Detect Scheduled Task/Job in Sumo Logic CSE
Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Adversaries use task scheduling to execute programs at system startup or on a scheduled basis for persistence, to run processes under elevated account contexts (such as SYSTEM), and to potentially mask one-time execution under a trusted system process. Sub-techniques cover Windows Task Scheduler (T1053.005), the legacy AT command (T1053.002), Unix cron (T1053.003), macOS launchd (T1053.004), Linux systemd timers (T1053.006), and container orchestration jobs (T1053.007).
MITRE ATT&CK
- Technique
- T1053 Scheduled Task/Job
- Canonical reference
- https://attack.mitre.org/techniques/T1053/
Sumo Detection Query
```
(_sourceCategory="*windows*" OR _sourceCategory="*sysmon*" OR _sourceCategory="*winlogbeat*")
| where EventCode in ("1", "4698") OR EventID in ("1", "4698")
| if (isEmpty(CommandLine), Message, CommandLine) as RawText
| toLowerCase(RawText) as RawTextLower
| where
(
/* Branch 1: schtasks / at.exe process creation with at least one suspicious indicator */
(
(RawTextLower matches "*schtasks.exe*" OR RawTextLower matches "*\\at.exe*")
AND (RawTextLower matches "*/create*" OR RawTextLower matches "*/change*")
AND (
RawTextLower matches "*/ru system*"
OR RawTextLower matches "*appdata*"
OR RawTextLower matches "*\\temp\\*"
OR RawTextLower matches "*\\public\\*"
OR RawTextLower matches "*programdata*"
OR RawTextLower matches "*powershell*"
OR RawTextLower matches "*wscript*"
OR RawTextLower matches "*cscript*"
OR RawTextLower matches "*mshta*"
OR RawTextLower matches "*regsvr32*"
OR RawTextLower matches "*rundll32*"
OR RawTextLower matches "*certutil*"
OR RawTextLower matches "*/s *"
OR RawTextLower matches "*-encodedcommand*"
OR RawTextLower matches "*frombase64string*"
)
)
/* Branch 2: Event 4698 (Scheduled Task Created), all instances */
OR (EventCode = "4698" OR EventID = "4698")
)
| if (RawTextLower matches "*/ru system*" OR RawTextLower matches "*nt authority*", 1, 0) as RunAsSystem
| if (RawTextLower matches "*appdata*" OR RawTextLower matches "*\\temp\\*" OR RawTextLower matches "*\\public\\*" OR RawTextLower matches "*programdata*" OR RawTextLower matches "*windows\\temp*", 1, 0) as SuspiciousPath
| if (RawTextLower matches "*/s *", 1, 0) as RemoteTask
| if (RawTextLower matches "*powershell*" OR RawTextLower matches "*wscript*" OR RawTextLower matches "*cscript*" OR RawTextLower matches "*mshta*" OR RawTextLower matches "*regsvr32*" OR RawTextLower matches "*rundll32*" OR RawTextLower matches "*certutil*", 1, 0) as ScriptExecution
| if (RawTextLower matches "*-encodedcommand*" OR RawTextLower matches "*frombase64string*", 1, 0) as EncodedPayload
| if (EventCode = "4698" OR EventID = "4698", 1, 0) as IsTaskCreatedEvent
| RunAsSystem + SuspiciousPath + RemoteTask + ScriptExecution + EncodedPayload + IsTaskCreatedEvent as SuspicionScore
| fields _time, host, User, EventCode, EventID, CommandLine, Image, ParentImage, ParentCommandLine, RunAsSystem, SuspiciousPath, RemoteTask, ScriptExecution, EncodedPayload, IsTaskCreatedEvent, SuspicionScore
| sort by _time desc
```

Sumo Logic detection for T1053 Scheduled Task/Job abuse. Ingests Sysmon Event 1 (Process Create) and Windows Security Event 4698 (Scheduled Task Created) from Windows or Sysmon source categories. Scores each event across six risk dimensions: SYSTEM context, suspicious staging paths, remote task targeting, script interpreter invocation, encoded command payload, and direct task creation audit event. Enriches each result with per-indicator boolean fields for rapid analyst triage.
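To see what the filter and scoring logic actually emit before the query goes live, here is an added Python reproduction of the query's Branch 1/Branch 2 filter and its six indicator fields (example code written for this page, not part of the original page or of any Sumo Logic product). The events are constructed samples and the helper names are assumptions.

```python
# Constructed sample events (not real telemetry), shaped like the Sysmon Event 1
# and Security Event 4698 records the query consumes; only the fields it touches are set.
SAMPLE_EVENTS = [
    {"EventCode": "1", "CommandLine":
     r'schtasks.exe /create /tn Updater /tr "powershell -EncodedCommand QUJDRA==" /ru SYSTEM /sc onstart /f'},
    {"EventCode": "1", "CommandLine":
     r'schtasks.exe /create /s 127.0.0.1 /tn Sync /tr C:\Users\bob\AppData\Roaming\run.vbs'},
    {"EventCode": "1", "CommandLine":
     r'schtasks.exe /create /tn Backup /tr "C:\Program Files\Backup\backup.exe" /sc daily'},
    {"EventCode": "4698", "CommandLine": "", "Message":
     r"A scheduled task was created. Subject: Account Name: SYSTEM Account Domain: NT AUTHORITY Task Name: \Microsoft\Windows\Cleanup"},
]

SCRIPT_HOSTS = ("powershell", "wscript", "cscript", "mshta", "regsvr32", "rundll32", "certutil")
STAGING_PATHS = ("appdata", "\\temp\\", "\\public\\", "programdata", "windows\\temp")  # Branch 1 uses the first four
ENCODED = ("-encodedcommand", "frombase64string")

def raw_text(event):
    # Mirrors: if (isEmpty(CommandLine), Message, CommandLine) as RawText | toLowerCase(RawText)
    return (event.get("CommandLine") or event.get("Message", "")).lower()

def passes_filter(event):
    """Branch 1 (schtasks/at.exe create|change plus one indicator) OR Branch 2 (any Event 4698)."""
    raw = raw_text(event)
    sched_bin = "schtasks.exe" in raw or "\\at.exe" in raw
    create = "/create" in raw or "/change" in raw
    indicators = ("/ru system", *STAGING_PATHS[:4], *SCRIPT_HOSTS, "/s ", *ENCODED)
    return (sched_bin and create and any(i in raw for i in indicators)) or event["EventCode"] == "4698"

def score_event(event):
    """Rebuild the six indicator fields and SuspicionScore exactly as the query computes them."""
    raw = raw_text(event)
    flags = {
        # "nt authority" also matches the Subject domain of a 4698, so SYSTEM-created tasks score here
        "RunAsSystem": int("/ru system" in raw or "nt authority" in raw),
        "SuspiciousPath": int(any(p in raw for p in STAGING_PATHS)),
        "RemoteTask": int("/s " in raw),
        "ScriptExecution": int(any(s in raw for s in SCRIPT_HOSTS)),
        "EncodedPayload": int(any(e in raw for e in ENCODED)),
        "IsTaskCreatedEvent": int(event["EventCode"] == "4698"),
    }
    flags["SuspicionScore"] = sum(flags.values())
    return flags

def run_detection(events):
    """Return (event index, flags) for the events the query would emit, highest score first."""
    hits = [(i, score_event(e)) for i, e in enumerate(events) if passes_filter(e)]
    return sorted(hits, key=lambda h: h[1]["SuspicionScore"], reverse=True)
```

The third sample (a plain daily backup task) never reaches the scoring stage, which is the intended effect of requiring at least one indicator in Branch 1.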
Data Sources
Required Tables
False Positives & Tuning
- IT automation platforms (Chef, Puppet, Ansible) invoking schtasks.exe with PowerShell runners during node configuration runs — these may score high across multiple indicators simultaneously
- Corporate endpoint management agents (Intune, Tanium) creating scheduled tasks pointing to ProgramData with SYSTEM privileges as part of normal software deployment pipelines
- Security product self-healing and certificate validation tasks executing certutil.exe or cmd.exe under SYSTEM context for CRL checks or update enforcement
Other platforms for T1053
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Create Scheduled Task Running as SYSTEM at Startup
Expected signal: Sysmon Event ID 1: schtasks.exe with CommandLine containing '/create', '/ru SYSTEM', '/sc onstart', and '/f'. Security Event ID 4698 in Windows Security log with TaskName=\Microsoft\Windows\df00tech-test and TaskPrincipal referencing SYSTEM (S-1-5-18). TaskScheduler Operational Event ID 106 (task registered). Task XML created at C:\Windows\System32\Tasks\Microsoft\Windows\df00tech-test.
- Test 2: Scheduled Task with PowerShell Encoded Command Payload
Expected signal: Sysmon Event ID 1: powershell.exe executing Register-ScheduledTask via ScheduledTasks module. Security Event ID 4698 with TaskName=df00tech-encoded-test and Action Command=powershell.exe with '-EncodedCommand' in Arguments. TaskScheduler Operational Event ID 106. Task XML in C:\Windows\System32\Tasks\df00tech-encoded-test with Hidden=true and encoded argument visible in task XML.
- Test 3: Remote Scheduled Task Creation via schtasks /s
Expected signal: Sysmon Event ID 1: schtasks.exe with CommandLine containing '/s 127.0.0.1' and '/create'. Sysmon Event ID 3: outbound network connection to 127.0.0.1 on port 445 (SMB) or 135 (RPC/DCOM) for remote task registration. Security Event ID 4648 (logon with explicit credentials) if /u and /p are provided. Security Event ID 4698 on the target for the new task.
- Test 4: Linux Crontab Persistence, Download and Execute Pattern
Expected signal: Auditd: openat/write syscall to /var/spool/cron/crontabs/<username> or /tmp/crontab.XXXXXX (temp file used by crontab command). Process creation for 'crontab' binary with '-' as argument (reading from stdin). After 5 minutes: crond/cron spawns /bin/bash with the -c argument, creating /tmp/df00tech-cron-out.txt. Syslog shows cron job execution: 'CRON[PID]: (user) CMD (/bin/bash -c ...'.
- Test 5: Scheduled Task via XML Import, Masquerading as Windows Component
Expected signal: Sysmon Event ID 1: schtasks.exe with CommandLine containing '/xml' and task name under \Microsoft\Windows\WindowsDefender\. Sysmon Event ID 11: XML file creation in %TEMP%. Security Event ID 4698 with full task XML in EventData, showing Hidden=true, 5-minute repeating trigger, and cmd.exe action. TaskScheduler Operational Event 106. Task XML persisted at C:\Windows\System32\Tasks\Microsoft\Windows\WindowsDefender\df00tech-DefenderUpdate.
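Several of the expected signals above come from the task XML that Security Event 4698 carries in its EventData (Hidden=true, a repeating trigger, a SYSTEM principal, a cmd.exe action, a name under \Microsoft\Windows\). As an added example that is not part of the original page, the Python below pulls those fields out of a constructed task definition so an analyst can confirm the markers without opening the XML by hand; the function and field names are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}  # Task Scheduler schema namespace
NOTABLE_COMMANDS = ("cmd", "powershell", "wscript", "cscript", "mshta", "regsvr32", "rundll32", "certutil")

# Constructed task definition (not captured from a real host), shaped like Test 5:
# hidden, 5-minute repeating trigger, SYSTEM principal, cmd.exe action.
SAMPLE_TASK_XML = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT5M</Interval></Repetition>
    <StartBoundary>2024-01-01T00:00:00</StartBoundary>
  </TimeTrigger></Triggers>
  <Principals><Principal id="Author">
    <UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel>
  </Principal></Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author"><Exec>
    <Command>cmd.exe</Command><Arguments>/c echo placeholder</Arguments>
  </Exec></Actions>
</Task>"""

def triage_task(task_name, xml_text):
    """Return the fields an analyst checks first, plus the reasons the task stands out."""
    if xml_text.lstrip().startswith("<?xml"):          # drop the declaration so a str parses cleanly
        xml_text = xml_text.split("?>", 1)[1]
    root = ET.fromstring(xml_text)

    def text(path):
        el = root.find(path, NS)
        return (el.text or "").strip() if el is not None else ""

    f = {
        "TaskName": task_name,
        "Hidden": text("t:Settings/t:Hidden").lower() == "true",
        "Principal": text("t:Principals/t:Principal/t:UserId"),
        "RepeatInterval": text(".//t:Repetition/t:Interval"),   # ISO 8601 duration, e.g. PT5M
        "Command": text("t:Actions/t:Exec/t:Command"),
        "Arguments": text("t:Actions/t:Exec/t:Arguments"),
    }
    reasons = []
    if f["Hidden"]:
        reasons.append("hidden task")
    if f["Principal"] == "S-1-5-18":
        reasons.append("runs as SYSTEM")
    if f["RepeatInterval"]:
        reasons.append("repeating trigger " + f["RepeatInterval"])
    exe = f["Command"].lower().rsplit("\\", 1)[-1]      # basename even if a full Windows path is given
    if any(exe.startswith(c) for c in NOTABLE_COMMANDS):
        reasons.append("interpreter/LOLBin action " + f["Command"])
    if task_name.lower().startswith("\\microsoft\\windows\\"):  # where Tests 1 and 5 place their tasks
        reasons.append("name under \\Microsoft\\Windows\\")
    f["Reasons"] = reasons
    return f
```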
References (12)
- https://attack.mitre.org/techniques/T1053/
- https://docs.microsoft.com/en-us/windows/win32/taskschd/task-scheduler-start-page
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4698
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/taskscheduler
- https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain
- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
- https://research.nccgroup.com/2021/01/12/abusing-task-scheduler-for-persistence/
- https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
- https://www.mandiant.com/resources/blog/apt41-us-state-governments
- https://technet.microsoft.com/en-us/library/cc785125.aspx