T1053 IBM QRadar · QRadar

Detect Scheduled Task/Job in IBM QRadar

Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Adversaries use task scheduling to execute programs at system startup or on a scheduled basis for persistence, to run processes under elevated account contexts (such as SYSTEM), and to potentially mask one-time execution under a trusted system process. Sub-techniques cover Windows Task Scheduler (T1053.005), the legacy AT command (T1053.002), Unix cron (T1053.003), macOS launchd (T1053.004), Linux systemd timers (T1053.006), and container orchestration jobs (T1053.007).

MITRE ATT&CK

Tactic
Execution Persistence Privilege Escalation
Technique
T1053 Scheduled Task/Job
Canonical reference
https://attack.mitre.org/techniques/T1053/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  LOGSOURCENAME(logsourceid) AS log_source,
  sourceip AS source_ip,
  username,
  QIDNAME(qid) AS event_name,
  CATEGORYNAME(category) AS category_name,
  "Process Name" AS process_name,
  "Command" AS command_line,
  "Parent Process Name" AS parent_process_name
FROM events
WHERE
  LOGSOURCETYPEID(devicetype) IN (
    12,   /* Microsoft Windows Security Event Log */
    145   /* Microsoft Windows Sysmon */
  )
  AND starttime > (CURRENT_TIMESTAMP - 86400000)
  AND (
    /* Branch 1: schtasks.exe or at.exe process creation with suspicious indicators */
    (
      (
        LOWER("Process Name") LIKE '%schtasks.exe%'
        OR LOWER("Process Name") LIKE '%at.exe%'
      )
      AND (
        LOWER("Command") LIKE '%/create%'
        OR LOWER("Command") LIKE '%/change%'
      )
      AND (
        LOWER("Command") LIKE '%/ru system%'
        OR LOWER("Command") LIKE '%nt authority%'
        OR LOWER("Command") LIKE '%appdata%'
        OR LOWER("Command") LIKE '%\\temp\\%'
        OR LOWER("Command") LIKE '%\\public\\%'
        OR LOWER("Command") LIKE '%programdata%'
        OR LOWER("Command") LIKE '%windows\\temp%'
        OR LOWER("Command") LIKE '%powershell%'
        OR LOWER("Command") LIKE '%wscript%'
        OR LOWER("Command") LIKE '%cscript%'
        OR LOWER("Command") LIKE '%mshta%'
        OR LOWER("Command") LIKE '%regsvr32%'
        OR LOWER("Command") LIKE '%rundll32%'
        OR LOWER("Command") LIKE '%certutil%'
        OR LOWER("Command") LIKE '%/s %'
        OR LOWER("Command") LIKE '%-encodedcommand%'
        OR LOWER("Command") LIKE '%-enc %'
        OR LOWER("Command") LIKE '%frombase64string%'
      )
    )
    /* Branch 2: Windows Security Event 4698 — Scheduled Task Created */
    OR (
      LOWER(QIDNAME(qid)) LIKE '%4698%'
      OR LOWER(QIDNAME(qid)) LIKE '%scheduled task was created%'
    )
  )
ORDER BY starttime DESC
high severity medium confidence

QRadar AQL detection for T1053 Scheduled Task/Job abuse targeting Windows Security Event Log and Sysmon log sources. Identifies suspicious schtasks.exe or at.exe invocations with SYSTEM context, suspicious file paths, remote task creation, or script interpreter chains, and also surfaces Windows Event ID 4698 (Scheduled Task Created) audit events. Covers both process telemetry and audit log detection branches.

Data Sources

Windows Security Event Log (LOGSOURCETYPEID 12)Microsoft Windows Sysmon (LOGSOURCETYPEID 145)

Required Tables

events

False Positives & Tuning

  • Enterprise patch management solutions (WSUS, SCCM, Tanium) invoking schtasks.exe with PowerShell-based runner commands during OS update and compliance workflows
  • Backup products (Veeam Backup, Windows Server Backup) registering scheduled tasks under SYSTEM in ProgramData paths as part of normal installation and job scheduling
  • Monitoring agents and endpoint security tools scheduling self-update or telemetry collection tasks via schtasks during agent installation or policy refresh cycles
Download portable Sigma rule (.yml)

Other platforms for T1053

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Create Scheduled Task Running as SYSTEM at Startup

    Expected signal: Sysmon Event ID 1: schtasks.exe with CommandLine containing '/create', '/ru SYSTEM', '/sc onstart', and '/f'. Security Event ID 4698 in Windows Security log with TaskName=\Microsoft\Windows\df00tech-test and TaskPrincipal referencing SYSTEM (S-1-5-18). TaskScheduler Operational Event ID 106 (task registered). Task XML created at C:\Windows\System32\Tasks\Microsoft\Windows\df00tech-test.

  2. Test 2Scheduled Task with PowerShell Encoded Command Payload

    Expected signal: Sysmon Event ID 1: powershell.exe executing Register-ScheduledTask via ScheduledTasks module. Security Event ID 4698 with TaskName=df00tech-encoded-test and Action Command=powershell.exe with '-EncodedCommand' in Arguments. TaskScheduler Operational Event ID 106. Task XML in C:\Windows\System32\Tasks\df00tech-encoded-test with Hidden=true and encoded argument visible in task XML.

  3. Test 3Remote Scheduled Task Creation via schtasks /s

    Expected signal: Sysmon Event ID 1: schtasks.exe with CommandLine containing '/s 127.0.0.1' and '/create'. Sysmon Event ID 3: outbound network connection to 127.0.0.1 on port 445 (SMB) or 135 (RPC/DCOM) for remote task registration. Security Event ID 4648 (logon with explicit credentials) if /u and /p are provided. Security Event ID 4698 on the target for the new task.

  4. Test 4Linux Crontab Persistence — Download and Execute Pattern

    Expected signal: Auditd: openat/write syscall to /var/spool/cron/crontabs/<username> or /tmp/crontab.XXXXXX (temp file used by crontab command). Process creation for 'crontab' binary with '-' as argument (reading from stdin). After 5 minutes: crond/cron spawns /bin/bash with the -c argument, creating /tmp/df00tech-cron-out.txt. Syslog shows cron job execution: 'CRON[PID]: (user) CMD (/bin/bash -c ...'.

  5. Test 5Scheduled Task via XML Import — Masquerading as Windows Component

    Expected signal: Sysmon Event ID 1: schtasks.exe with CommandLine containing '/xml' and task name under \Microsoft\Windows\WindowsDefender\. Sysmon Event ID 11: XML file creation in %TEMP%. Security Event ID 4698 with full task XML in EventData — shows Hidden=true, 5-minute repeating trigger, and cmd.exe action. TaskScheduler Operational Event 106. Task XML persisted at C:\Windows\System32\Tasks\Microsoft\Windows\WindowsDefender\df00tech-DefenderUpdate.

Last updated: 2026-04-16 Research depth: deep
References (12)

Unlock Pro Content

Get the full detection package for T1053 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Sub-techniques (5)

Related Techniques

T1053.002AtT1053.003CronT1053.004LaunchdT1053.005Scheduled TaskT1053.006Systemd TimersT1053.007Container Orchestration JobT1059.001PowerShellT1059.003Windows Command ShellT1078Valid AccountsT1218System Binary Proxy ExecutionT1021.002SMB/Windows Admin SharesT1547Boot or Logon Autostart Execution

Same Tactic: Execution

Popular Detections