcement, or prevention policy application
Large-scale enterprise orchestration tools (Terraform, Ansible, Salt) executing under domain admin or SYSTEM credentials that schedule PowerShell-based tasks on remote hosts using the /s flag against known management servers
Software packaging and CI/CD pipelines invoking schtasks.exe to register post-install hooks or test fixture teardown tasks pointing to TEMP paths on developer or build agent machines

Last updated: 2026-04-16 Research depth: deep

References (12)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1053 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Scheduled Task/Job

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (5)

Same Tactic: Execution

Popular Detections