Skip to content

DET0094 Cross-Platform Behavioral Detection of Scheduled Task/Job Abuse

Item Value
ID DET0094
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1053 (Scheduled Task/Job)

Analytics

Windows

AN0258

Detects creation or modification of scheduled tasks using schtasks.exe, at.exe, or COM objects followed by execution of outlier processes tied to the scheduled job.

Log Sources
Data Component Name Channel
Scheduled Job Creation (DC0001) WinEventLog:Security EventCode=4698
Process Creation (DC0032) WinEventLog:Sysmon EventCode=1
File Modification (DC0061) WinEventLog:Sysmon EventCode=2
Mutable Elements
Field Description
TaskAuthor Unexpected user or account context initiating the task.
CommandLineRegex Suspicious binaries or script usage tied to scheduled tasks.
ExecutionWindow Lookback window to correlate process execution after task registration.

Linux

AN0259

Detects creation or modification of cron jobs via crontab, /etc/cron.* directories, or systemd timer units with execution by unusual users or non-standard intervals.

Log Sources
Data Component Name Channel
File Modification (DC0061) auditd:SYSCALL write, rename
Process Creation (DC0032) auditd:SYSCALL execve
Scheduled Job Creation (DC0001) linux:osquery crontab, systemd_timers
Mutable Elements
Field Description
CronSchedulePattern Look for high-frequency or off-hour scheduling patterns.
ServiceUser Unusual users scheduling jobs (e.g., www-data, nobody).
BinaryEntropy Abnormal scripts or binaries tied to the scheduled job.

macOS

AN0260

Detects creation or alteration of LaunchAgents or LaunchDaemons with corresponding plist modification followed by execution of associated binaries.

Log Sources
Data Component Name Channel
Process Creation (DC0032) macos:unifiedlog process launch
File Creation (DC0039) fs:fsusage disk activity on /Library/LaunchAgents or LaunchDaemons
Scheduled Job Creation (DC0001) macos:osquery launchd_jobs
Mutable Elements
Field Description
PlistLabel Labels not associated with known applications or vendors.
LaunchPath Executable path outside of standard directories (/usr/bin, /Applications).
JobRunInterval Unexpected periodic job intervals (e.g., every minute).

Containers

AN0261

Detects unusual use of cron or sleep loops inside containers executing unfamiliar scripts or binaries repeatedly.

Log Sources
Data Component Name Channel
Process Creation (DC0032) auditd:SYSCALL execve
File Modification (DC0061) containerd:runtime file change monitoring within /etc/cron.*, /tmp, or mounted volumes
Mutable Elements
Field Description
ContainerLabel Labels or tags indicating dev/test containers executing scheduled tasks.
ScriptFrequency Repetitive invocation pattern within short container lifespan.
ImageSource Unexpected container image sources creating cron entries.

ESXi

AN0262

Detects modification of ESXi cron jobs, local.sh scripts, or scheduled API calls to persist custom binaries or shell scripts.

Log Sources
Data Component Name Channel
Scheduled Job Creation (DC0001) esxi:vmkernel Startup script and task execution logs
Command Execution (DC0064) esxi:hostd shell access or job registration
File Modification (DC0061) esxi:cron manual edits to /etc/rc.local.d/local.sh or cron.d
Mutable Elements
Field Description
StartupScriptName Filename not matching expected initialization scripts.
ExecutionContext Commands run from unexpected SSH sessions or elevated shells.
PersistenceInterval Rare scheduling triggers (e.g., @reboot + hourly repetition).