analyst @ nohacky :~/mitre $
cat / mitre / t1053
analyst@nohacky:~/mitre/t1053-scheduled-task-job.html
reading mode 17 min read
technique_id T1053
category MITRE ATT&CK
tactics
Execution Persistence Privilege Escalation
published March 2026

T1053: Scheduled Task/Job

Adversaries abuse task scheduling utilities built into every major operating system to execute malicious code on a defined schedule, at system startup, or in response to specific events. The task runs automatically, survives reboots, and can execute under privileged accounts the attacker does not directly control. It is one of the oldest persistence mechanisms in existence — and still among the most effective.

Every operating system provides a way to schedule work. Windows has Task Scheduler. Linux and macOS have cron. Modern Linux distributions add systemd timers. Container orchestration platforms like Kubernetes have CronJobs. These utilities exist so administrators can automate maintenance tasks, backups, and system health checks. Adversaries use the same mechanisms to ensure their payloads execute reliably — without requiring them to be present on the system and without needing the user to take any action.

T1053 spans three tactics in the ATT&CK matrix: Execution, Persistence, and Privilege Escalation. A single scheduled task can serve all three purposes simultaneously. It executes the payload (Execution), it survives reboots and user logoffs (Persistence), and if configured to run as SYSTEM or another privileged account, it elevates the attacker's privileges beyond what their initial access provided (Privilege Escalation). The technique appears consistently in threat intelligence reporting. Picus Security research has ranked Scheduled Task/Job among the ten most prevalent ATT&CK techniques observed across malware samples, and it features in the documented toolkits of ransomware operators, state-sponsored groups, and commodity malware alike.

How Scheduled Task Abuse Works

The basic pattern is straightforward. After gaining access to a system, the adversary creates a new scheduled task (or modifies an existing one) that points to their malicious payload. The payload might be a binary dropped to disk, a script stored in a temporary directory, or a command that downloads and executes a remote payload each time it runs. The task is configured with a trigger — a time interval, a system event like user logon, or a specific date — and optionally configured to run under a different user context.

On Windows, the primary tool is schtasks.exe, which can create, modify, query, and delete tasks from the command line. The older at.exe utility is still present on many systems. Tasks can also be created through the Task Scheduler COM API, through direct registry manipulation, or through PowerShell cmdlets like Register-ScheduledTask. Each method leaves a slightly different forensic footprint, and sophisticated attackers choose their method based on which is least likely to trigger detection in the target environment.

On Linux and macOS, adversaries write entries to crontab files, drop scripts into /etc/cron.d/, /etc/cron.daily/, or user-specific crontab locations. Systemd timers offer an alternative that integrates with the init system and provides more granular scheduling options. On macOS specifically, launchd manages both agents (user context) and daemons (system context) through property list (plist) files, giving attackers persistent execution at either privilege level.

What makes this technique particularly resilient is that scheduled tasks are expected to exist on every system. Administrators create them routinely. Security tools cannot simply alert on every task creation without generating overwhelming false positives. The attacker's task hides among legitimate ones — especially when they use names that mimic real Windows services or system processes.

Sub-Techniques

MITRE breaks T1053 into five sub-techniques, each targeting a different scheduling mechanism:

T1053.002 — At

The at command schedules one-time execution of a command at a specified time. On Windows, at.exe requires the Task Scheduler service to be running and the user to be a local administrator. On Linux and other Unix-like systems, the at utility provides similar one-time scheduling. While at is considered deprecated on modern Windows in favor of schtasks, it remains available on many systems and has been used by threat groups for lateral movement — creating tasks on remote systems via at \\target to execute payloads after moving laterally with compromised credentials.

T1053.003 — Cron

Cron is the standard job scheduler on Unix-like systems. Crontab entries define commands to run at specified intervals — every minute, every hour, daily, weekly, or on custom schedules. Adversaries add malicious entries to system-wide crontabs (/etc/crontab, files in /etc/cron.d/) or user crontabs (crontab -e) to maintain persistence. The Ngrok mining botnet, for example, used cron jobs to periodically re-download its cryptocurrency mining payload, ensuring persistence even if the binary was deleted. Cron entries are particularly effective because they execute silently in the background with no visible indication to the user.

T1053.005 — Scheduled Task

This sub-technique covers the Windows Task Scheduler, the primary scheduling mechanism on modern Windows systems. Tasks can be triggered by time, by event (such as user logon or system startup), or at specified intervals. They can run under any account context, including SYSTEM, and can be configured to run whether or not the user is logged in. Adversaries create tasks using schtasks /create, the Task Scheduler GUI, COM APIs, or by directly writing XML task definitions to C:\Windows\System32\Tasks\. Tasks can also be created on remote systems using schtasks /create /s \\target with appropriate credentials, enabling lateral movement.

warning

Adversaries can hide scheduled tasks by deleting the Security Descriptor (SD) registry value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\[TaskName]. This makes the task invisible to schtasks /query and the Task Scheduler GUI while the task continues to execute on schedule. Microsoft documented this technique as used by the Hafnium group. Qualys researchers have identified additional hiding methods involving deletion or modification of the Index value in the same registry path.

T1053.006 — Systemd Timers

Systemd timers are the modern alternative to cron on Linux distributions that use systemd as their init system (which includes the majority of current enterprise distributions). Timers consist of two unit files: a .timer file that defines the schedule and a .service file that defines the command to execute. Timers support both calendar-based scheduling (like cron) and monotonic scheduling (e.g., "10 minutes after boot"). Adversaries create malicious timer units in /etc/systemd/system/ or user-level directories, then enable them with systemctl enable. Because systemd timers integrate with the init system, they start automatically on boot and are managed through the same tooling administrators use for legitimate services.

T1053.007 — Container Orchestration Job

In Kubernetes and similar container orchestration platforms, CronJob resources schedule containerized workloads on recurring schedules. An adversary with sufficient permissions to the Kubernetes API can create CronJobs that execute malicious containers — running cryptocurrency miners, exfiltrating secrets from the cluster, or maintaining a persistent foothold that survives pod restarts. Because CronJobs are a legitimate Kubernetes resource, they blend into normal cluster operations and may not be reviewed by security teams focused on traditional endpoint detection.

Real-World Case Studies

Hafnium — Hidden Scheduled Tasks in Exchange Server Attacks

In 2021, Microsoft documented how the Chinese state-sponsored group Hafnium used scheduled tasks as a persistence mechanism during its mass exploitation of Exchange Server vulnerabilities (ProxyLogon). After compromising Exchange servers, Hafnium created scheduled tasks to execute web shells and maintain access. Critically, the group deleted the Security Descriptor (SD) registry value associated with each task, rendering it invisible to standard enumeration tools including schtasks /query, the Task Scheduler MMC snap-in, and PowerShell's Get-ScheduledTask. The tasks continued to execute on schedule despite being completely hidden from the operating system's own management interfaces. This technique forced defenders to examine the task cache registry hive directly to identify persistence mechanisms that had survived initial remediation efforts.

APT28 (Fancy Bear) — HATVIBE Persistence via Scheduled Tasks

In ongoing campaigns throughout 2024 and into 2025, the Russia-aligned group APT28 deployed a custom loader called HATVIBE against government entities, human rights organizations, and educational institutions across Central Asia, East Asia, and Europe. HATVIBE, a VBScript-encoded HTML application, achieved persistence through scheduled tasks configured to execute via mshta.exe — a legitimate Windows utility for running HTML applications. The scheduled task ran HATVIBE at regular intervals, which then communicated with command-and-control servers and deployed CHERRYSPY, a Python-based backdoor used for encrypted data exfiltration. By chaining a scheduled task with a living-off-the-land binary (mshta.exe), APT28 created a persistence mechanism that generated minimal suspicious indicators on its own.

APT32 (OceanLotus) — Scheduled Tasks with Regsvr32 Bypass

The Vietnam-linked group APT32 embedded scheduled task creation commands directly within malicious VBA macros in weaponized Word documents. One documented payload created a task named "SystemSoundsServices" — designed to mimic the legitimate Windows System Sounds Service — that ran Regsvr32.exe every 30 minutes. Regsvr32 was used to bypass application whitelisting by executing a COM scriptlet downloaded dynamically from attacker infrastructure. The combination of a legitimate-sounding task name, a built-in Windows binary, and a recurring 30-minute schedule created a persistent, stealthy mechanism that continually re-established command-and-control access even if the initial payload was removed.

Ransomware Operations — Scheduled Execution of Encryption Payloads

Ransomware operators routinely use scheduled tasks to coordinate the deployment and execution of encryption payloads across compromised networks. Rather than executing ransomware immediately after gaining access, operators stage the payload on multiple systems and create scheduled tasks set to trigger simultaneously — often during off-hours when incident response capacity is lowest. The Akira ransomware group, active through 2024 and 2025, has been observed using scheduled tasks alongside other persistence mechanisms during intrusions targeting Windows and ESXi infrastructure. Groups associated with the Shadow, Twelve, and DARKSTAR operations have used similar patterns, creating identically-named Windows tasks across victim environments to synchronize encryption across the domain.

Detection Strategies

Detecting malicious scheduled tasks requires monitoring task creation events, identifying suspicious task properties, and auditing for hidden or tampered tasks that evade standard enumeration.

# Detect scheduled task creation via schtasks.exe
# Flag tasks created by non-standard parent processes

index=sysmon EventCode=1 Image="*\\schtasks.exe"
  CommandLine="*/create*"
| search NOT (ParentImage="*\\cmd.exe" AND User="NT AUTHORITY\\SYSTEM"
              AND CommandLine="*Microsoft\\Windows*")
| eval suspicious=if(
    match(CommandLine, "(?i)(powershell|cmd\.exe|mshta|regsvr32|wscript|cscript|certutil|bitsadmin|rundll32)"),
    "high", "medium")
| table _time, User, CommandLine, ParentImage, suspicious, ComputerName
# Detect hidden scheduled tasks via registry SD value deletion
# Hafnium technique: removing Security Descriptor to hide tasks

index=sysmon EventCode=12 OR EventCode=13
  TargetObject="*\\Schedule\\TaskCache\\Tree\\*"
| search (EventType="DeleteValue" AND TargetObject="*\\SD")
      OR (EventType="DeleteValue" AND TargetObject="*\\Index")
| table _time, EventType, TargetObject, Image, User, ComputerName
# Detect new cron job creation on Linux systems
# Monitor writes to crontab files and cron directories

index=linux_audit (type="PATH" AND (name="*/crontab"
    OR name="*/cron.d/*" OR name="*/cron.daily/*"
    OR name="*/cron.hourly/*"))
  OR (type="SYSCALL" AND exe="*/crontab" AND key="cron_changes")
| stats count by exe, name, auid, hostname
| where count > 0
# Detect remote scheduled task creation (lateral movement)
# schtasks with /s flag targeting another host

index=sysmon EventCode=1 Image="*\\schtasks.exe"
  CommandLine="*/create*" CommandLine="*/s *"
| rex field=CommandLine "\/s\s+(?\S+)"
| where target_host != ComputerName
| table _time, User, target_host, CommandLine, ComputerName
note

Windows Event ID 4698 (Security log) records scheduled task creation with full task XML content, including the action, trigger, and execution context. Enabling this audit policy provides high-fidelity detection data. On Linux, auditd rules targeting /var/spool/cron/, /etc/crontab, and /etc/cron.d/ capture cron modifications. For Kubernetes environments, audit logging for CronJob create and update events in the API server log is essential.

Known Threat Actors

T1053 is one of the most broadly adopted techniques in the ATT&CK framework, used by state-sponsored groups, cybercriminal organizations, and commodity malware operations. The following is a partial list:

  • Hafnium (China) — Used hidden scheduled tasks for persistence during the mass exploitation of Microsoft Exchange Server vulnerabilities
  • APT28 / Fancy Bear (Russia) — Deployed the HATVIBE loader via scheduled tasks executing mshta.exe against government and educational targets across multiple regions
  • APT41 (China) — Used scheduled tasks alongside DLL hijacking for persistent access in dual-purpose espionage and financial theft operations
  • APT32 / OceanLotus (Vietnam) — Embedded scheduled task creation in macro-enabled documents to establish recurring C2 callbacks via Regsvr32
  • Sandworm / APT44 (Russia) — The Kapeka backdoor uses scheduled tasks or registry autorun keys for persistence depending on the privilege level achieved, targeting Eastern European infrastructure
  • Kimsuky (North Korea) — The TODDLERSHARK malware sets up scheduled tasks for payload delivery and persistence in campaigns targeting Korean organizations
  • Stately Taurus / Mustang Panda (China) — Used scheduled tasks to run startup scripts maintaining access to compromised government systems in Southeast Asia
  • Akira Ransomware — Creates scheduled tasks to coordinate encryption payload deployment across victim networks during off-hours

Commodity malware families that heavily rely on T1053 include Qakbot, Lokibot, DarkGate, Emotet, Agent Tesla, and Remcos RAT.

Defensive Recommendations

critical

Standard task enumeration tools will not find hidden tasks. Incident response procedures must include direct examination of the registry task cache at HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ to identify tasks that have been deliberately concealed.

  1. Enable task creation auditing: Configure Windows Security audit policy to log Event ID 4698 (task created) and 4702 (task updated). These events include the full task XML definition, providing visibility into what the task executes, under what context, and on what schedule. On Linux, deploy auditd rules monitoring crontab files and cron directories.
  2. Restrict task creation to authorized accounts: Use Group Policy to limit who can create scheduled tasks. Configure the "Domain controller: Allow server operators to schedule tasks" policy appropriately. Restrict the "Increase scheduling priority" privilege to administrators only. On Linux, restrict crontab access using /etc/cron.allow and /etc/cron.deny.
  3. Prevent tasks from running as SYSTEM unnecessarily: Configure operating system policy to require authenticated accounts for scheduled task execution rather than allowing tasks to run as SYSTEM by default. This limits the privilege escalation potential of malicious tasks.
  4. Monitor for task hiding techniques: Create detections that alert on deletion or modification of the SD and Index values within the Task Scheduler registry cache. These modifications are the primary mechanism used by advanced threat actors to conceal tasks from standard enumeration.
  5. Audit existing tasks regularly: Maintain a baseline inventory of expected scheduled tasks across the environment. Use PowerSploit or similar toolkits to audit task permissions and identify overly permissive configurations. Compare current tasks against the baseline to identify unauthorized additions.
  6. Alert on suspicious task properties: Flag tasks that execute known living-off-the-land binaries (mshta.exe, regsvr32.exe, rundll32.exe, wscript.exe, certutil.exe, powershell.exe), tasks that download remote content, tasks with obfuscated command lines, and tasks with names that closely mimic legitimate Windows services.
  7. Restrict remote task creation: Monitor and restrict the use of schtasks /create /s across the network. Remote task creation is a lateral movement technique that should generate alerts in environments where it is not a standard administrative practice.
  8. Secure Kubernetes CronJobs: Apply RBAC policies that restrict CronJob creation to authorized service accounts. Enable Kubernetes audit logging for CronJob resources. Use admission controllers to validate that CronJob specifications conform to organizational policies and do not pull images from untrusted registries.

MITRE ATT&CK Mapping

Field Value
Technique IDT1053
Technique NameScheduled Task/Job
TacticsExecution, Persistence, Privilege Escalation
PlatformsWindows, Linux, macOS, Containers, ESXi
Sub-TechniquesT1053.002 At, T1053.003 Cron, T1053.005 Scheduled Task, T1053.006 Systemd Timers, T1053.007 Container Orchestration Job
Data SourcesCommand (Execution), File (Modification), Process (Creation), Scheduled Job (Creation), Container (Creation)
Version2.4 (Last Modified October 2025)
MITRE Referenceattack.mitre.org/techniques/T1053

Sources and References

  • MITRE ATT&CK — T1053 Scheduled Task/Job: attack.mitre.org
  • Qualys Research — Mitigating Scheduled Task Attacks in Windows Systems: blog.qualys.com
  • Microsoft — Detecting Hafnium Hidden Scheduled Tasks: microsoft.com
  • Picus Security — Scheduled Task/Job: The Most Used Persistence Technique: picussecurity.com
  • CYFIRMA — APT Quarterly Highlights Q4 2024 (APT28 HATVIBE): cyfirma.com
  • Kaspersky ICS CERT — APT and Financial Attacks on Industrial Organizations Q2 2025: ics-cert.kaspersky.com
— end of briefing