MITRE ATT&CK

Windows Scheduled Tasks allow users to automate the execution of predefined actions based on specified triggers. Attackers often leverage this feature to maintain persistence on a compromised system by scheduling malicious code execution. This can be done through the GUI tool or command-line utilities like schtasks.exe.

Scheduled Tasks as a Persistence Mechanism

How Attackers Use Scheduled Tasks

• Attackers create tasks that execute malware at specific times, events, or system boot
• Tasks persist through reboots and can be scheduled for SYSTEM or high-privilege accounts.
• Tasks can be hidden by modifying registry permissions (SD value) or deleting GUI-visible entries.

Creating a Scheduled Task (Example Command)

schtasks /create /tn "mysc" /tr C:\\Users\\Public\\test.exe /sc ONLOGON /ru "System"

Command Breakdown:

• /tn – Task name.
• /tr – The command or program that runs.
• /sc – Schedule type (e.g., ONLOGON, DAILY, HOURLY).
• /ru – Specifies the user account under which the task runs.

Scheduled Tasks in the Registry

All scheduled tasks are registered under the following registry keys:

• HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Tasks
• HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache