Tactics: Execution, Persistence, Privilege Escalation

T1053.005: Scheduled Task

T1053.005 · Sub-technique · 1 platform · 54 groups

Description

Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrative Tools section of the Control Panel.(Citation: Stack Overflow) In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library and Windows Management Instrumentation (WMI) to create a scheduled task. Adversaries may also utilize the PowerShell cmdlet Invoke-CimMethod, which leverages the WMI class PS_ScheduledTask to create a scheduled task from a task-definition XML file.(Citation: Red Canary - Atomic Red Team)

An adversary may use Windows Task Scheduler to execute programs at system startup or on a scheduled basis for persistence. The Windows Task Scheduler can also be abused to conduct remote Execution as part of Lateral Movement and/or to run a process under the context of a specified account (such as SYSTEM). Similar to System Binary Proxy Execution, adversaries have also abused the Windows Task Scheduler to potentially mask one-time execution under signed/trusted system processes.(Citation: ProofPoint Serpent)
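The creation paths described above, as an added example for a lab host (this is not code from the ATT&CK page or from any group or tool listed on it): the same task is registered through schtasks.exe, through the ScheduledTasks PowerShell module, and through the WMI/CIM PS_ScheduledTask.RegisterByXml method, in each case running as SYSTEM as in the privilege-escalation case, then listed and removed. The task names (LabTask_*), the harmless stand-in payload and the task XML are constructed for this example.

```powershell
# Added example, not from the ATT&CK page. Run elevated on a lab host to generate
# telemetry (Security 4698, TaskScheduler/Operational 106, TaskCache registry writes)
# for detection tuning. LabTask_* names, payload and XML are constructed here.
$payload = 'C:\Windows\System32\calc.exe'   # harmless stand-in for a real payload

# 1. schtasks.exe on the command line, every 5 minutes as SYSTEM
schtasks /Create /F /TN 'LabTask_Schtasks' /SC MINUTE /MO 5 /TR $payload /RU SYSTEM

# 2. ScheduledTasks module (wraps the same Task Scheduler COM API), at startup as SYSTEM
$action    = New-ScheduledTaskAction -Execute $payload
$trigger   = New-ScheduledTaskTrigger -AtStartup
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName 'LabTask_Module' -Action $action -Trigger $trigger `
    -Principal $principal -Force | Out-Null

# 3. WMI/CIM: PS_ScheduledTask.RegisterByXml with a task definition, marked Hidden
#    so it does not appear in the Task Scheduler GUI by default (schtasks /query still lists it)
$xml = @"
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\LabTask_CIM</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals>
    <Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal>
  </Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author"><Exec><Command>$payload</Command></Exec></Actions>
</Task>
"@
Invoke-CimMethod -Namespace 'Root\Microsoft\Windows\TaskScheduler' -ClassName PS_ScheduledTask `
    -MethodName RegisterByXml -Arguments @{ Force = $true; Xml = $xml; TaskName = 'LabTask_CIM' } | Out-Null

# Verify: all three should be listed, each running as SYSTEM
Get-ScheduledTask -TaskName 'LabTask_*' |
    Select-Object TaskName, State, @{ n = 'RunAs'; e = { $_.Principal.UserId } }, @{ n = 'Hidden'; e = { $_.Settings.Hidden } }

# Clean up the lab artifacts
Get-ScheduledTask -TaskName 'LabTask_*' | Unregister-ScheduledTask -Confirm:$false
```

All three paths end in the same Task Scheduler service, so each produces a task file under C:\Windows\System32\Tasks and a TaskCache registry entry; what differs is the process that made the call (schtasks.exe, powershell.exe, or WmiPrvSE.exe for the CIM path), which is the distinction a process-creation or command-line rule has to account for.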

Adversaries may also create "hidden" scheduled tasks (i.e. Hide Artifacts) that may not be visible to defender tools and manual queries used to enumerate tasks. Specifically, an adversary may hide a task from schtasks /query and the Task Scheduler by deleting the associated Security Descriptor (SD) registry value (where deletion of this value must be completed using SYSTEM permissions).(Citation: SigmaHQ)(Citation: Tarrask scheduled task) Adversaries may also employ alternate methods to hide tasks, such as altering the metadata (e.g., Index value) within associated registry keys.(Citation: Defending Against Scheduled Task Attacks in Windows Environments)
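A check for the hiding variants described above, added here and not part of the ATT&CK page: it walks the TaskCache\Tree registry keys the scheduler's task list is built from, reports every task entry whose SD value is absent or which Get-ScheduledTask no longer returns, and shows the Index value so altered metadata can be reviewed. The registry paths are the documented TaskCache locations; which rows to flag is this example's choice. Run it elevated, since the SD values are not readable by standard users.

```powershell
# Added example, not from the ATT&CK page. Compares the scheduler's own view of
# registered tasks with the registry cache it is built from. A task key under
# TaskCache\Tree with no SD value is the Tarrask-style hiding described above.
$treeFull  = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'
$treeRoot  = "HKLM:\$($treeFull.Substring('HKEY_LOCAL_MACHINE\'.Length))"
$tasksRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'

# What schtasks /query and Get-ScheduledTask will show (TaskPath ends with '\')
$visible = Get-ScheduledTask | ForEach-Object { $_.TaskPath + $_.TaskName }

$findings = Get-ChildItem -Path $treeRoot -Recurse | ForEach-Object {
    $key   = $_
    $props = Get-ItemProperty -Path $key.PSPath
    # Folder nodes have no Id value; only task nodes carry Id/Index/SD
    if (-not $props.PSObject.Properties['Id']) { return }

    $taskPath  = $key.Name.Substring($treeFull.Length)      # e.g. \Microsoft\Windows\Foo\Bar
    $guid      = $props.Id
    $taskProps = Get-ItemProperty -Path (Join-Path $tasksRoot $guid) -ErrorAction SilentlyContinue

    [pscustomobject]@{
        TaskPath    = $taskPath
        Id          = $guid
        HasSD       = [bool]$props.PSObject.Properties['SD']
        Index       = $props.Index
        InTasksKey  = [bool]$taskProps
        Listed      = $visible -contains $taskPath
        Author      = if ($taskProps) { $taskProps.Author } else { $null }
        ActionsBlob = if ($taskProps -and $taskProps.Actions) { $taskProps.Actions.Length } else { 0 }
    }
}

# Flag: SD value deleted, or present in the cache but absent from the scheduler's list.
# Index is shown for review; the page notes it is also altered to hide tasks.
$findings | Where-Object { -not $_.HasSD -or -not $_.Listed } |
    Sort-Object TaskPath | Format-Table TaskPath, HasSD, Index, Listed, InTasksKey, Author -AutoSize

"Cache entries: $($findings.Count)   Listed by scheduler: $($visible.Count)"
```

A clean host shows an empty table and matching counts. Because the hide is a registry edit and the task file under C:\Windows\System32\Tasks and the TaskCache\Tasks\{GUID} key usually survive, a hidden task still shows up here and in registry-write telemetry even though schtasks /query and the GUI omit it.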

Platforms

Windows

Mitigations (4)

M1026: Privileged Account Management

Configure the Increase Scheduling Priority option to only allow the Administrators group the rights to schedule a priority process. This can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Increase scheduling priority. (Citation: TechNet Scheduling Priority)

M1018: User Account Management

Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create scheduled tasks on remote systems.

M1047: Audit

Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for permission weaknesses in scheduled tasks that could be used to escalate privileges. (Citation: Powersploit)

M1028: Operating System Configuration

Configure settings for scheduled tasks to force tasks to run under the context of the authenticated account instead of allowing them to run as SYSTEM. The associated Registry key is located at HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SubmitControl. The setting can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > Security Opti
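A local audit for the conditions the four mitigations above target, added here as an example and not taken from the ATT&CK page or from PowerSploit: it reads the SubmitControl value named under M1028, exports the "Increase scheduling priority" right named under M1026, and performs the PowerUp-style check from M1047, listing tasks that run as a service account or elevated whose executable can be modified by low-privileged principals. The list of low-privileged principals and the set of rights treated as "writable" are this example's choices. Run it elevated.

```powershell
# Added example, not from the ATT&CK page. Audits the host for the settings and
# permission weaknesses the mitigations above describe. Run elevated.

# M1028: SubmitControl under HKLM\SYSTEM\CurrentControlSet\Control\Lsa (not set or 0 is the default)
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$submit = if ($lsa.PSObject.Properties['SubmitControl']) { $lsa.SubmitControl } else { '<not set>' }
"SubmitControl = $submit"

# M1026: holders of SeIncreaseBasePriorityPrivilege ("Increase scheduling priority").
# Expect Administrators (S-1-5-32-544); recent builds also list the Window Manager group.
$cfg = Join-Path $env:TEMP 'secpol_export.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$right = Select-String -Path $cfg -Pattern '^SeIncreaseBasePriorityPrivilege' | Select-Object -First 1
"Increase scheduling priority: $(if ($right) { $right.Line } else { '<not found in export>' })"
Remove-Item $cfg -ErrorAction SilentlyContinue

# M1047: privileged tasks whose target binary is writable by low-privileged principals.
# Principal list and "writable" rights are this example's choices, not a Windows definition.
$lowPriv = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
$writable = 'Write|Modify|FullControl|ChangePermissions|TakeOwnership'

Get-ScheduledTask | Where-Object {
    $_.Principal.UserId -in @('SYSTEM', 'S-1-5-18', 'LOCAL SERVICE', 'NETWORK SERVICE') -or
    "$($_.Principal.RunLevel)" -eq 'Highest'
} | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if (-not $a.Execute) { continue }                       # COM handler actions have no Execute
        # Action commands are often quoted and use environment variables; resolve both,
        # and resolve bare names (e.g. cmd.exe) through PATH as the scheduler would
        $exe = [Environment]::ExpandEnvironmentVariables($a.Execute.Trim('"'))
        if (-not [IO.Path]::IsPathRooted($exe)) {
            $cmd = Get-Command $exe -ErrorAction SilentlyContinue
            if ($cmd) { $exe = $cmd.Source }
        }
        if (-not (Test-Path -LiteralPath $exe)) { continue }
        foreach ($ace in (Get-Acl -LiteralPath $exe).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($lowPriv -notcontains $ace.IdentityReference.Value) { continue }
            if ($ace.FileSystemRights.ToString() -match $writable) {
                [pscustomobject]@{
                    Task     = $task.TaskPath + $task.TaskName
                    RunsAs   = $task.Principal.UserId
                    RunLevel = $task.Principal.RunLevel
                    Binary   = $exe
                    Weakness = "$($ace.IdentityReference) : $($ace.FileSystemRights)"
                }
            }
        }
    }
} | Format-Table -AutoSize
```

Any row in the last table is a local privilege-escalation path: a user holding the listed right can replace the binary and wait for the task to run it as SYSTEM. The same check is worth repeating on the binary's directory, since a writable directory allows DLL planting beside an otherwise protected executable.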

Threat Groups (54)

| ID | Group | Context |
|----|-------|---------|
| G0022 | APT3 | An [APT3](https://attack.mitre.org/groups/G0022) downloader creates persistence by creating the following scheduled task: <code>schtasks /create /tn "... |
| G0080 | Cobalt Group | [Cobalt Group](https://attack.mitre.org/groups/G0080) has created Windows tasks to establish persistence.(Citation: Group IB Cobalt Aug 2017) |
| G0091 | Silence | [Silence](https://attack.mitre.org/groups/G0091) has used scheduled tasks to stage its operation.(Citation: Cyber Forensicator Silence Jan 2019) |
| G0114 | Chimera | [Chimera](https://attack.mitre.org/groups/G0114) has used scheduled tasks to invoke Cobalt Strike including through batch script <code>schtasks /creat... |
| G0040 | Patchwork | A [Patchwork](https://attack.mitre.org/groups/G0040) file stealer can run a TaskScheduler DLL to add persistence.(Citation: TrendMicro Patchwork Dec 2... |
| G1034 | Daggerfly | [Daggerfly](https://attack.mitre.org/groups/G1034) has attempted to use scheduled tasks for persistence in victim environments.(Citation: ESET Evasive... |
| G0046 | FIN7 | [FIN7](https://attack.mitre.org/groups/G0046) malware has created scheduled tasks to establish persistence.(Citation: FireEye FIN7 April 2017)(Citatio... |
| G1018 | TA2541 | [TA2541](https://attack.mitre.org/groups/G1018) has used scheduled tasks to establish persistence for installed tools.(Citation: Proofpoint TA2541 Feb... |
| G0093 | GALLIUM | [GALLIUM](https://attack.mitre.org/groups/G0093) established persistence for [PoisonIvy](https://attack.mitre.org/software/S0012) by creating a schedul... |
| G0034 | Sandworm Team | [Sandworm Team](https://attack.mitre.org/groups/G0034) leveraged SHARPIVORY, a .NET dropper that writes embedded payload to disk and uses scheduled ta... |
| G1043 | BlackByte | [BlackByte](https://attack.mitre.org/groups/G1043) created scheduled tasks for payload execution.(Citation: FBI BlackByte 2022)(Citation: Picus BlackB... |
| G1001 | HEXANE | [HEXANE](https://attack.mitre.org/groups/G1001) has used a scheduled task to establish persistence for a keylogger.(Citation: Kaspersky Lyceum October... |
| G0129 | Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129) has created a scheduled task to execute additional malicious software, as well as maintain pers... |
| G0059 | Magic Hound | [Magic Hound](https://attack.mitre.org/groups/G0059) has used scheduled tasks to establish persistence and execution.(Citation: DFIR Report APT35 Prox... |
| G1016 | FIN13 | [FIN13](https://attack.mitre.org/groups/G1016) has created scheduled tasks in the `C:\Windows` directory of the compromised network.(Citation: Mandian... |
| G1022 | ToddyCat | [ToddyCat](https://attack.mitre.org/groups/G1022) has used scheduled tasks to execute discovery commands and scripts for collection.(Citation: Kaspers... |
| G0108 | Blue Mockingbird | [Blue Mockingbird](https://attack.mitre.org/groups/G0108) has used Windows Scheduled Tasks to establish persistence on local and remote hosts.(Citatio... |
| G0021 | Molerats | [Molerats](https://attack.mitre.org/groups/G0021) has created scheduled tasks to persistently run VBScripts.(Citation: Unit42 Molerat Mar 2020) |
| G1053 | Storm-0501 | [Storm-0501](https://attack.mitre.org/groups/G1053) has used a scheduled task named "SysUpdate" that was registered via GPO on devices in the network ... |
| G0016 | APT29 | [APT29](https://attack.mitre.org/groups/G0016) has used named and hijacked scheduled tasks to establish persistence.(Citation: Mandiant No Easy Breach... |

Associated Software (124)

| ID | Name | Type | Context |
|----|------|------|---------|
| S0588 | GoldMax | Malware | [GoldMax](https://attack.mitre.org/software/S0588) has used scheduled tasks to maintain persistence.(Citation: MSTIC NOBELIUM Mar 2021) |
| S9001 | SystemBC | Malware | [SystemBC](https://attack.mitre.org/software/S9001) has executed a copy of itself as a scheduled task with the `start` command. The copy of [SystemBC]... |
| S0648 | JSS Loader | Malware | [JSS Loader](https://attack.mitre.org/software/S0648) has the ability to launch scheduled tasks to establish persistence.(Citation: CrowdStrike Carbon... |
| S0414 | BabyShark | Malware | [BabyShark](https://attack.mitre.org/software/S0414) has used scheduled tasks to maintain persistence.(Citation: Crowdstrike GTR2020 Mar 2020) |
| S1014 | DanBot | Malware | [DanBot](https://attack.mitre.org/software/S1014) can use a scheduled task for installation.(Citation: SecureWorks August 2019) |
| S0170 | Helminth | Malware | [Helminth](https://attack.mitre.org/software/S0170) has used a scheduled task for persistence.(Citation: ClearSky OilRig Jan 2017) |
| S1015 | Milan | Malware | [Milan](https://attack.mitre.org/software/S1015) can establish persistence on a targeted host with scheduled tasks.(Citation: ClearSky Siamesekitten A... |
| S0697 | HermeticWiper | Malware | [HermeticWiper](https://attack.mitre.org/software/S0697) has the ability to use scheduled tasks for execution.(Citation: Symantec Ukraine Wipers Febru... |
| S1166 | Solar | Malware | [Solar](https://attack.mitre.org/software/S1166) can create scheduled tasks named Earth and Venus, which run every 30 and 40 seconds respectively, to ... |
| S0266 | TrickBot | Malware | [TrickBot](https://attack.mitre.org/software/S0266) creates a scheduled task on the system that provides persistence.(Citation: S2 Grupo TrickBot June... |
| S0335 | Carbon | Malware | [Carbon](https://attack.mitre.org/software/S0335) creates several tasks for later execution to continue persistence on the victim's machine.(Citation:... |
| S0126 | ComRAT | Malware | [ComRAT](https://attack.mitre.org/software/S0126) has used a scheduled task to launch its PowerShell loader.(Citation: ESET ComRAT May 2020)(Citation:... |
| S0044 | JHUHUGIT | Malware | [JHUHUGIT](https://attack.mitre.org/software/S0044) has registered itself as a scheduled task to run each time the current user logs in.(Citation: ESE... |
| S9023 | HiddenFace | Malware | [HiddenFace](https://attack.mitre.org/software/S9023) has used scheduled tasks for execution and persistence.(Citation: ESET HiddenFace 2024)(Citation... |
| S1199 | LockBit 2.0 | Malware | [LockBit 2.0](https://attack.mitre.org/software/S1199) can be executed via scheduled task.(Citation: Palo Alto Lockbit 2.0 JUN 2022) |
| S0248 | yty | Malware | [yty](https://attack.mitre.org/software/S0248) establishes persistence by creating a scheduled task with the command <code>SchTasks /Create /SC DAILY ... |
| S0589 | Sibot | Malware | [Sibot](https://attack.mitre.org/software/S0589) has been executed via a scheduled task.(Citation: MSTIC NOBELIUM Mar 2021) |
| S0504 | Anchor | Malware | [Anchor](https://attack.mitre.org/software/S0504) can create a scheduled task for persistence.(Citation: Cyberreason Anchor December 2019) |
| S0632 | GrimAgent | Malware | [GrimAgent](https://attack.mitre.org/software/S0632) has the ability to set persistence using the Task Scheduler.(Citation: Group IB GrimAgent July 20... |
| S1064 | SVCReady | Malware | [SVCReady](https://attack.mitre.org/software/S1064) can create a scheduled task named `RecoveryExTask` to gain persistence.(Citation: HP SVCReady Jun ... |

Frequently Asked Questions

What is T1053.005 (Scheduled Task)?

T1053.005 is a MITRE ATT&CK sub-technique of T1053 (Scheduled Task/Job) named 'Scheduled Task'. It belongs to the Execution, Persistence and Privilege Escalation tactics: adversaries abuse the Windows Task Scheduler for initial or recurring execution of malicious code, reaching it through schtasks, the Task Scheduler GUI, a .NET wrapper, the netapi32 library or WMI, as described above.

How can T1053.005 be detected?

Detection of T1053.005 (Scheduled Task) rests on the artifacts every registration path leaves behind: a Security log event 4698 (scheduled task created, which requires the "Audit Other Object Access Events" subcategory to be enabled and carries the full task XML), event 106 in the Microsoft-Windows-TaskScheduler/Operational log, a new file under C:\Windows\System32\Tasks, and writes beneath the TaskCache registry key. Process-creation and command-line telemetry catches schtasks.exe and PowerShell invocations (Register-ScheduledTask, Invoke-CimMethod against PS_ScheduledTask); tasks created over WMI or netapi32 from a remote host show up in the same events but without a local schtasks.exe process, so the task-creation events should be alerted on directly rather than only the command line. Tasks that run as SYSTEM, point at user-writable or unusual paths, or were registered by a non-administrative account deserve priority. Because an adversary can hide a task from schtasks /query by deleting its SD registry value, periodically compare the TaskCache\Tree entries against the scheduler's own listing and flag any entry missing its SD value.

What mitigations exist for T1053.005?

There are 4 documented mitigations for T1053.005. Key mitigations include: Privileged Account Management, User Account Management, Audit, Operating System Configuration.

Which threat groups use T1053.005?

Known threat groups using T1053.005 include: APT3, Cobalt Group, Silence, Chimera, Patchwork, Daggerfly, FIN7, TA2541.