Scheduled Task/Job: Scheduled Task

Description

Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library to create a scheduled task.

Products, Sensors, and Dependencies

Product: Tenable Vulnerability Management

Dependencies: Advanced Network Scan

Data source: Windows machines

Access required: Authenticated Scan

Protocol: SMB

Data Collected: Scheduled Task

Notes: Plugin ID: 70625

References

Microsoft Windows AutoRuns Scheduled Tasks

Attack Path Technique Details

Framework: MITRE ATT&CK

Family: Execution, Persistence, Privilege Escalation

Sub-Technique: Scheduled Task

Platform: Windows

Tenable Release Date: 2023 Q3