Which SIEM platforms have a T1053.005 detection rule?

df00tech provides T1053.005 (Scheduled Task) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Scheduled Task (T1053.005)?

Detecting Scheduled Task requires the following data sources: Process: Process Creation, Registry: Registry Key Creation, Registry: Registry Value Modification, Microsoft Defender for Endpoint.

What severity and confidence is the T1053.005 detection?

The T1053.005 detection is rated high severity with high confidence.

What are common false positives for T1053.005?

Common false positives for T1053.005 include: Software installers and patch management tools (SCCM, Intune, PDQ Deploy) that create scheduled tasks as part of software deployment workflows; Legitimate IT automation and monitoring agents (SolarWinds, Nagios, Datadog, Ansible) that create or modify scheduled tasks for health checks and data collection; Antivirus and endpoint security products creating scheduled tasks for definition updates, scans, and health monitoring.

T1053.005 IBM QRadar · QRadar

Detect Scheduled Task in IBM QRadar

Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. Attackers use schtasks.exe, the Task Scheduler GUI, .NET wrappers, WMI (via Win32_ScheduledJob or PS_ScheduledTask), or direct registry manipulation to create, modify, or delete scheduled tasks. Tasks can run under any account context including SYSTEM, enabling privilege escalation. Adversaries also create hidden tasks by deleting the Security Descriptor (SD) registry value, making tasks invisible to standard enumeration tools.

MITRE ATT&CK

Tactic: Execution Persistence Privilege Escalation
Technique: T1053 Scheduled Task/Job
Sub-technique: T1053.005 Scheduled Task
Canonical reference: https://attack.mitre.org/techniques/T1053/005/

QRadar Detection Query

IBM QRadar (QRadar)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  QIDNAME(qid) AS event_name,
  sourceip,
  username,
  "Process Name" AS process_name,
  "Command" AS command_line,
  "Parent Process Name" AS parent_process,
  "Task Name" AS task_name,
  CASE
    WHEN LOWER("Command") LIKE '%/create%' OR LOWER("Command") LIKE '%/change%' THEN 1 ELSE 0 END +
  CASE
    WHEN LOWER("Command") LIKE '%/ru system%' OR LOWER("Command") LIKE '%nt authority\\system%' THEN 1 ELSE 0 END +
  CASE
    WHEN LOWER("Command") LIKE '%appdata%' OR LOWER("Command") LIKE '%\\temp\\%'
      OR LOWER("Command") LIKE '%programdata%' OR LOWER("Command") LIKE '%\\public\\%' THEN 1 ELSE 0 END +
  CASE
    WHEN LOWER("Command") LIKE '%powershell%' OR LOWER("Command") LIKE '%cmd.exe%'
      OR LOWER("Command") LIKE '%wscript%' OR LOWER("Command") LIKE '%cscript%'
      OR LOWER("Command") LIKE '%mshta%' OR LOWER("Command") LIKE '%rundll32%'
      OR LOWER("Command") LIKE '%regsvr32%' OR LOWER("Command") LIKE '%certutil%'
      OR LOWER("Command") LIKE '%bitsadmin%' OR LOWER("Command") LIKE '%msbuild%'
      OR LOWER("Command") LIKE '%wmic%' OR LOWER("Command") LIKE '%msiexec%' THEN 1 ELSE 0 END +
  CASE
    WHEN LOWER("Command") LIKE '%/sc onlogon%' OR LOWER("Command") LIKE '%/sc onstartup%'
      OR LOWER("Command") LIKE '%/sc onstart%' THEN 1 ELSE 0 END +
  CASE
    WHEN LOWER("Command") LIKE '%/sc minute%' OR LOWER("Command") LIKE '%/sc hourly%' THEN 1 ELSE 0 END +
  CASE
    WHEN LOWER("Command") LIKE '%/s %' THEN 1 ELSE 0 END +
  CASE
    WHEN LOWER("Parent Process Name") LIKE '%powershell%' OR LOWER("Parent Process Name") LIKE '%wscript%'
      OR LOWER("Parent Process Name") LIKE '%cscript%' OR LOWER("Parent Process Name") LIKE '%mshta%'
      OR LOWER("Parent Process Name") LIKE '%rundll32%' OR LOWER("Parent Process Name") LIKE '%winword%'
      OR LOWER("Parent Process Name") LIKE '%excel%' OR LOWER("Parent Process Name") LIKE '%outlook%'
      OR LOWER("Parent Process Name") LIKE '%chrome%' OR LOWER("Parent Process Name") LIKE '%firefox%'
      OR LOWER("Parent Process Name") LIKE '%msedge%' THEN 2 ELSE 0 END +
  CASE
    WHEN eventid IN (4698, 4702) THEN 2 ELSE 0 END
  AS suspicion_score,
  eventid
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (
    12 /* Microsoft Windows Security Event Log */,
    25 /* Sysmon */
  )
  AND starttime > NOW() - 24 HOURS
  AND (
    (LOWER("Process Name") LIKE '%schtasks.exe%' AND eventid IN (1, 4688))
    OR eventid IN (4698, 4702)
  )
  AND (
    (
      (LOWER("Command") LIKE '%/create%' OR LOWER("Command") LIKE '%/change%')
      AND (
        LOWER("Command") LIKE '%appdata%'
        OR LOWER("Command") LIKE '%\\temp\\%'
        OR LOWER("Command") LIKE '%programdata%'
        OR LOWER("Command") LIKE '%\\public\\%'
        OR LOWER("Command") LIKE '%powershell%'
        OR LOWER("Command") LIKE '%cmd.exe%'
        OR LOWER("Command") LIKE '%wscript%'
        OR LOWER("Command") LIKE '%cscript%'
        OR LOWER("Command") LIKE '%mshta%'
        OR LOWER("Command") LIKE '%rundll32%'
        OR LOWER("Command") LIKE '%regsvr32%'
        OR LOWER("Command") LIKE '%certutil%'
        OR LOWER("Command") LIKE '%bitsadmin%'
        OR LOWER("Command") LIKE '%/ru system%'
        OR LOWER("Command") LIKE '%/sc onlogon%'
        OR LOWER("Command") LIKE '%/sc minute%'
        OR LOWER("Command") LIKE '%/s %'
      )
    )
    OR LOWER("Parent Process Name") LIKE '%powershell%'
    OR LOWER("Parent Process Name") LIKE '%wscript%'
    OR LOWER("Parent Process Name") LIKE '%cscript%'
    OR LOWER("Parent Process Name") LIKE '%mshta%'
    OR LOWER("Parent Process Name") LIKE '%rundll32%'
    OR LOWER("Parent Process Name") LIKE '%winword%'
    OR LOWER("Parent Process Name") LIKE '%excel%'
    OR LOWER("Parent Process Name") LIKE '%outlook%'
    OR LOWER("Parent Process Name") LIKE '%chrome%'
    OR LOWER("Parent Process Name") LIKE '%firefox%'
    OR LOWER("Parent Process Name") LIKE '%msedge%'
    OR eventid IN (4698, 4702)
  )
ORDER BY suspicion_score DESC, starttime DESC

high severity high confidence

Detects Windows Scheduled Task abuse (T1053.005) by correlating Windows Security Event Log entries (EventIDs 4688, 4698, 4702) and Sysmon process creation events involving schtasks.exe. Calculates a suspicion score based on suspicious command-line arguments (run-as SYSTEM, suspicious binary paths, logon/startup triggers, high-frequency scheduling, remote task creation), suspicious parent processes (Office applications, browsers, script interpreters), and native task scheduler audit events (4698=task created, 4702=task modified). Results are ranked by suspicion score to surface highest-confidence detections first.

Data Sources

Microsoft Windows Security Event Log (EventIDs 4688, 4698, 4702)Sysmon Operational Log (EventID 1 - Process Create)QRadar Windows Custom Properties for Command, Parent Process Name, Task Name

Required Tables

events

False Positives & Tuning

Enterprise software deployment tools such as SCCM, Intune, or PDQ Deploy that programmatically create scheduled tasks for software maintenance using schtasks.exe under SYSTEM context.
Legitimate scheduled tasks created by system administrators via PowerShell scripts or automation frameworks (Ansible, Puppet) where PowerShell is the parent process of schtasks.exe.
Software update mechanisms from vendors like Adobe, Java, or Microsoft Teams that register scheduled tasks in AppData or ProgramData directories during software installation or update cycles.
Monitoring and backup agents (Veeam, Acronis, SolarWinds) that create high-frequency scheduled tasks (minute/hourly) for health checks or incremental backups.

Download portable Sigma rule (.yml)

Other platforms for T1053.005

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Create Persistence Scheduled Task Running as SYSTEM
Expected signal: Sysmon Event ID 1: Process Create with Image=schtasks.exe, CommandLine containing '/create', '/tn WindowsSystemCheck', '/ru SYSTEM', '/sc onstart'. Security Event ID 4688 (if command line auditing enabled). Security Event ID 4698 (Scheduled Task Created) in Security log with task XML showing SYSTEM principal. Registry key created under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\ (ONSTART trigger).
Test 2Scheduled Task with PowerShell Download Cradle Action
Expected signal: Sysmon Event ID 1: schtasks.exe with full command line including the PowerShell cradle. Security Event ID 4698 with task XML showing PowerShell action with hidden window and download cradle. Task XML file written to C:\Windows\System32\Tasks\MicrosoftEdgeUpdateCheck. Registry entries created under TaskCache\Logon\.
Test 3Scheduled Task Created via PowerShell (Invoke-CimMethod)
Expected signal: Sysmon Event ID 1: powershell.exe process with command line containing Register-ScheduledTask. Security Event ID 4698: Scheduled Task Created (WmiTaskTest). Sysmon Event ID 13: Registry value written to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\ by powershell.exe (not svchost.exe). Task XML file written to C:\Windows\System32\Tasks\WmiTaskTest.
Test 4Hidden Scheduled Task via SD Registry Value Deletion
Expected signal: Sysmon Event ID 1: schtasks.exe creating the task. Sysmon Event ID 14 (Registry Key/Value Deleted): TargetObject = HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\HiddenPersistTask\SD, Image = reg.exe. Security Event ID 4698: task created. After SD deletion, task is absent from schtasks /query but still active in TaskCache.
Test 5Remote Scheduled Task Creation for Lateral Movement
Expected signal: Sysmon Event ID 1: schtasks.exe with CommandLine containing '/s 127.0.0.1', '/ru SYSTEM', '/create'. Security Event ID 4698: Scheduled Task Created on target (local) system. Network connection attempt to localhost Task Scheduler RPC interface (port 135/dynamic RPC). Security Event ID 4648 (Logon with explicit credentials) if alternate credentials used.

Last updated: 2026-04-16 Research depth: deep

References (11)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1053.005 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Detect Scheduled Task in IBM QRadar

MITRE ATT&CK

QRadar Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1053.005

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Execution

Popular Detections

MITRE ATT&CK

QRadar Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1053.005

Testing Methodology

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Execution

Popular Detections

Get new detections in your inbox