Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library to create a scheduled task.

The deprecated at utility could also be abused by adversaries (ex: At (Windows)), though at.exe cannot access tasks created with schtasks or the Control Panel.

An adversary may use Windows Task Scheduler to execute programs at system startup or on a scheduled basis for persistence. The Windows Task Scheduler can also be abused to conduct remote Execution as part of Lateral Movement and/or to run a process under the context of a specified account (such as SYSTEM).

Run an exe on user logon or system startup. Upon execution, success messages will be displayed for the two scheduled tasks. To view the tasks, open the Task Scheduler and look in the Active Tasks pane.
Supported Platforms: Windows
schtasks /create /tn "T1053_005_OnLogon" /sc onlogon /tr "cmd.exe /c calc.exe"
schtasks /create /tn "T1053_005_OnStartup" /sc onstart /ru system /tr "cmd.exe /c calc.exe"
schtasks /delete /tn "T1053_005_OnLogon" /f >nul 2>&1
schtasks /delete /tn "T1053_005_OnStartup" /f >nul 2>&1
Upon successful execution, cmd.exe will create a scheduled task to spawn cmd.exe at 20:10.
Supported Platforms: Windows
Name | Description | Type | Default Value |
---|---|---|---|
task_command | What you want to execute | String | C:\windows\system32\cmd.exe |
time | Time of day to run the task (24-hour format) | String | 72600 |
SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time}
SCHTASKS /Delete /TN spawn /F >nul 2>&1
Create a task on a remote system.
Upon successful execution, cmd.exe will create a scheduled task to spawn cmd.exe at 20:10 on a remote endpoint.
Supported Platforms: Windows
Name | Description | Type | Default Value |
---|---|---|---|
task_command | What you want to execute | String | C:\windows\system32\cmd.exe |
time | Time of day to run the task (24-hour format) | String | 72600 |
target | Target | String | localhost |
user_name | Username to authenticate with, format: DOMAIN\User | String | DOMAIN\user |
password | Password to authenticate with | String | At0micStrong |
SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
SCHTASKS /Delete /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /F >nul 2>&1
Create an atomic scheduled task that leverages native PowerShell cmdlets.
Upon successful execution, powershell.exe will create a scheduled task to spawn cmd.exe at 20:10.
Supported Platforms: Windows
$Action = New-ScheduledTaskAction -Execute "calc.exe"
$Trigger = New-ScheduledTaskTrigger -AtLogon
$User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
$Set = New-ScheduledTaskSettingsSet
$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
Register-ScheduledTask AtomicTask -InputObject $object
Unregister-ScheduledTask -TaskName "AtomicTask" -confirm:$false >$null 2>&1
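
For detection, the schtasks-based tests above leave a recognisable process command line. The following is an added example, not part of the original tests: it parses such command lines from process-creation telemetry and labels the traits these tests exercise. The function names, reason labels, interpreter list and sample events (including the host, account and password placeholders) are assumptions made for illustration.

```python
import ntpath
import re
import shlex

# Switches used by the page's commands that take a value.
VALUE_SWITCHES = {"/tn", "/tr", "/sc", "/ru", "/rp", "/s", "/st"}
# Illustrative, non-exhaustive list of interpreters worth a second look as a task action.
INTERPRETERS = re.compile(r"\b(cmd|powershell|pwsh)(\.exe)?\b", re.I)

def parse_schtasks(cmdline):
    """Return {switch: value-or-True} for a schtasks command line, else None."""
    try:
        tokens = shlex.split(cmdline, posix=False)  # non-POSIX keeps Windows backslashes
    except ValueError:                               # unbalanced quote in the log line
        tokens = cmdline.split()
    image = ntpath.basename(tokens[0].strip('"')).lower() if tokens else ""
    if image not in ("schtasks", "schtasks.exe"):
        return None
    args, it = {}, iter(tokens[1:])
    for tok in it:
        key = tok.lower()                            # schtasks switches are case-insensitive
        if key in VALUE_SWITCHES:
            args[key] = next(it, "").strip('"')
        elif key.startswith("/"):
            args[key] = True
    return args

def triage(cmdline):
    """Return the reasons a task-creation command deserves analyst review."""
    args = parse_schtasks(cmdline)
    if not args or "/create" not in args:
        return []
    checks = [
        ("persistence-trigger", args.get("/sc", "").lower() in ("onlogon", "onstart")),
        ("runs-as-system", args.get("/ru", "").lower() == "system"),
        ("remote-target", "/s" in args),
        ("password-on-command-line", "/rp" in args),
        ("interpreter-action", bool(INTERPRETERS.search(args.get("/tr", "")))),
    ]
    return [name for name, hit in checks if hit]

# Constructed sample events modelled on the tests above (placeholder host, account, password).
SAMPLES = [
    'schtasks /create /tn "T1053_005_OnLogon" /sc onlogon /tr "cmd.exe /c calc.exe"',
    'schtasks /create /tn "T1053_005_OnStartup" /sc onstart /ru system /tr "cmd.exe /c calc.exe"',
    r'SCHTASKS /Create /S WKSTN-02 /RU CORP\svc /RP REDACTED /TN "Atomic task" /TR "C:\windows\system32\cmd.exe" /SC daily /ST 20:10',
    'schtasks /delete /tn "T1053_005_OnLogon" /f',
]
```

Tasks registered through the PowerShell ScheduledTasks cmdlets do not launch schtasks.exe, so command-line matching of this kind does not see them. Windows Security event 4698 (a scheduled task was created), when that auditing is enabled, records both paths.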