T1053: Scheduled Task/Job

Description

Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)

Adversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges). Similar to System Binary Proxy Execution, adversaries have also abused task scheduling to potentially mask one-time execution under a trusted system process.(Citation: ProofPoint Serpent)

Platforms

ContainersESXiLinuxmacOSNetwork DevicesWindows

Sub-Techniques (5)

T1053.002

Container Orchestration Job

Mitigations (5)

User Account ManagementM1018

Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create scheduled tasks on remote systems.

Operating System ConfigurationM1028

Configure settings for scheduled tasks to force tasks to run under the context of the authenticated account instead of allowing them to run as SYSTEM. The associated Registry key is located at HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SubmitControl. The setting can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies >

Restrict File and Directory PermissionsM1022

Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.

Privileged Account ManagementM1026

Configure the Increase Scheduling Priority option to only allow the Administrators group the rights to schedule a priority process. This can be can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Increase scheduling priority. (Citation: TechNet Scheduling Priority)

AuditM1047

Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for permission weaknesses in scheduled tasks that could be used to escalate privileges. (Citation: Powersploit)

Associated Software (1)

ID	Name	Type	Context
S0447	Lokibot	Malware	[Lokibot](https://attack.mitre.org/software/S0447)'s second stage DLL has set a timer using “timeSetEvent” to schedule its next execution.(Citation: T...

References

Frequently Asked Questions

What is T1053 (Scheduled Task/Job)?

T1053 is a MITRE ATT&CK technique named 'Scheduled Task/Job'. It belongs to the Execution, Persistence, Privilege Escalation tactic(s). Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts t...

How can T1053 be detected?

Detection of T1053 (Scheduled Task/Job) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.

What mitigations exist for T1053?

There are 5 documented mitigations for T1053. Key mitigations include: User Account Management, Operating System Configuration, Restrict File and Directory Permissions, Privileged Account Management, Audit.

Which threat groups use T1053?

While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.