MITRE ATT&CK Technique
Description
Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The [schtasks](https://attack.mitre.org/software/S0111) utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel.(Citation: Stack Overflow) In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) (WMI) to create a scheduled task. Adversaries may also utilize the Powershell Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to create a scheduled task via an XML path.(Citation: Red Canary - Atomic Red Team) An adversary may use Windows Task Scheduler to execute programs at system startup or on a scheduled basis for persistence. The Windows Task Scheduler can also be abused to conduct remote Execution as part of Lateral Movement and/or to run a process under the context of a specified account (such as SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218), adversaries have also abused the Windows Task Scheduler to potentially mask one-time execution under signed/trusted system processes.(Citation: ProofPoint Serpent) Adversaries may also create "hidden" scheduled tasks (i.e. [Hide Artifacts](https://attack.mitre.org/techniques/T1564)) that may not be visible to defender tools and manual queries used to enumerate tasks. Specifically, an adversary may hide a task from `schtasks /query` and the Task Scheduler by deleting the associated Security Descriptor (SD) registry value (where deletion of this value must be completed using SYSTEM permissions).(Citation: SigmaHQ)(Citation: Tarrask scheduled task) Adversaries may also employ alternate methods to hide tasks, such as altering the metadata (e.g., `Index` value) within associated registry keys.(Citation: Defending Against Scheduled Task Attacks in Windows Environments)
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2019-11-27T14:58:00.429Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may abuse the Windows Task Scheduler to perform '
'task scheduling for initial or recurring execution of '
'malicious code. There are multiple ways to access the Task '
'Scheduler in Windows. The '
'[schtasks](https://attack.mitre.org/software/S0111) utility '
'can be run directly on the command line, or the Task '
'Scheduler can be opened through the GUI within the '
'Administrator Tools section of the Control Panel.(Citation: '
'Stack Overflow) In some cases, adversaries have used a .NET '
'wrapper for the Windows Task Scheduler, and alternatively, '
'adversaries have used the Windows netapi32 library and '
'[Windows Management '
'Instrumentation](https://attack.mitre.org/techniques/T1047) '
'(WMI) to create a scheduled task. Adversaries may also '
'utilize the Powershell Cmdlet `Invoke-CimMethod`, which '
'leverages WMI class `PS_ScheduledTask` to create a scheduled '
'task via an XML path.(Citation: Red Canary - Atomic Red '
'Team)\n'
'\n'
'An adversary may use Windows Task Scheduler to execute '
'programs at system startup or on a scheduled basis for '
'persistence. The Windows Task Scheduler can also be abused to '
'conduct remote Execution as part of Lateral Movement and/or '
'to run a process under the context of a specified account '
'(such as SYSTEM). Similar to [System Binary Proxy '
'Execution](https://attack.mitre.org/techniques/T1218), '
'adversaries have also abused the Windows Task Scheduler to '
'potentially mask one-time execution under signed/trusted '
'system processes.(Citation: ProofPoint Serpent)\n'
'\n'
'Adversaries may also create "hidden" scheduled tasks (i.e. '
'[Hide Artifacts](https://attack.mitre.org/techniques/T1564)) '
'that may not be visible to defender tools and manual queries '
'used to enumerate tasks. Specifically, an adversary may hide '
'a task from `schtasks /query` and the Task Scheduler by '
'deleting the associated Security Descriptor (SD) registry '
'value (where deletion of this value must be completed using '
'SYSTEM permissions).(Citation: SigmaHQ)(Citation: Tarrask '
'scheduled task) Adversaries may also employ alternate methods '
'to hide tasks, such as altering the metadata (e.g., `Index` '
'value) within associated registry keys.(Citation: Defending '
'Against Scheduled Task Attacks in Windows Environments) ',
'external_references': [{'external_id': 'T1053.005',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1053/005'},
{'description': 'Campbell, B. et al. (2022, March '
'21). Serpent, No Swiping! New '
'Backdoor Targets French Entities '
'with Unique Attack Chain. Retrieved '
'April 11, 2022.',
'source_name': 'ProofPoint Serpent',
'url': 'https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain'},
{'description': 'Harshal Tupsamudre. (2022, June 20). '
'Defending Against Scheduled Tasks. '
'Retrieved July 5, 2022.',
'source_name': 'Defending Against Scheduled Task '
'Attacks in Windows Environments',
'url': 'https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments'},
{'description': 'Loobeek, L. (2017, December 8). '
'leoloobeek Status. Retrieved '
'September 12, 2024.',
'source_name': 'Twitter Leoloobeek Scheduled Task',
'url': 'https://x.com/leoloobeek/status/939248813465853953'},
{'description': 'Microsoft Threat Intelligence Team & '
'Detection and Response Team . (2022, '
'April 12). Tarrask malware uses '
'scheduled tasks for defense evasion. '
'Retrieved June 1, 2022.',
'source_name': 'Tarrask scheduled task',
'url': 'https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/'},
{'description': 'Microsoft. (2017, May 28). Audit '
'Other Object Access Events. '
'Retrieved June 27, 2019.',
'source_name': 'Microsoft Scheduled Task Events '
'Win10',
'url': 'https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events'},
{'description': 'Microsoft. (n.d.). General Task '
'Registration. Retrieved December 12, '
'2017.',
'source_name': 'TechNet Scheduled Task Events',
'url': 'https://technet.microsoft.com/library/dd315590.aspx'},
{'description': 'Red Canary - Atomic Red Team. '
'(n.d.). T1053.005 - Scheduled '
'Task/Job: Scheduled Task. Retrieved '
'June 19, 2024.',
'source_name': 'Red Canary - Atomic Red Team',
'url': 'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md'},
{'description': 'Russinovich, M. (2016, January 4). '
'Autoruns for Windows v13.51. '
'Retrieved June 6, 2016.',
'source_name': 'TechNet Autoruns',
'url': 'https://technet.microsoft.com/en-us/sysinternals/bb963902'},
{'description': 'Satyajit321. (2015, November 3). '
'Scheduled Tasks History Retention '
'settings. Retrieved December 12, '
'2017.',
'source_name': 'TechNet Forum Scheduled Task '
'Operational Setting',
'url': 'https://social.technet.microsoft.com/Forums/en-US/e5bca729-52e7-4fcb-ba12-3225c564674c/scheduled-tasks-history-retention-settings?forum=winserver8gen'},
{'description': 'Sittikorn S. (2022, April 15). '
'Removal Of SD Value to Hide Schedule '
'Task - Registry. Retrieved June 1, '
'2022.',
'source_name': 'SigmaHQ',
'url': 'https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml'},
{'description': 'Stack Overflow. (n.d.). How to find '
'the location of the Scheduled Tasks '
'folder. Retrieved June 19, 2024.',
'source_name': 'Stack Overflow',
'url': 'https://stackoverflow.com/questions/2913816/how-to-find-the-location-of-the-scheduled-tasks-folder'}],
'id': 'attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'execution'},
{'kill_chain_name': 'mitre-attack',
'phase_name': 'persistence'},
{'kill_chain_name': 'mitre-attack',
'phase_name': 'privilege-escalation'}],
'modified': '2025-10-24T17:48:19.176Z',
'name': 'Scheduled Task',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.3.0',
'x_mitre_contributors': ['Andrew Northern, @ex_raritas',
'Bryan Campbell, @bry_campbell',
'Selena Larson, @selenalarson',
'Sittikorn Sangrattanapitak',
'Zachary Abzug, @ZackDoesML'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Windows'],
'x_mitre_remote_support': False,
'x_mitre_version': '1.8'}