T1053.005 Elastic Security · Elastic

Detect Scheduled Task in Elastic Security

Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. Attackers use schtasks.exe, the Task Scheduler GUI, .NET wrappers, WMI (via Win32_ScheduledJob or PS_ScheduledTask), or direct registry manipulation to create, modify, or delete scheduled tasks. Tasks can run under any account context including SYSTEM, enabling privilege escalation. Adversaries also create hidden tasks by deleting the Security Descriptor (SD) registry value, making tasks invisible to standard enumeration tools.

MITRE ATT&CK

Tactic
Execution Persistence Privilege Escalation
Technique
T1053 Scheduled Task/Job
Sub-technique
T1053.005 Scheduled Task
Canonical reference
https://attack.mitre.org/techniques/T1053/005/

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by host.name with maxspan=5m
[
  any where event.category == "process" and
  process.name : "schtasks.exe" and
  (
    process.args : ("/create", "/change") and
    (
      process.args : ("*\\AppData\\*", "*\\Temp\\*", "*\\ProgramData\\*", "*\\Public\\*", "%temp%", "%appdata%", "%public%") or
      process.args : ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "msbuild.exe", "wmic.exe", "msiexec.exe") or
      process.args : ("/ru system", "/ru SYSTEM", "/ru \"NT AUTHORITY\\SYSTEM\"") or
      process.args : "/s " or
      process.args : ("/sc onlogon", "/sc onstartup", "/sc onstart") or
      process.args : ("/sc minute", "/sc hourly") or
      process.parent.name : ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "msiexec.exe", "wmic.exe", "winword.exe", "excel.exe", "outlook.exe", "acrord32.exe", "msedge.exe", "chrome.exe", "firefox.exe")
    )
  )
]

OR

sequence by host.name with maxspan=1m
[
  any where event.category == "registry" and
  event.type in ("creation", "change") and
  registry.path : "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\*" and
  not process.name : ("svchost.exe", "taskeng.exe", "taskhostw.exe")
]
high severity high confidence

Detects Windows Scheduled Task abuse (T1053.005) via schtasks.exe process creation with suspicious arguments or parent processes, and direct Task Scheduler registry manipulation. Covers schtasks /create and /change operations targeting suspicious locations or binaries, high-privilege task scheduling (/ru SYSTEM), remote task creation (/s), logon/startup triggers, high-frequency scheduling, suspicious parent processes (Office apps, browsers, script engines), and unauthorized registry writes to the TaskCache key.

Data Sources

Windows Sysmon (Event ID 1 - Process Create)Windows Security Log (Event ID 4688 - Process Create, 4698 - Task Created, 4702 - Task Updated)Elastic Endpoint Security agentWindows Registry events (Sysmon Event ID 12/13)

Required Tables

logs-endpoint.events.process-*logs-endpoint.events.registry-*logs-windows.sysmon_operational-*logs-system.security-*

False Positives & Tuning

  • Legitimate software installers (e.g., Adobe, Microsoft updaters) that use schtasks.exe to register maintenance tasks in ProgramData or AppData during installation.
  • System administrators and IT automation tools (Ansible, SCCM, PDQ Deploy) creating scheduled tasks via scripts, which may run under SYSTEM context or use PowerShell as a parent process.
  • Security and monitoring software (e.g., CrowdStrike, Carbon Black, Qualys) that creates recurring scheduled tasks using schtasks.exe with elevated privileges.
  • Developer CI/CD pipelines running on Windows build agents that invoke schtasks.exe as part of automated build or deployment scripts.
Download portable Sigma rule (.yml)

Other platforms for T1053.005

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Create Persistence Scheduled Task Running as SYSTEM

    Expected signal: Sysmon Event ID 1: Process Create with Image=schtasks.exe, CommandLine containing '/create', '/tn WindowsSystemCheck', '/ru SYSTEM', '/sc onstart'. Security Event ID 4688 (if command line auditing enabled). Security Event ID 4698 (Scheduled Task Created) in Security log with task XML showing SYSTEM principal. Registry key created under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\ (ONSTART trigger).

  2. Test 2Scheduled Task with PowerShell Download Cradle Action

    Expected signal: Sysmon Event ID 1: schtasks.exe with full command line including the PowerShell cradle. Security Event ID 4698 with task XML showing PowerShell action with hidden window and download cradle. Task XML file written to C:\Windows\System32\Tasks\MicrosoftEdgeUpdateCheck. Registry entries created under TaskCache\Logon\.

  3. Test 3Scheduled Task Created via PowerShell (Invoke-CimMethod)

    Expected signal: Sysmon Event ID 1: powershell.exe process with command line containing Register-ScheduledTask. Security Event ID 4698: Scheduled Task Created (WmiTaskTest). Sysmon Event ID 13: Registry value written to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\ by powershell.exe (not svchost.exe). Task XML file written to C:\Windows\System32\Tasks\WmiTaskTest.

  4. Test 4Hidden Scheduled Task via SD Registry Value Deletion

    Expected signal: Sysmon Event ID 1: schtasks.exe creating the task. Sysmon Event ID 14 (Registry Key/Value Deleted): TargetObject = HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\HiddenPersistTask\SD, Image = reg.exe. Security Event ID 4698: task created. After SD deletion, task is absent from schtasks /query but still active in TaskCache.

  5. Test 5Remote Scheduled Task Creation for Lateral Movement

    Expected signal: Sysmon Event ID 1: schtasks.exe with CommandLine containing '/s 127.0.0.1', '/ru SYSTEM', '/create'. Security Event ID 4698: Scheduled Task Created on target (local) system. Network connection attempt to localhost Task Scheduler RPC interface (port 135/dynamic RPC). Security Event ID 4648 (Logon with explicit credentials) if alternate credentials used.

Last updated: 2026-04-16 Research depth: deep
References (11)

Unlock Pro Content

Get the full detection package for T1053.005 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1053Scheduled Task/Job

Related Sub-techniques

T1053.002AtT1053.003CronT1053.006Systemd TimersT1053.007Container Orchestration Job

Related Techniques

T1053Scheduled Task/JobT1059.001PowerShellT1059.003Windows Command ShellT1047Windows Management InstrumentationT1564.001Hidden Files and DirectoriesT1564Hide ArtifactsT1078Valid AccountsT1021.002SMB/Windows Admin SharesT1218System Binary Proxy ExecutionT1055Process InjectionT1112Modify RegistryT1562.001Disable or Modify Tools

Same Tactic: Execution

Popular Detections