title: Scheduled Task (T1053.005)
id: df00tech-t1053-005
status: experimental
description: "Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. Attackers use schtasks.exe, the Task Scheduler GUI, .NET wrappers, WMI (via Win32_ScheduledJob or PS_ScheduledTask), or direct registry manipulation to create, modify, or delete scheduled tasks. Tasks can run under any account context including SYSTEM, enabling privilege escalation. Adversaries also create hidden tasks by deleting the Security Descriptor (SD) registry value, making tasks invisible to standard enumeration tools."
references:
  - https://attack.mitre.org/techniques/T1053/005/
  - https://df00tech.com/detections/T1053.005
author: df00tech
date: 2026/04/16
tags:
  - attack.t1053.005
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # Derived from the schtasks.exe behaviour in the description above (create, modify, delete).
  # The WMI (Win32_ScheduledJob / PS_ScheduledTask) and registry variants, including
  # hidden tasks created by deleting the SD value, are not process_creation events and
  # are only covered by the KQL/SPL query on df00tech.
  selection:
    Image|endswith: '\schtasks.exe'
    CommandLine|contains:
      - '/create'
      - '/change'
      - '/delete'
  condition: selection
falsepositives:
  - "Software installers and patch management tools (SCCM, Intune, PDQ Deploy) that create scheduled tasks as part of software deployment workflows"
  - "Legitimate IT automation and monitoring agents (SolarWinds, Nagios, Datadog, Ansible) that create or modify scheduled tasks for health checks and data collection"
  - "Antivirus and endpoint security products creating scheduled tasks for definition updates, scans, and health monitoring"
  - "Developer and DevOps toolchains (CI/CD agents, build servers) that schedule recurring jobs via schtasks"
  - "System administrators manually creating maintenance tasks from elevated shells during change windows"
level: high
