Detect Scheduled Task/Job in Google Chronicle
Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Adversaries use task scheduling to execute programs at system startup or on a scheduled basis for persistence, to run processes under elevated account contexts (such as SYSTEM), and to potentially mask one-time execution under a trusted system process. Sub-techniques cover Windows Task Scheduler (T1053.005), the legacy AT command (T1053.002), Unix cron (T1053.003), macOS launchd (T1053.004), Linux systemd timers (T1053.006), and container orchestration jobs (T1053.007).
MITRE ATT&CK
- Technique
- T1053 Scheduled Task/Job
- Canonical reference
- https://attack.mitre.org/techniques/T1053/
YARA-L Detection Query
rule t1053_scheduled_task_process_creation {
meta:
author = "Argus Detection Engineering"
description = "Detects suspicious schtasks.exe or at.exe process launches with SYSTEM context, suspicious paths, remote targeting, or script execution — indicative of T1053 Scheduled Task abuse"
mitre_attack_technique = "T1053"
mitre_attack_tactic = "Persistence, Privilege Escalation, Execution"
severity = "HIGH"
confidence = "HIGH"
version = "1.0"
events:
$e.metadata.event_type = "PROCESS_LAUNCH"
$e.target.process.file.full_path = /(?i)(\\schtasks\.exe$|\\at\.exe$)/
$e.target.process.command_line = /(?i)(\/create|\/change|-create|-change)/
(
$e.target.process.command_line = /(?i)(\/ru\s+system|nt\s+authority\\\\system)/ or
$e.target.process.command_line = /(?i)(appdata|\\temp\\|\\public\\|programdata|windows\\temp)/ or
$e.target.process.command_line = /(?i)(powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe|regsvr32\.exe|rundll32\.exe|certutil\.exe)/ or
$e.target.process.command_line = /\/s\s+[a-zA-Z0-9\-_.]+/ or
$e.target.process.command_line = /(?i)(-encodedcommand|-enc\s|-e\s|-ec\s|frombase64string)/
)
condition:
$e
}
rule t1053_scheduled_task_created_event_4698 {
meta:
author = "Argus Detection Engineering"
description = "Detects Windows Security Event 4698 (Scheduled Task Created) where the task action references script interpreters, suspicious paths, or encoded payloads — indicative of T1053 persistence"
mitre_attack_technique = "T1053"
mitre_attack_tactic = "Persistence, Privilege Escalation, Execution"
severity = "HIGH"
confidence = "HIGH"
version = "1.0"
events:
$e.metadata.event_type = "GENERIC_EVENT"
$e.metadata.product_event_type = "4698"
(
$e.target.resource.name = /(?i)(powershell|wscript|cscript|mshta|regsvr32|rundll32|certutil)/ or
$e.principal.user.userid = /(?i)(^system$|s-1-5-18)/ or
$e.target.resource.attribute.labels["task_action"] = /(?i)(appdata|\\temp\\|\\public\\|programdata|encodedcommand|frombase64string)/
)
condition:
$e
}Two Chronicle YARA-L 2.0 rules for T1053 Scheduled Task/Job detection. Rule 1 (t1053_scheduled_task_process_creation) matches PROCESS_LAUNCH events for schtasks.exe or at.exe with suspicious indicators across five dimensions. Rule 2 (t1053_scheduled_task_created_event_4698) matches GENERIC_EVENT type with product_event_type 4698 (Scheduled Task Created) where the task action contains script interpreter references, suspicious paths, or encoded payloads. Both rules target the UDM event model.
Data Sources
Required Tables
False Positives & Tuning
- Enterprise software deployment via SCCM or Microsoft Intune registering scheduled PowerShell runner tasks under SYSTEM context during device provisioning and policy enforcement
- Third-party AV and EDR products scheduling integrity check or update tasks referencing certutil.exe or scripts in ProgramData as part of normal agent lifecycle management
- Developer workstations running build automation or local CI scripts (MSBuild, npm, Gradle post-install hooks) that create schtasks entries with cmd.exe runners pointing to TEMP staging paths
Other platforms for T1053
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Create Scheduled Task Running as SYSTEM at Startup
Expected signal: Sysmon Event ID 1: schtasks.exe with CommandLine containing '/create', '/ru SYSTEM', '/sc onstart', and '/f'. Security Event ID 4698 in Windows Security log with TaskName=\Microsoft\Windows\df00tech-test and TaskPrincipal referencing SYSTEM (S-1-5-18). TaskScheduler Operational Event ID 106 (task registered). Task XML created at C:\Windows\System32\Tasks\Microsoft\Windows\df00tech-test.
- Test 2Scheduled Task with PowerShell Encoded Command Payload
Expected signal: Sysmon Event ID 1: powershell.exe executing Register-ScheduledTask via ScheduledTasks module. Security Event ID 4698 with TaskName=df00tech-encoded-test and Action Command=powershell.exe with '-EncodedCommand' in Arguments. TaskScheduler Operational Event ID 106. Task XML in C:\Windows\System32\Tasks\df00tech-encoded-test with Hidden=true and encoded argument visible in task XML.
- Test 3Remote Scheduled Task Creation via schtasks /s
Expected signal: Sysmon Event ID 1: schtasks.exe with CommandLine containing '/s 127.0.0.1' and '/create'. Sysmon Event ID 3: outbound network connection to 127.0.0.1 on port 445 (SMB) or 135 (RPC/DCOM) for remote task registration. Security Event ID 4648 (logon with explicit credentials) if /u and /p are provided. Security Event ID 4698 on the target for the new task.
- Test 4Linux Crontab Persistence — Download and Execute Pattern
Expected signal: Auditd: openat/write syscall to /var/spool/cron/crontabs/<username> or /tmp/crontab.XXXXXX (temp file used by crontab command). Process creation for 'crontab' binary with '-' as argument (reading from stdin). After 5 minutes: crond/cron spawns /bin/bash with the -c argument, creating /tmp/df00tech-cron-out.txt. Syslog shows cron job execution: 'CRON[PID]: (user) CMD (/bin/bash -c ...'.
- Test 5Scheduled Task via XML Import — Masquerading as Windows Component
Expected signal: Sysmon Event ID 1: schtasks.exe with CommandLine containing '/xml' and task name under \Microsoft\Windows\WindowsDefender\. Sysmon Event ID 11: XML file creation in %TEMP%. Security Event ID 4698 with full task XML in EventData — shows Hidden=true, 5-minute repeating trigger, and cmd.exe action. TaskScheduler Operational Event 106. Task XML persisted at C:\Windows\System32\Tasks\Microsoft\Windows\WindowsDefender\df00tech-DefenderUpdate.
References (12)
- https://attack.mitre.org/techniques/T1053/
- https://docs.microsoft.com/en-us/windows/win32/taskschd/task-scheduler-start-page
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4698
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/taskscheduler
- https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain
- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
- https://research.nccgroup.com/2021/01/12/abusing-task-scheduler-for-persistence/
- https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
- https://www.mandiant.com/resources/blog/apt41-us-state-governments
- https://technet.microsoft.com/en-us/library/cc785125.aspx
Unlock Pro Content
Get the full detection package for T1053 including response playbook, investigation guide, and atomic red team tests.