T1053 · Defined · ATT&CK T1053

Scheduled Task/Job

Process Create ScheduledJob — Create a scheduled job entry that causes attacker-controlled code to execute at a specified time or interval.

Ontological Definition
Actor: Process
Action: Create
Artifact: ScheduledJob

Detect

STP 5

New scheduled job creation (activity_id = Create) with an unexpected job.cmd is technique-defining regardless of scheduler type. A baseline of known-good jobs per system enables STP 5 detection across all EDEs.

Gate on
activity_id = Create

Baseline all scheduled jobs per system and per EDE. Alert on any Create activity producing a job.cmd not in the baseline, regardless of actor.process.file.path.
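
One way to implement the baseline check described above, as an added example rather than code from this page: it gates on activity_id = Create and compares job.cmd against a per-host, per-EDE baseline, without trusting the creating tool. Field names follow the page; the `ede` key, the EDE labels, the case-folding rule, hostnames and commands are constructed assumptions.

```python
# Added example: field names follow the page; "ede" labels, hosts and commands are constructed.
import re
from collections import defaultdict

CASE_INSENSITIVE_EDES = {"windows_task_scheduler"}  # assumption: Windows cmds ignore case

def normalize_cmd(cmd, ede):
    """Collapse whitespace; fold case only where the platform ignores it."""
    cmd = re.sub(r"\s+", " ", cmd.strip())
    return cmd.casefold() if ede in CASE_INSENSITIVE_EDES else cmd

def build_baseline(known_jobs):
    """known_jobs: (hostname, ede, cmd) tuples from a trusted job inventory."""
    baseline = defaultdict(set)
    for host, ede, cmd in known_jobs:
        baseline[(host, ede)].add(normalize_cmd(cmd, ede))
    return baseline

def detect(events, baseline):
    """Return Create events whose job.cmd is missing or not baselined for that host and EDE."""
    alerts = []
    for ev in events:
        if ev.get("activity_id") != "Create":  # the page's gate
            continue
        host, ede = ev.get("device", {}).get("hostname", ""), ev.get("ede", "")
        job = ev.get("job", {})
        cmd = job.get("cmd")
        if cmd is None or normalize_cmd(cmd, ede) not in baseline.get((host, ede), set()):
            creator = ev.get("actor", {}).get("process", {}).get("file", {}).get("path")
            alerts.append({"host": host, "ede": ede, "job_name": job.get("name"),
                           "job_cmd": cmd, "creator": creator})  # creator is context only
    return alerts

def make_event(activity, ede, host, creator, name, cmd):
    """Build a constructed event carrying the fields the page names."""
    return {"activity_id": activity, "ede": ede, "device": {"hostname": host},
            "actor": {"process": {"file": {"path": creator}}}, "job": {"name": name, "cmd": cmd}}

KNOWN_JOBS = [("web01", "unix_job_scheduler", "/usr/local/bin/rotate-logs.sh"),
              ("ws-17", "windows_task_scheduler", r"C:\Tools\Inventory.exe /quiet")]
EVENTS = [  # constructed sample events
    make_event("Create", "windows_task_scheduler", "ws-17",
               r"C:\Windows\System32\schtasks.exe", "Inventory", r"c:\tools\inventory.exe  /quiet"),
    make_event("Create", "unix_job_scheduler", "web01", "/usr/bin/crontab", "sync", "/tmp/.cache/sync.sh"),
    make_event("Create", "unix_job_scheduler", "db02", "/usr/bin/crontab", "rotate", "/usr/local/bin/rotate-logs.sh"),
    make_event("Update", "unix_job_scheduler", "web01", "/usr/bin/crontab", "rotate", "/opt/other.sh"),
]
if __name__ == "__main__":
    print(detect(EVENTS, build_baseline(KNOWN_JOBS)))
```

The third sample event alerts even though its command is baselined on another host, because the baseline is keyed per system and per EDE; the Update event is ignored by the Create gate.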

Mitigate

STP 3

Restricting scheduled job creation to privileged accounts reduces the attacker population that can use the technique but does not prevent it for an attacker who already holds sufficient privilege.

No STP 5 mitigation exists. Detection is the primary defensive lever.

Enforce least-privilege: only specific service accounts should be permitted to create scheduled jobs. Audit all existing scheduled jobs against a known-good baseline regularly.

Respond

Created

A new artifact was created and may persist beyond this session. Delete it immediately. Check for related persistence entries, scheduled tasks, and outbound callbacks originating from it.

Attacker foothold
Scheduling Process: actor.process
Running Account: actor.user
Scheduled Job: job

D3FEND response actions
d3f:ProcessTermination, d3f:AccountLocking, d3f:FileEviction, d3f:NetworkIsolation

OCSF event model

Event class: Scheduled Job Activity (1006)  ·  activity_id: Create

Legend: attacker-controlled, post-success, victim, tainted
%%{init: {"theme": "dark", "themeVariables": {"edgeLabelBackground": "#18181b", "lineColor": "#52525b"}}}%%
graph TD
  classDef attacker fill:#7c2d12,stroke:#ea580c,color:#fed7aa
  classDef victim fill:#1e3a5f,stroke:#3b82f6,color:#bfdbfe
  classDef postSuccess fill:#78350f,stroke:#d97706,color:#fde68a
  classDef tainted fill:#18181b,stroke:#52525b,color:#a1a1aa

  EVENT(["Scheduled Job Activity\n· Create"])

  actor_process["Scheduling Process\nactor.process\nd3f:Process"]:::attacker
  actor_user["Running Account\nactor.user\nd3f:UserAccount"]:::attacker
  sched_job["Scheduled Job\njob\nd3f:ScheduledJob"]:::attacker
  device["Host\ndevice\nd3f:Host\n⚠ tainted"]:::tainted

  EVENT --> actor_process
  actor_process --> actor_user
  EVENT --> sched_job
  EVENT --> device

  actor_process -.->|"creates"| sched_job

Scheduling Process
actor.process · d3f:Process
attacker-controlled
actor.process.file.path (attacker_controlled): Tool used to create the job (schtasks.exe, crontab, etc.) — Execution Medium, attacker-chosen
Countermeasures: d3f:ProcessTermination

Running Account
actor.user · d3f:UserAccount
attacker-controlled
Countermeasures: d3f:AccountLocking

Scheduled Job
job · d3f:ScheduledJob
attacker-controlled
job.cmd (attacker_controlled): Command or payload to be executed — attacker-controlled artifact content
job.name (attacker_controlled): Identifier of the scheduled job — attacker-chosen
job.schedule (attacker_controlled): When the job executes — attacker-chosen persistence trigger
Countermeasures: d3f:FileEviction

Host
device · d3f:Host
tainted
Countermeasures: d3f:NetworkIsolation

Definitional Sigma rule

Broad by design — defines the technique, not an operational alert. Gate on variable or attacker-controlled field conditions to narrow for production use.

title: Scheduled Task/Job (T1053)
status: experimental
description: >
  Definitional rule — broad by design. Defines the technique independent of
  medium, tool, or attacker-controlled variables. Narrow with variable and
  attacker-controlled field conditions for operational use.
logsource:
  product: ocsf
  category: Scheduled Job Activity (1006)
detection:
  selection:
    activity_id: 'Create'
  condition: selection
Environment-dependent entities

Generate org-specific sub-techniques using T1053.<platform>

Windows Task Scheduler

Native Windows scheduled task facility

Task Scheduler (schtasks.exe), COM API, Group Policy scheduled tasks

Unix Job Scheduler

Unix/Linux scheduled execution facilities

cron, at, systemd timers, anacron

Cloud Scheduler

Cloud-native scheduled execution services

AWS EventBridge Scheduler, GCP Cloud Scheduler, Azure Logic Apps (scheduled), GitHub Actions scheduled workflows

Container Orchestrator

Container-level scheduled workloads

Kubernetes CronJob, Nomad periodic jobs

Seen in the wild (2 reports)

GammaLoad persists via a scheduled task that executes an AES-encrypted payload stored in an NTFS Alternate Data Stream at every logon — demonstrating cross-platform scheduler abuse.

After an initial encryptor run was blocked by Defender, affiliates pivoted to scheduled tasks as an alternative Execution Medium to re-trigger the ransomware payload.