Scheduled Task Persistence
What is Scheduled Task Persistence?
Scheduled Task Persistence: Persistence and execution technique in which an attacker creates or modifies a Windows scheduled task to run their payload on a trigger such as logon, boot, or a timer.
Scheduled task persistence (MITRE ATT&CK T1053.005) abuses the Windows Task Scheduler. Attackers register tasks with schtasks.exe, through the ITaskService COM interface, or by dropping task XML directly into %SystemRoot%\System32\Tasks; the registered tasks run at boot, at logon, when a user is idle, on a calendar schedule, or in response to events. A task that runs as SYSTEM, NETWORK SERVICE, or a privileged service account provides privilege as well as persistence. Newer variants hide tasks by deleting the task's SD (security descriptor) value or by registering the task with an empty principal, so the task no longer appears in the Task Scheduler GUI and detection has to look elsewhere. Defences: monitor Security events 4698 (task created) and 4702 (task updated), watch Sysmon event 1 for schtasks.exe being spawned, baseline the tasks expected on each host, and restrict the user rights needed to create tasks.
● Examples
- 01: An hourly task named "GoogleUpdaterTaskUser" that runs an unsigned binary in %APPDATA%.
- 02: A task with a logon trigger configured to execute a PowerShell loader under SYSTEM.
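The detection side of the description and the two examples above, as an added example that is not code from the original page: it parses the TaskContent XML carried by a Security event 4698 record and flags the patterns discussed (payload in a user-writable directory, SYSTEM principal on a logon or boot trigger, a script host launched with encoded or hidden arguments, and a task registered with no principal at all). The event records and task definitions are constructed samples, and `build_4698` only produces a minimal record for the demonstration, not a faithful copy of a real event.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
USER_WRITABLE = ("%appdata%", "%localappdata%", "%temp%", "%public%", "\\users\\")
SCRIPT_HOSTS = ("powershell", "pwsh", "cmd.exe", "wscript", "cscript", "mshta")

def build_4698(task_name, task_xml):
    # Constructed minimal 4698 record for the demo; real ones carry more EventData fields.
    return (f'<Event xmlns="{EVT_NS["e"]}"><System><EventID>4698</EventID></System>'
            f'<EventData><Data Name="TaskName">{escape(task_name)}</Data>'
            f'<Data Name="TaskContent">{escape(task_xml)}</Data></EventData></Event>')

def parse_4698(event_xml):
    # Returns (TaskName, TaskContent); assumes the record is a 4698 event exported as XML.
    root = ET.fromstring(event_xml)
    data = {d.get("Name"): d.text or "" for d in root.findall("e:EventData/e:Data", EVT_NS)}
    return data["TaskName"], data["TaskContent"]

def triage_task(task_name, task_xml):
    # Returns the reasons a task definition looks suspicious; [] means nothing was flagged.
    root, reasons = ET.fromstring(task_xml), []
    user_ids = [p.findtext("t:UserId", "", TASK_NS)
                for p in root.findall("t:Principals/t:Principal", TASK_NS)]
    if not any(user_ids):  # no principal at all: hidden-task style registration
        reasons.append(f"{task_name}: no principal/UserId")
    triggers = {t.tag.rsplit("}", 1)[-1] for t in root.findall("t:Triggers/*", TASK_NS)}
    if "S-1-5-18" in user_ids and triggers & {"LogonTrigger", "BootTrigger"}:
        reasons.append(f"{task_name}: runs as SYSTEM on a logon/boot trigger")
    for exe in root.findall("t:Actions/t:Exec", TASK_NS):
        cmd = exe.findtext("t:Command", "", TASK_NS)
        low = f"{cmd} {exe.findtext('t:Arguments', '', TASK_NS)}".lower()
        if any(p in low for p in USER_WRITABLE):  # payload dropped where any user can write
            reasons.append(f"{task_name}: action runs from user-writable path {cmd}")
        if any(h in low for h in SCRIPT_HOSTS) and ("-enc" in low or "hidden" in low):
            reasons.append(f"{task_name}: script host with encoded/hidden arguments")
    return reasons

HOURLY_APPDATA = (f'<Task xmlns="{TASK_NS["t"]}"><Triggers><TimeTrigger><Repetition><Interval>'
    'PT1H</Interval></Repetition></TimeTrigger></Triggers><Principals><Principal><UserId>'
    'S-1-5-21-1-2-3-1001</UserId></Principal></Principals><Actions><Exec><Command>'
    '%APPDATA%\\GoogleUpdate\\gupdate.exe</Command></Exec></Actions></Task>')
LOGON_SYSTEM = (f'<Task xmlns="{TASK_NS["t"]}"><Triggers><LogonTrigger/></Triggers><Principals>'
    '<Principal><UserId>S-1-5-18</UserId></Principal></Principals><Actions><Exec><Command>'
    'powershell.exe</Command><Arguments>-WindowStyle Hidden -enc AAAA</Arguments></Exec></Actions></Task>')

if __name__ == "__main__":  # triage the two constructed samples (Examples 01 and 02 above)
    for name, xml in (("\\GoogleUpdaterTaskUser", HOURLY_APPDATA), ("\\Maint", LOGON_SYSTEM)):
        print(triage_task(*parse_4698(build_4698(name, xml))))
```

The heuristics are deliberately simple string checks; in practice they belong behind a per-host baseline of known tasks so that legitimate updaters are not reported every run.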
● Frequently asked questions
What is Scheduled Task Persistence?
Persistence and execution technique in which an attacker creates or modifies a Windows scheduled task to run their payload on a trigger such as logon, boot, or a timer. It belongs to the Attacks & Threats category of cybersecurity.
What does Scheduled Task Persistence mean?
Persistence and execution technique in which an attacker creates or modifies a Windows scheduled task to run their payload on a trigger such as logon, boot, or a timer.
How does Scheduled Task Persistence work?
Scheduled task persistence (MITRE ATT&CK T1053.005) abuses the Windows Task Scheduler. Attackers register tasks with schtasks.exe, through the ITaskService COM interface, or by dropping task XML directly into %SystemRoot%\System32\Tasks; the registered tasks run at boot, at logon, when a user is idle, on a calendar schedule, or in response to events. A task that runs as SYSTEM, NETWORK SERVICE, or a privileged service account provides privilege as well as persistence. Newer variants hide tasks by deleting the task's SD (security descriptor) value or by registering the task with an empty principal, so the task no longer appears in the Task Scheduler GUI and detection has to look elsewhere. Defences: monitor Security events 4698 (task created) and 4702 (task updated), watch Sysmon event 1 for schtasks.exe being spawned, baseline the tasks expected on each host, and restrict the user rights needed to create tasks.
How do you defend against Scheduled Task Persistence?
Defences for Scheduled Task Persistence combine technical controls and operational practices: monitor Security events 4698 (task created) and 4702 (task updated), watch Sysmon event 1 for schtasks.exe being spawned, baseline the tasks expected on each host so new or changed ones stand out, and restrict the user rights needed to create tasks.
What are other names for Scheduled Task Persistence?
Common alternative names include: Schtasks persistence, Task Scheduler abuse.
● Related terms
- WMI Event Subscription Persistence (attacks № 1246)
Persistence technique that registers a permanent WMI event filter and consumer so attacker code runs whenever a chosen system event occurs.
- Registry Run Key Persistence (attacks № 914)
Classic Windows persistence technique that adds an entry under a Run or RunOnce registry key so a binary or script executes every time a user logs on.
- COM Hijacking (attacks № 200)
A persistence technique that redirects a Windows Component Object Model CLSID lookup to attacker code, executing it whenever a host process instantiates that object.
- IFEO Injection (attacks № 515)
A persistence and privilege-escalation technique that abuses the Windows Image File Execution Options registry key to run attacker code whenever a target executable launches.
- Cron Persistence (attacks № 238)
Linux and Unix persistence technique that uses cron, anacron, or systemd timers to schedule attacker code so it re-executes at a chosen interval or system event.
- launchd Persistence (attacks № 608)
macOS persistence technique that installs a LaunchDaemon or LaunchAgent property list so launchd executes attacker code at boot, login, or on a trigger.