T1053.005 - Scheduled Task
Sub-technique
Tattiche:
Execution Persistence Privilege Escalation
Execution Persistence Privilege Escalation
Piattaforme:
Windows
Windows
Rilevamento:
Not specified
Not specified
Description:
Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The [schtasks](https://attack.mitre.org/software/S0111) utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel.(Citation: Stack Overflow) In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) (WMI) to create a scheduled task. Adversaries may also utilize the Powershell Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to create a scheduled task via an XML path.(Citation: Red Canary - Atomic Red Team)
An adversary may use Windows Task Scheduler to execute programs at system startup or on a scheduled basis for persistence. The Windows Task Scheduler can also be abused to conduct remote Execution as part of Lateral Movement and/or to run a process under the context of a specified account (such as SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218), adversaries have also abused the Windows Task Scheduler to potentially mask one-time execution under signed/trusted system processes.(Citation: ProofPoint Serpent)
Adversaries may also create "hidden" scheduled tasks (i.e. [Hide Artifacts](https://attack.mitre.org/techniques/T1564)) that may not be visible to defender tools and manual queries used to enumerate tasks. Specifically, an adversary may hide a task from `schtasks /query` and the Task Scheduler by deleting the associated Security Descriptor (SD) registry value (where deletion of this value must be completed using SYSTEM permissions).(Citation: SigmaHQ)(Citation: Tarrask scheduled task) Adversaries may also employ alternate methods to hide tasks, such as altering the metadata (e.g., `Index` value) within associated registry keys.(Citation: Defending Against Scheduled Task Attacks in Windows Environments)
An adversary may use Windows Task Scheduler to execute programs at system startup or on a scheduled basis for persistence. The Windows Task Scheduler can also be abused to conduct remote Execution as part of Lateral Movement and/or to run a process under the context of a specified account (such as SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218), adversaries have also abused the Windows Task Scheduler to potentially mask one-time execution under signed/trusted system processes.(Citation: ProofPoint Serpent)
Adversaries may also create "hidden" scheduled tasks (i.e. [Hide Artifacts](https://attack.mitre.org/techniques/T1564)) that may not be visible to defender tools and manual queries used to enumerate tasks. Specifically, an adversary may hide a task from `schtasks /query` and the Task Scheduler by deleting the associated Security Descriptor (SD) registry value (where deletion of this value must be completed using SYSTEM permissions).(Citation: SigmaHQ)(Citation: Tarrask scheduled task) Adversaries may also employ alternate methods to hide tasks, such as altering the metadata (e.g., `Index` value) within associated registry keys.(Citation: Defending Against Scheduled Task Attacks in Windows Environments)
Usato da Attori (20)
APT3
Nation-state
Nation-state
Naikon
Nation-state
Nation-state
APT33
Nation-state
Nation-state
APT29
Nation-state
Nation-state
FIN7
Criminal
Criminal
Lazarus Group
Nation-state
Nation-state
Stealth Falcon
Nation-state
Nation-state
FIN6
Unknown
Unknown
OilRig
Nation-state
Nation-state
Molerats
Nation-state
Nation-state
Gamaredon Group
Unknown
Unknown
APT32
Nation-state
Nation-state
FIN8
Unknown
Unknown
Kimsuky
Nation-state
Nation-state
MuddyWater
Nation-state
Nation-state
APT37
Nation-state
Nation-state
RANCOR
Nation-state
Nation-state
MUSTANG PANDA
Nation-state
Nation-state
WIZARD SPIDER
Nation-state
Nation-state
APT39
Unknown
Unknown
Malware (20)
TrickBot other
Bumblebee other
GRIFFON other
yty other
Stuxnet other
POWRUNER other
SharpStage other
Smoke Loader other
Matryoshka other
GravityRAT other
Prestige other
SharpDisco other
TONESHELL other
RainyDay other
NETWIRE other
Bad Rabbit other
CosmicDuke other
IMAPLoader other
Emotet other
Tomiris other
Metadata
| MITRE ID: | T1053.005 |
| STIX ID: | attack-pattern--005a06c6-14bf-... |
| Piattaforme: | Windows |
| Created: | 13/01/2026 17:48 |
| Updated: | 06/03/2026 16:00 |