title: Scheduled Task/Job (T1053)
id: df00tech-t1053
status: experimental
description: "Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Adversaries use task scheduling to execute programs at system startup or on a scheduled basis for persistence, to run processes under elevated account contexts (such as SYSTEM), and to potentially mask one-time execution under a trusted system process. Sub-techniques cover Windows Task Scheduler (T1053.005), the legacy AT command (T1053.002), Unix cron (T1053.003), macOS launchd (T1053.004), Linux systemd timers (T1053.006), and container orchestration jobs (T1053.007)."
references:
  - https://attack.mitre.org/techniques/T1053/
  - https://df00tech.com/detections/T1053
author: df00tech
date: 2026/04/16
tags:
  - attack.t1053
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
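  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The selection below is a placeholder: EventID: '*' matches every event in this
  # log source, so replace it with the translated logic before deploying the rule.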
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "IT automation and configuration management tools (SCCM/CCMExec, Intune, Ansible WinRM) creating scheduled tasks for software deployment, patching, and policy enforcement — typically identifiable by ccmexec.exe or msiexec.exe as the initiating process"
  - "Monitoring and observability agents (Datadog, SolarWinds, Nagios, Elastic Agent) scheduling periodic data collection or health check tasks with actions in ProgramData or similar directories"
  - "Legitimate software products creating update or maintenance tasks at installation time (Adobe, Chrome, Java, antivirus products) — usually run from %APPDATA% or ProgramData with predictable task names and vendor-signed binaries"
  - "System administrators creating administrative maintenance scripts scheduled as SYSTEM for disk cleanup, log archival, certificate renewal, or backup operations"
  - "Development and CI/CD pipelines on build agents creating tasks as part of automated test execution or environment setup, often with PowerShell actions in Temp directories"
level: high
