Skip to content

DS0003 Scheduled Job

Automated tasks that can be executed at a specific time or on a recurring schedule running in the background (ex: Cron daemon, task scheduler, BITS)1

Item Value
ID DS0003
Platforms Containers, Linux, Windows, macOS
Collection Layers Container, Host
Version 1.0
Created 20 October 2021
Last Modified 30 March 2022

Data Components

Scheduled Job Creation

Initial construction of a new scheduled job (ex: Windows EID 4698 or /var/log cron logs)

Domain ID Name
ics T0849 Masquerading
enterprise T1053 Scheduled Task/Job
enterprise T1053.002 At
enterprise T1053.003 Cron
enterprise T1053.005 Scheduled Task
enterprise T1053.006 Systemd Timers
enterprise T1053.007 Container Orchestration Job

Scheduled Job Metadata

Contextual data about a scheduled job, which may include information such as name, timing, command(s), etc.

Domain ID Name
enterprise T1036 Masquerading
enterprise T1036.004 Masquerade Task or Service

Scheduled Job Modification

Changes made to a scheduled job, such as modifications to the execution launch (ex: Windows EID 4702 or /var/log cron logs)

Domain ID Name
enterprise T1070 Indicator Removal
enterprise T1070.009 Clear Persistence
enterprise T1036 Masquerading
enterprise T1036.004 Masquerade Task or Service
ics T0849 Masquerading

References

  1. Microsoft. (2018, May 31). Tasks. Retrieved September 28, 2021. 

  2. Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016. 

  3. Satyajit321. (2015, November 3). Scheduled Tasks History Retention settings. Retrieved December 12, 2017.