T1053.005 Google Chronicle · YARA-L

Detect Scheduled Task in Google Chronicle

Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. Attackers use schtasks.exe, the Task Scheduler GUI, .NET wrappers, WMI (via Win32_ScheduledJob or PS_ScheduledTask), or direct registry manipulation to create, modify, or delete scheduled tasks. Tasks can run under any account context including SYSTEM, enabling privilege escalation. Adversaries also create hidden tasks by deleting the Security Descriptor (SD) registry value, making tasks invisible to standard enumeration tools.

MITRE ATT&CK

Tactic: Execution, Persistence, Privilege Escalation
Technique: T1053 Scheduled Task/Job
Sub-technique: T1053.005 Scheduled Task
Canonical reference: https://attack.mitre.org/techniques/T1053/005/

YARA-L Detection Query

Google Chronicle (YARA-L)
```yaral
rule mitre_t1053_005_scheduled_task_abuse {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects Windows Scheduled Task abuse via schtasks.exe with suspicious arguments or parent processes, and direct Task Scheduler registry manipulation (T1053.005)"
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Persistence, Privilege Escalation"
    mitre_attack_technique = "T1053.005"
    reference = "https://attack.mitre.org/techniques/T1053/005/"
    platform = "Windows"
    version = "1.0"
    created = "2026-04-16"

  events:
    // Match schtasks.exe process creation events
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.target.process.file.full_path = /(?i)schtasks\.exe$/
    (
      // Branch 1: Suspicious schtasks arguments — create or change with indicators
      (
        (
          re.regex($e.target.process.command_line, `(?i)/create|/change`)
        )
        and
        (
          re.regex($e.target.process.command_line, `(?i)\\AppData\\|\\Temp\\|\\ProgramData\\|\\Public\\|%temp%|%appdata%|%public%`) or
          re.regex($e.target.process.command_line, `(?i)cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|msbuild\.exe|wmic\.exe|msiexec\.exe`) or
          re.regex($e.target.process.command_line, `(?i)/ru\s+(system|"system"|"nt authority\\system")`) or
          re.regex($e.target.process.command_line, `(?i)/s\s+`) or
          re.regex($e.target.process.command_line, `(?i)/sc\s+(onlogon|onstartup|onstart)`) or
          re.regex($e.target.process.command_line, `(?i)/sc\s+(minute|hourly)`)
        )
      )
      or
      // Branch 2: Suspicious parent process spawning schtasks
      re.regex($e.principal.process.file.full_path, `(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|msiexec\.exe|wmic\.exe|winword\.exe|excel\.exe|outlook\.exe|acrord32\.exe|msedge\.exe|chrome\.exe|firefox\.exe)$`)
    )

    $e.principal.hostname = $hostname

  condition:
    $e
}

rule mitre_t1053_005_scheduled_task_registry_manipulation {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects unauthorized Task Scheduler registry writes to TaskCache key, indicating hidden or programmatically created scheduled tasks (T1053.005)"
    severity = "MEDIUM"
    priority = "MEDIUM"
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "T1053.005"
    reference = "https://attack.mitre.org/techniques/T1053/005/"
    platform = "Windows"
    version = "1.0"
    created = "2026-04-16"

  events:
    $r.metadata.event_type = "REGISTRY_MODIFICATION"
    re.regex($r.target.registry.registry_key, `(?i)\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\`)
    not re.regex($r.principal.process.file.full_path, `(?i)(svchost\.exe|taskeng\.exe|taskhostw\.exe)$`)

    $r.principal.hostname = $hostname

  condition:
    $r
}
```

Two complementary YARA-L 2.0 rules for detecting Windows Scheduled Task abuse (T1053.005). Rule 1 targets schtasks.exe process launch events with suspicious command-line arguments (suspicious file locations, LOLBin invocations, SYSTEM run-as context, remote task creation, logon/startup triggers, high-frequency scheduling) or suspicious parent processes (Office apps, browsers, script interpreters). Rule 2 detects unauthorized Task Scheduler registry writes to the TaskCache key from processes other than legitimate scheduler infrastructure (svchost, taskeng, taskhostw), which can indicate hidden task creation or direct registry manipulation used to evade standard enumeration.
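To check the branch logic of the two rules before pushing them to Chronicle, the following is an added Python re-implementation (example code written for this page, not the df00tech rules themselves) that evaluates the same regular expressions over constructed UDM-style events; the dictionary keys target_path, principal_path, command_line and registry_key stand in for the corresponding UDM fields, and the sample events are constructed to mirror the Testing Methodology section.

```python
import re
# Added example, not part of the df00tech rules: the two YARA-L rules' matching logic in Python so the
# branches can be unit-tested offline. Keys mirror UDM: target_path/principal_path = *.process.file.full_path.
SUSPICIOUS_PATHS = re.compile(r"(?i)\\AppData\\|\\Temp\\|\\ProgramData\\|\\Public\\|%temp%|%appdata%|%public%")
LOLBINS = re.compile(r"(?i)cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe"
                     r"|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|msbuild\.exe|wmic\.exe|msiexec\.exe")
RUN_AS_SYSTEM = re.compile(r'(?i)/ru\s+(system|"system"|"nt authority\\system")')
REMOTE_HOST = re.compile(r"(?i)/s\s+")
TRIGGERS = re.compile(r"(?i)/sc\s+(onlogon|onstartup|onstart|minute|hourly)")
SUSPICIOUS_PARENT = re.compile(r"(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe"
                               r"|regsvr32\.exe|msiexec\.exe|wmic\.exe|winword\.exe|excel\.exe|outlook\.exe|acrord32\.exe"
                               r"|msedge\.exe|chrome\.exe|firefox\.exe)$")
TASKCACHE = re.compile(r"(?i)\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\")
SCHEDULER_BINARIES = re.compile(r"(?i)(svchost\.exe|taskeng\.exe|taskhostw\.exe)$")

def schtasks_abuse(ev):
    """Rule 1: returns the matching branch ('arguments' or 'parent'), or None."""
    if ev.get("event_type") != "PROCESS_LAUNCH" or not re.search(r"(?i)schtasks\.exe$", ev.get("target_path", "")):
        return None
    cmd = ev.get("command_line", "")
    if re.search(r"(?i)/create|/change", cmd) and any(
            p.search(cmd) for p in (SUSPICIOUS_PATHS, LOLBINS, RUN_AS_SYSTEM, REMOTE_HOST, TRIGGERS)):
        return "arguments"
    return "parent" if SUSPICIOUS_PARENT.search(ev.get("principal_path", "")) else None

def taskcache_write(ev):
    """Rule 2: True when a process other than the scheduler service writes under TaskCache."""
    return (ev.get("event_type") == "REGISTRY_MODIFICATION"
            and TASKCACHE.search(ev.get("registry_key", "")) is not None
            and SCHEDULER_BINARIES.search(ev.get("principal_path", "")) is None)

# Constructed sample events modelled on the Testing Methodology section (not real telemetry).
SCHTASKS = r"C:\Windows\System32\schtasks.exe"
SAMPLE_EVENTS = [
    {"event_type": "PROCESS_LAUNCH", "target_path": SCHTASKS, "principal_path": r"C:\Windows\explorer.exe",
     "command_line": r"schtasks /create /tn WindowsSystemCheck /tr C:\Users\Public\upd.exe /ru SYSTEM /sc onstart"},
    {"event_type": "PROCESS_LAUNCH", "target_path": SCHTASKS, "principal_path": r"C:\Office\WINWORD.EXE",
     "command_line": "schtasks /query"},
    {"event_type": "PROCESS_LAUNCH", "target_path": SCHTASKS, "principal_path": r"C:\Windows\explorer.exe",
     "command_line": "schtasks /query /tn Backup"},
    {"event_type": "REGISTRY_MODIFICATION", "principal_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "registry_key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{placeholder-guid}"},
    {"event_type": "REGISTRY_MODIFICATION", "principal_path": r"C:\Windows\System32\svchost.exe",
     "registry_key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Backup"},
]

def evaluate(events):
    """Run both rules over a list of events; one (index, rule, detail) tuple per alert, sorted by index."""
    return sorted([(i, "scheduled_task_abuse", schtasks_abuse(ev)) for i, ev in enumerate(events) if schtasks_abuse(ev)]
                  + [(i, "registry_manipulation", ev["registry_key"]) for i, ev in enumerate(events) if taskcache_write(ev)])
```

Events 2 and 4 (a plain schtasks /query from explorer.exe and a TaskCache write by svchost.exe) produce no alert, which is the behaviour the exclusions in the rules are meant to give.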

Data Sources

  • Google Chronicle UDM via Windows Event Forwarding (WEF)
  • Sysmon logs forwarded to Chronicle (Event ID 1 - Process Create, Event ID 12/13 - Registry)
  • Windows Security Event Log via Chronicle ingestion (Event ID 4688, 4698, 4702)
  • Chronicle Endpoint Detection sensor

Required Tables

  • UDM events with metadata.event_type = PROCESS_LAUNCH
  • UDM events with metadata.event_type = REGISTRY_MODIFICATION

False Positives & Tuning

  • Legitimate software installation processes that register scheduled tasks via PowerShell or script engines as part of their setup routines — particularly common with enterprise software suites.
  • System management tools (SCCM, Group Policy) that write directly to the Task Scheduler registry keys to deploy tasks across managed endpoints.
  • Security software such as EDR agents and antivirus solutions that create high-frequency scheduled tasks for signature updates or health telemetry, potentially triggering the /sc minute or /sc hourly indicators.
  • Developer workstations where build tools (MSBuild) or automation frameworks invoke schtasks.exe as part of CI pipeline test fixtures or developer environment setup scripts.

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Create Persistence Scheduled Task Running as SYSTEM

    Expected signal: Sysmon Event ID 1: Process Create with Image=schtasks.exe, CommandLine containing '/create', '/tn WindowsSystemCheck', '/ru SYSTEM', '/sc onstart'. Security Event ID 4688 (if command line auditing enabled). Security Event ID 4698 (Scheduled Task Created) in Security log with task XML showing SYSTEM principal. Registry key created under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\ (ONSTART trigger).

  2. Test 2: Scheduled Task with PowerShell Download Cradle Action

    Expected signal: Sysmon Event ID 1: schtasks.exe with full command line including the PowerShell cradle. Security Event ID 4698 with task XML showing PowerShell action with hidden window and download cradle. Task XML file written to C:\Windows\System32\Tasks\MicrosoftEdgeUpdateCheck. Registry entries created under TaskCache\Logon\.

  3. Test 3: Scheduled Task Created via PowerShell (Invoke-CimMethod)

    Expected signal: Sysmon Event ID 1: powershell.exe process with command line containing Register-ScheduledTask. Security Event ID 4698: Scheduled Task Created (WmiTaskTest). Sysmon Event ID 13: Registry value written to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\ by powershell.exe (not svchost.exe). Task XML file written to C:\Windows\System32\Tasks\WmiTaskTest.

  4. Test 4: Hidden Scheduled Task via SD Registry Value Deletion

    Expected signal: Sysmon Event ID 1: schtasks.exe creating the task. Sysmon Event ID 14 (Registry Key/Value Deleted): TargetObject = HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\HiddenPersistTask\SD, Image = reg.exe. Security Event ID 4698: task created. After SD deletion, task is absent from schtasks /query but still active in TaskCache.

  5. Test 5: Remote Scheduled Task Creation for Lateral Movement

    Expected signal: Sysmon Event ID 1: schtasks.exe with CommandLine containing '/s 127.0.0.1', '/ru SYSTEM', '/create'. Security Event ID 4698: Scheduled Task Created on target (local) system. Network connection attempt to localhost Task Scheduler RPC interface (port 135/dynamic RPC). Security Event ID 4648 (Logon with explicit credentials) if alternate credentials used.
