T1053 Elastic Security · Elastic

Detect Scheduled Task/Job in Elastic Security

Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Adversaries use task scheduling to execute programs at system startup or on a scheduled basis for persistence, to run processes under elevated account contexts (such as SYSTEM), and to potentially mask one-time execution under a trusted system process. Sub-techniques cover Windows Task Scheduler (T1053.005), the legacy AT command (T1053.002), Unix cron (T1053.003), macOS launchd (T1053.004), Linux systemd timers (T1053.006), and container orchestration jobs (T1053.007).

MITRE ATT&CK

Tactic
Execution Persistence Privilege Escalation
Technique
T1053 Scheduled Task/Job
Canonical reference
https://attack.mitre.org/techniques/T1053/

Elastic Detection Query

Elastic Security (Elastic)
eql 
/* Branch 1: schtasks.exe / at.exe process creation with suspicious indicators */
process where host.os.type == "windows" and
  event.type == "start" and
  process.name : ("schtasks.exe", "at.exe") and
  process.command_line : ("* /create *", "* /change *", "*-create *", "*-change *") and
  (
    process.command_line : ("*/ru SYSTEM*", "*/ru \"NT AUTHORITY*") or
    process.command_line : ("*AppData*", "*\\Temp\\*", "*\\Public\\*", "*ProgramData*", "*Windows\\Temp*") or
    process.command_line : ("*/s *") or
    process.command_line : ("*powershell*", "*wscript*", "*cscript*", "*mshta*", "*regsvr32*", "*rundll32*", "*certutil*") or
    process.command_line : ("*-EncodedCommand*", "*-enc *", "*-e *", "*FromBase64String*")
  )

/* Branch 2: Windows Security Event 4698 - Scheduled Task Created with suspicious content */
/* Deploy as a second rule targeting winlogbeat-* or logs-windows.security indices */
/*
any where host.os.type == "windows" and
  event.code == "4698" and
  (
    winlog.event_data.TaskContent : ("*powershell*", "*wscript*", "*cscript*", "*mshta*", "*regsvr32*", "*rundll32*", "*certutil*") or
    winlog.event_data.TaskContent : ("*AppData*", "*\\Temp\\*", "*\\Public\\*", "*ProgramData*") or
    winlog.event_data.TaskContent : ("*S-1-5-18*", "*\\SYSTEM*", "*EncodedCommand*", "*FromBase64String*")
  )
*/
high severity high confidence

Detects T1053 Scheduled Task/Job abuse via two branches: (1) suspicious schtasks.exe or at.exe process creation identified by SYSTEM context, suspicious staging paths, remote task targeting (/s flag), or script interpreter invocation; (2) Windows Security Event 4698 (Scheduled Task Created) with malicious command or path content in the task XML body. Uses ECS field model against Elastic Endpoint or Winlogbeat data streams.

Data Sources

Elastic Endpoint SecurityWinlogbeat (Windows Security Event Log)Elastic Agent (Windows integration)

Required Tables

logs-endpoint.events.process-*winlogbeat-*logs-windows.security-*

False Positives & Tuning

  • Legitimate IT management platforms (SCCM, Ansible, PDQ Deploy) that create scheduled tasks using PowerShell runners during software deployment workflows
  • Software installers (Adobe, antivirus vendors, backup agents such as Veeam) that schedule update or maintenance tasks pointing to AppData or ProgramData staging paths
  • Authorized sysadmin scripts invoking schtasks.exe /create /ru SYSTEM for service account maintenance tasks, and remote administration via /s targeting known servers
Download portable Sigma rule (.yml)

Other platforms for T1053

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Create Scheduled Task Running as SYSTEM at Startup

    Expected signal: Sysmon Event ID 1: schtasks.exe with CommandLine containing '/create', '/ru SYSTEM', '/sc onstart', and '/f'. Security Event ID 4698 in Windows Security log with TaskName=\Microsoft\Windows\df00tech-test and TaskPrincipal referencing SYSTEM (S-1-5-18). TaskScheduler Operational Event ID 106 (task registered). Task XML created at C:\Windows\System32\Tasks\Microsoft\Windows\df00tech-test.

  2. Test 2Scheduled Task with PowerShell Encoded Command Payload

    Expected signal: Sysmon Event ID 1: powershell.exe executing Register-ScheduledTask via ScheduledTasks module. Security Event ID 4698 with TaskName=df00tech-encoded-test and Action Command=powershell.exe with '-EncodedCommand' in Arguments. TaskScheduler Operational Event ID 106. Task XML in C:\Windows\System32\Tasks\df00tech-encoded-test with Hidden=true and encoded argument visible in task XML.

  3. Test 3Remote Scheduled Task Creation via schtasks /s

    Expected signal: Sysmon Event ID 1: schtasks.exe with CommandLine containing '/s 127.0.0.1' and '/create'. Sysmon Event ID 3: outbound network connection to 127.0.0.1 on port 445 (SMB) or 135 (RPC/DCOM) for remote task registration. Security Event ID 4648 (logon with explicit credentials) if /u and /p are provided. Security Event ID 4698 on the target for the new task.

  4. Test 4Linux Crontab Persistence — Download and Execute Pattern

    Expected signal: Auditd: openat/write syscall to /var/spool/cron/crontabs/<username> or /tmp/crontab.XXXXXX (temp file used by crontab command). Process creation for 'crontab' binary with '-' as argument (reading from stdin). After 5 minutes: crond/cron spawns /bin/bash with the -c argument, creating /tmp/df00tech-cron-out.txt. Syslog shows cron job execution: 'CRON[PID]: (user) CMD (/bin/bash -c ...'.

  5. Test 5Scheduled Task via XML Import — Masquerading as Windows Component

    Expected signal: Sysmon Event ID 1: schtasks.exe with CommandLine containing '/xml' and task name under \Microsoft\Windows\WindowsDefender\. Sysmon Event ID 11: XML file creation in %TEMP%. Security Event ID 4698 with full task XML in EventData — shows Hidden=true, 5-minute repeating trigger, and cmd.exe action. TaskScheduler Operational Event 106. Task XML persisted at C:\Windows\System32\Tasks\Microsoft\Windows\WindowsDefender\df00tech-DefenderUpdate.

Last updated: 2026-04-16 Research depth: deep
References (12)

Unlock Pro Content

Get the full detection package for T1053 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Sub-techniques (5)

Related Techniques

T1053.002AtT1053.003CronT1053.004LaunchdT1053.005Scheduled TaskT1053.006Systemd TimersT1053.007Container Orchestration JobT1059.001PowerShellT1059.003Windows Command ShellT1078Valid AccountsT1218System Binary Proxy ExecutionT1021.002SMB/Windows Admin SharesT1547Boot or Logon Autostart Execution

Same Tactic: Execution

Popular Detections