T1053 Microsoft Sentinel · KQL

Detect Scheduled Task/Job in Microsoft Sentinel

Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Adversaries use task scheduling to execute programs at system startup or on a scheduled basis for persistence, to run processes under elevated account contexts (such as SYSTEM), and to potentially mask one-time execution under a trusted system process. Sub-techniques cover Windows Task Scheduler (T1053.005), the legacy AT command (T1053.002), Unix cron (T1053.003), macOS launchd (T1053.004), Linux systemd timers (T1053.006), and container orchestration jobs (T1053.007).

MITRE ATT&CK

Tactic: Execution, Persistence, Privilege Escalation
Technique: T1053 Scheduled Task/Job
Canonical reference: https://attack.mitre.org/techniques/T1053/

KQL Detection Query

Microsoft Sentinel (KQL)
// T1053 — Scheduled Task/Job: Multi-branch Windows detection
// Branch 1: schtasks.exe / at.exe process creation with suspicious indicators
let SuspiciousTaskCreation = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("schtasks.exe", "at.exe")
| where ProcessCommandLine has_any ("/create", "/change", "-create", "-change")
| extend RunAsSystem = ProcessCommandLine has_any ("/ru SYSTEM", "/ru \"NT AUTHORITY\\SYSTEM\"")
| extend SuspiciousPath = ProcessCommandLine has_any (
    "%APPDATA%", "%TEMP%", "%PUBLIC%",
    "\\AppData\\Local\\Temp", "\\AppData\\Roaming\\",
    "C:\\Users\\Public\\", "C:\\ProgramData\\", "C:\\Windows\\Temp\\"
  )
// "/s <system>" targets a remote host; match it as a whole flag followed by a value so that "/sc" is not mistaken for it
| extend RemoteTask = ProcessCommandLine matches regex @"(?i)\s/s\s+\S"
| extend ScriptExecution = ProcessCommandLine has_any (
    "powershell", "wscript", "cscript", "mshta",
    "regsvr32", "rundll32", "cmd /c", "cmd.exe /c", "certutil"
  )
// "/f" forces overwrite of an existing task with the same name (it is not a hidden-task flag); kept as triage context, not scored
| extend ForceFlag = ProcessCommandLine matches regex @"(?i)\s/f(\s|$)"
| where RunAsSystem or SuspiciousPath or RemoteTask or ScriptExecution
| extend SuspicionScore = toint(RunAsSystem) + toint(SuspiciousPath) + toint(RemoteTask) + toint(ScriptExecution)
| project
    Timestamp, DeviceName, AccountName,
    FileName, ProcessCommandLine,
    InitiatingProcessFileName, InitiatingProcessCommandLine,
    RunAsSystem, SuspiciousPath, RemoteTask, ScriptExecution, ForceFlag, SuspicionScore,
    DetectionBranch = "schtasks_process_creation";
// Branch 2: Security Event 4698 — Scheduled Task Created (audit log)
// EventData holds <Data Name="..."> fields; the task XML in TaskContent is entity-escaped (&lt;Command&gt;),
// so it is unescaped before the task action, arguments and principal are extracted
let TaskAuditEvents = SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4698
| extend TaskName = extract(@'<Data Name="TaskName">(.*?)</Data>', 1, EventData)
| extend TaskContentRaw = extract(@'(?s)<Data Name="TaskContent">(.*?)</Data>', 1, EventData)
| extend TaskContent = replace_string(replace_string(replace_string(replace_string(
    TaskContentRaw, "&lt;", "<"), "&gt;", ">"), "&quot;", "\""), "&amp;", "&")
| extend TaskAction = extract(@"<Command>(.*?)</Command>", 1, TaskContent)
| extend TaskArguments = extract(@"<Arguments>(.*?)</Arguments>", 1, TaskContent)
| extend TaskPrincipal = extract(@"<UserId>(.*?)</UserId>", 1, TaskContent)
| extend RunAsSystem = TaskPrincipal has_any ("SYSTEM", "S-1-5-18")
| extend SuspiciousAction = (TaskAction has_any (
    "powershell", "wscript", "cscript", "mshta", "regsvr32",
    "rundll32", "cmd.exe", "certutil"
  ) or TaskArguments has_any (
    "AppData", "\\Temp\\", "\\Public\\", "ProgramData", "http", "EncodedCommand", "-enc"
  ))
| where SuspiciousAction
| extend SuspicionScore = toint(SuspiciousAction) + toint(RunAsSystem)
| project
    TimeGenerated, Computer, Account,
    TaskName, TaskAction, TaskArguments, TaskPrincipal,
    RunAsSystem, SuspiciousAction, SuspicionScore,
    DetectionBranch = "security_event_4698";
// Union both branches, unify the time column and sort newest first
union SuspiciousTaskCreation, TaskAuditEvents
| extend EventTime = coalesce(Timestamp, TimeGenerated)
| sort by EventTime desc
Severity: high · Confidence: medium

Multi-branch detection for T1053 Scheduled Task/Job abuse on Windows using Microsoft Defender for Endpoint and Windows Security event logs. Branch 1 monitors DeviceProcessEvents for schtasks.exe and at.exe invocations with suspicious parameters: SYSTEM execution context, writable/temporary directory paths, remote task creation (/s flag), and scripting engine invocations (PowerShell, wscript, mshta, regsvr32, rundll32). Branch 2 parses Security Event 4698 (task created) to extract task action and principal, alerting when the task action contains known scripting engines or suspicious path patterns in arguments. A SuspicionScore field aggregates multiple indicators to aid analyst triage and prioritization.

Data Sources

  • Process: Process Creation
  • Scheduled Job: Scheduled Job Creation
  • Command: Command Execution
  • Microsoft Defender for Endpoint
  • Windows Security Event Log

Required Tables

  • DeviceProcessEvents
  • SecurityEvent

False Positives & Tuning

  • IT automation and configuration management tools (SCCM/CCMExec, Intune, Ansible WinRM) creating scheduled tasks for software deployment, patching, and policy enforcement — typically identifiable by ccmexec.exe or msiexec.exe as the initiating process
  • Monitoring and observability agents (Datadog, SolarWinds, Nagios, Elastic Agent) scheduling periodic data collection or health check tasks with actions in ProgramData or similar directories
  • Legitimate software products creating update or maintenance tasks at installation time (Adobe, Chrome, Java, antivirus products) — usually run from %APPDATA% or ProgramData with predictable task names and vendor-signed binaries
  • System administrators creating administrative maintenance scripts scheduled as SYSTEM for disk cleanup, log archival, certificate renewal, or backup operations
  • Development and CI/CD pipelines on build agents creating tasks as part of automated test execution or environment setup, often with PowerShell actions in Temp directories
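As an added example that is not part of the original detection package, the following Python re-implements both branches of the KQL query above over constructed sample events and applies the initiating-process allowlist (ccmexec.exe, msiexec.exe) that the false-positive list points to. It shows the one step the query has to get right for Event 4698: the task XML inside EventData is entity-escaped, so it must be unescaped before `<Command>`, `<Arguments>` and `<UserId>` can be read. Event field names mirror the Sentinel columns; the sample events, the helper functions, and the allowlist set are assumptions of this example.

```python
import html
import re

# Indicator lists copied from the query above; everything else in this file is constructed.
CREATE_FLAGS = ("/create", "/change", "-create", "-change")
SCRIPT_ENGINES = ("powershell", "wscript", "cscript", "mshta", "regsvr32",
                  "rundll32", "cmd /c", "cmd.exe /c", "certutil")
ACTION_ENGINES = ("powershell", "wscript", "cscript", "mshta", "regsvr32",
                  "rundll32", "cmd.exe", "certutil")
SUSPICIOUS_PATHS = ("%APPDATA%", "%TEMP%", "%PUBLIC%", "\\AppData\\Local\\Temp",
                    "\\AppData\\Roaming\\", "C:\\Users\\Public\\", "C:\\ProgramData\\",
                    "C:\\Windows\\Temp\\")
SUSPICIOUS_ARGS = ("AppData", "\\Temp\\", "\\Public\\", "ProgramData", "http",
                   "EncodedCommand", "-enc")
# Tuning allowlist (assumption): deployment tooling named in the False Positives section.
BENIGN_INITIATORS = {"ccmexec.exe", "msiexec.exe"}


def has_any(text, needles):
    """Case-insensitive substring check, standing in for KQL has_any."""
    lowered = text.lower()
    return any(needle.lower() in lowered for needle in needles)


def score_process_event(ev):
    """Branch 1: schtasks.exe / at.exe creating or changing a task. Alert dict or None."""
    if ev["FileName"].lower() not in ("schtasks.exe", "at.exe"):
        return None
    cmd = ev["ProcessCommandLine"]
    if not has_any(cmd, CREATE_FLAGS):
        return None
    if ev.get("InitiatingProcessFileName", "").lower() in BENIGN_INITIATORS:
        return None  # tuning: suppress SCCM / MSI-driven task creation
    indicators = {
        "RunAsSystem": has_any(cmd, ("/ru SYSTEM", '/ru "NT AUTHORITY\\SYSTEM"')),
        "SuspiciousPath": has_any(cmd, SUSPICIOUS_PATHS),
        # /s <host> targets a remote system; require a following value so /sc does not match
        "RemoteTask": re.search(r"(?i)\s/s\s+\S", cmd) is not None,
        "ScriptExecution": has_any(cmd, SCRIPT_ENGINES),
    }
    if not any(indicators.values()):
        return None
    return {**indicators, "SuspicionScore": sum(indicators.values()),
            "DetectionBranch": "schtasks_process_creation"}


def event_data_field(event_data, name):
    """Read one <Data Name="..."> value from a SecurityEvent EventData string."""
    match = re.search(r'<Data Name="%s">(.*?)</Data>' % re.escape(name), event_data, re.S)
    return match.group(1) if match else ""


def task_xml_tag(task_content, tag):
    """Read a tag from the task XML; the log embeds it entity-escaped, so unescape first."""
    match = re.search(r"<%s>(.*?)</%s>" % (tag, tag), html.unescape(task_content), re.S)
    return match.group(1) if match else ""


def score_task_audit_event(ev):
    """Branch 2: Security Event 4698 (scheduled task created). Alert dict or None."""
    if ev["EventID"] != 4698:
        return None
    content = event_data_field(ev["EventData"], "TaskContent")
    action = task_xml_tag(content, "Command")
    arguments = task_xml_tag(content, "Arguments")
    principal = task_xml_tag(content, "UserId")
    suspicious_action = has_any(action, ACTION_ENGINES) or has_any(arguments, SUSPICIOUS_ARGS)
    if not suspicious_action:
        return None
    run_as_system = has_any(principal, ("SYSTEM", "S-1-5-18"))
    return {"TaskName": event_data_field(ev["EventData"], "TaskName"), "TaskAction": action,
            "TaskArguments": arguments, "TaskPrincipal": principal, "RunAsSystem": run_as_system,
            "SuspicionScore": int(suspicious_action) + int(run_as_system),
            "DetectionBranch": "security_event_4698"}


def run_detection(process_events, audit_events):
    """Union of both branches, highest SuspicionScore first."""
    alerts = [a for a in map(score_process_event, process_events) if a]
    alerts += [a for a in map(score_task_audit_event, audit_events) if a]
    return sorted(alerts, key=lambda a: a["SuspicionScore"], reverse=True)


def make_4698(task_name, command, arguments, user_id):
    """Constructed 4698 event: minimal task XML, entity-escaped inside <Data Name="TaskContent">."""
    task_xml = ("<Task><Principals><Principal><UserId>%s</UserId></Principal></Principals>"
                "<Actions><Exec><Command>%s</Command><Arguments>%s</Arguments></Exec></Actions></Task>"
                % (user_id, command, arguments))
    return {"EventID": 4698, "EventData": '<EventData><Data Name="TaskName">%s</Data>'
            '<Data Name="TaskContent">%s</Data></EventData>' % (task_name, html.escape(task_xml))}


# Constructed sample telemetry (not real events).
SAMPLE_PROCESS_EVENTS = [
    {"FileName": "schtasks.exe", "InitiatingProcessFileName": "cmd.exe",
     "ProcessCommandLine": 'schtasks /create /tn "Updater" /tr "powershell -enc AAAA" /sc onstart /ru SYSTEM /f'},
    {"FileName": "schtasks.exe", "InitiatingProcessFileName": "ccmexec.exe",
     "ProcessCommandLine": 'schtasks /create /tn "SCCM-Deploy" /tr "C:\\ProgramData\\deploy.bat" /ru SYSTEM'},
]
SAMPLE_AUDIT_EVENTS = [
    make_4698("\\Microsoft\\Windows\\WindowsDefender\\DefenderUpdate",
              "cmd.exe", "/c C:\\Users\\Public\\run.bat", "S-1-5-18"),
    make_4698("\\Adobe Acrobat Update Task", "C:\\Program Files\\Adobe\\AdobeUpdate.exe", "", "S-1-5-18"),
]

if __name__ == "__main__":
    for alert in run_detection(SAMPLE_PROCESS_EVENTS, SAMPLE_AUDIT_EVENTS):
        print(alert["DetectionBranch"], alert["SuspicionScore"], alert)
```

Running it yields two alerts: the SYSTEM startup task with a PowerShell action (score 2) and the 4698 event for the task masquerading under \Microsoft\Windows\WindowsDefender\ (score 2, because the action is cmd.exe and the principal is S-1-5-18). The SCCM-initiated task is suppressed by the initiating-process allowlist, and the vendor updater under Program Files never matches an indicator, so it needs no allowlist entry. Note that the masquerading task would be missed by a task-name prefix allowlist, which is why the tuning here keys on the initiating process rather than the task name.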

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Create Scheduled Task Running as SYSTEM at Startup

    Expected signal: Sysmon Event ID 1: schtasks.exe with CommandLine containing '/create', '/ru SYSTEM', '/sc onstart', and '/f'. Security Event ID 4698 in Windows Security log with TaskName=\Microsoft\Windows\df00tech-test and TaskPrincipal referencing SYSTEM (S-1-5-18). TaskScheduler Operational Event ID 106 (task registered). Task XML created at C:\Windows\System32\Tasks\Microsoft\Windows\df00tech-test.

  2. Test 2: Scheduled Task with PowerShell Encoded Command Payload

    Expected signal: Sysmon Event ID 1: powershell.exe executing Register-ScheduledTask via ScheduledTasks module. Security Event ID 4698 with TaskName=df00tech-encoded-test and Action Command=powershell.exe with '-EncodedCommand' in Arguments. TaskScheduler Operational Event ID 106. Task XML in C:\Windows\System32\Tasks\df00tech-encoded-test with Hidden=true and encoded argument visible in task XML.

  3. Test 3: Remote Scheduled Task Creation via schtasks /s

    Expected signal: Sysmon Event ID 1: schtasks.exe with CommandLine containing '/s 127.0.0.1' and '/create'. Sysmon Event ID 3: outbound network connection to 127.0.0.1 on port 445 (SMB) or 135 (RPC/DCOM) for remote task registration. Security Event ID 4648 (logon with explicit credentials) if /u and /p are provided. Security Event ID 4698 on the target for the new task.

  4. Test 4: Linux Crontab Persistence — Download and Execute Pattern

    Expected signal: Auditd: openat/write syscall to /var/spool/cron/crontabs/<username> or /tmp/crontab.XXXXXX (temp file used by crontab command). Process creation for 'crontab' binary with '-' as argument (reading from stdin). After 5 minutes: crond/cron spawns /bin/bash with the -c argument, creating /tmp/df00tech-cron-out.txt. Syslog shows cron job execution: 'CRON[PID]: (user) CMD (/bin/bash -c ...'.

  5. Test 5: Scheduled Task via XML Import — Masquerading as Windows Component

    Expected signal: Sysmon Event ID 1: schtasks.exe with CommandLine containing '/xml' and task name under \Microsoft\Windows\WindowsDefender\. Sysmon Event ID 11: XML file creation in %TEMP%. Security Event ID 4698 with full task XML in EventData — shows Hidden=true, 5-minute repeating trigger, and cmd.exe action. TaskScheduler Operational Event 106. Task XML persisted at C:\Windows\System32\Tasks\Microsoft\Windows\WindowsDefender\df00tech-DefenderUpdate.
