MITRE ATT&CK detection coverage

← Back to main site

Home/ MITRE Matrix/ Execution/ T1053.005

T1053.005Scheduled Task

T1053.005 — Scheduled Task is a MITRE ATT&CK technique in the Execution tactic. Clankerusecase tracks 53 detection use cases covering it and 21 threat-intel articles citing it.

ExecutionPersistencePrivilege Escalation

View on the matrix → Filter Detection Library MITRE official spec ↗

53Use cases

21Articles

0Sub-techniques

3Tactics

↑ Parent technique: T1053 · Scheduled Task/Job

Use cases covering this technique (53)

Scheduled task created with suspicious image / encoded args Internal install · hunting DSΣP Possible Lateral Movement PowerShell Spawn ESCU actions · hunting P Randomly Generated Scheduled Task Name ESCU actions · hunting P Scheduled Task Deleted Or Created via CMD ESCU actions · hunting P Scheduled Task Initiation on Remote Endpoint ESCU actions · alerting P Schtasks scheduling job on remote system ESCU actions · alerting P Schtasks used for forcing a reboot ESCU actions · alerting P Short Lived Scheduled Task ESCU actions · alerting P Suspicious Scheduled Task from Public Directory ESCU actions · hunting P Svchost LOLBAS Execution Process Spawn ESCU actions · alerting P Windows Compatibility Telemetry Suspicious Child Process ESCU actions · alerting P Windows Compatibility Telemetry Tampering Through Registry ESCU actions · alerting P Windows Enable Win32 ScheduledJob via Registry ESCU actions · hunting P Windows PowerShell ScheduleTask ESCU actions · hunting P Windows Registry Delete Task SD ESCU actions · hunting P Windows Scheduled Task Created in a Group Policy Object ESCU actions · alerting P Windows Scheduled Task Created Via XML ESCU actions · hunting P Windows Scheduled Task Service Spawned Shell ESCU actions · alerting P Windows Scheduled Task with Highest Privileges ESCU actions · alerting P Windows Scheduled Task with Suspicious Command ESCU actions · alerting P Windows Scheduled Task with Suspicious Name ESCU actions · alerting P Windows Schtasks Create Run As System ESCU actions · alerting P WinEvent Scheduled Task Created to Spawn Shell ESCU actions · alerting P WinEvent Scheduled Task Created Within Public Path ESCU actions · alerting P WinEvent Windows Task Scheduler Event Action Started ESCU actions · hunting P Scheduled tasks used in BadRabbit ransomware ESCU actions · alerting P [LLM] Shai-Hulud npm worm — shai-hulud-workflow.yml dropped into .github/workflows/ Bespoke install · alerting DSΣPDDCS Article-specific behavioural hunt — Argamal: Malware hidden in hentai games Bespoke exploit · hunting DSP [LLM] Argamal Scheduled Task Pointing at AppData\Local DLL via Color System Calibration Loader Bespoke install · alerting DSΣPDDCS Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-46716: Nezha Monitoring: RoleMember can run shell on Bespoke install · hunting DSP Article-specific behavioural hunt — Tracking Iranian APT Screening Serpens’ 2026 Espionage Campaigns Bespoke exploit · hunting DSP Article-specific behavioural hunt — Cloud Atlas activity in the second half of 2025 and early 2026: new tools and a Bespoke exploit · hunting DSP Article-specific behavioural hunt — Tracking TamperedChef Clusters via Certificate and Code Reuse Bespoke exploit · hunting DSP [LLM] TamperedChef scheduled-task persistence via task.xml + obfuscated JS (appsuite-print.js) Bespoke install · alerting DSPDDCS Article-specific behavioural hunt — Webworm: New burrowing techniques Bespoke exploit · hunting DSP Article-specific behavioural hunt — Kimsuky targets organizations with PebbleDash-based tools Bespoke exploit · hunting DSP Article-specific behavioural hunt — Kimsuky targets organizations with PebbleDash-based tools Bespoke exploit · hunting DSP Article-specific behavioural hunt — FrostyNeighbor: Fresh mischief and digital shenanigans Bespoke exploit · hunting DSP [LLM] PicassoLoader scheduled-task creation by wscript/cscript after C2 XML fetch Bespoke install · alerting DSΣPDDCS Article-specific behavioural hunt — GlassWorm Hides a RAT Inside a Malicious Chrome Extension Bespoke exploit · hunting DSP Article-specific behavioural hunt — Glassworm Strikes Popular React Native Phone Number Packages Bespoke exploit · hunting DSP [LLM] Glassworm stage-3 persistence: schtasks UpdateApp + HKCU Run DPKCbbQ Bespoke install · alerting DSΣPDD Article-specific behavioural hunt — Operation MacroMaze: new APT28 campaign using basic tooling and legit infrastru Bespoke exploit · hunting DSP Article-specific behavioural hunt — Operation MacroMaze: new APT28 campaign using basic tooling and legit infrastru Bespoke exploit · hunting DSP [LLM] APT28 MacroMaze: schtasks creating wscript-launched persistence with 20/30/61-minute repeat Bespoke install · alerting DSΣP Article-specific behavioural hunt — DynoWiper update: Technical analysis and attribution Bespoke exploit · hunting DSP Article-specific behavioural hunt — Fake Clawdbot VS Code Extension Installs ScreenConnect RAT Bespoke exploit · hunting DSP Article-specific behavioural hunt — LongNosedGoblin tries to sniff out governmental affairs in Southeast Asia and Ja Bespoke exploit · hunting DSP Article-specific behavioural hunt — LongNosedGoblin tries to sniff out governmental affairs in Southeast Asia and Ja Bespoke exploit · hunting DSP [LLM] NosyDoor persistence: scheduled task 'OneDrive Reporting Task-S-1-5-21-' under Microsoft folder Bespoke install · alerting DSΣP [LLM] MuddyViper persistence via ManageOnDriveUpdater scheduled task or Startup folder hijack Bespoke install · alerting DSPDDCS [LLM] Malicious '.github/workflows/discussion.yaml' workflow file created by npm/node Bespoke install · alerting DSΣPDDCS [LLM] Shai-Hulud persistence artifact: shai-hulud-workflow.yml file dropped on disk Bespoke install · alerting DSΣPDDCS

Articles citing this technique (21)

crit Early Warning Signs of Supply-Chain Attacks Live in the Dark Web art-27

high Argamal: Malware hidden in hentai games art-137

crit [GHSA / CRITICAL] CVE-2026-46716: Nezha Monitoring: RoleMember can run shell on every server (cross-tenant RCE) via POST /api/v1/cron art-213

crit Tracking Iranian APT Screening Serpens’ 2026 Espionage Campaigns art-217

crit Cloud Atlas activity in the second half of 2025 and early 2026: new tools and a new payload art-219

crit Tracking TamperedChef Clusters via Certificate and Code Reuse art-237

crit Webworm: New burrowing techniques art-240

crit Kimsuky targets organizations with PebbleDash-based tools art-308

crit FrostyNeighbor: Fresh mischief and digital shenanigans art-309

high Qinglong task scheduler RCE vulnerabilities exploited in the wild for cryptomining art-353

crit GlassWorm Hides a RAT Inside a Malicious Chrome Extension art-458

high Glassworm Strikes Popular React Native Phone Number Packages art-466

crit Operation MacroMaze: new APT28 campaign using basic tooling and legit infrastructure art-542

crit How a Malicious Google Skill on ClawHub Tricks Users Into Installing Malware art-564

crit DynoWiper update: Technical analysis and attribution art-590

high Fake Clawdbot VS Code Extension Installs ScreenConnect RAT art-594

crit LongNosedGoblin tries to sniff out governmental affairs in Southeast Asia and Japan art-642

med MuddyWater: Snakes by the riverbank art-676

high SHA1-Hulud, npm supply chain incident art-686

high Zero-day Extensive NPM Package Compromise - Shai Hulud Supply Chain Attack art-789

crit CISA KEV: CVE-2024-49039 — Microsoft Windows Task Scheduler Privilege Escalation Vulnerability art-1089