Scheduled Task
Info
ID: AT-DC007
Tactic: Deepening Control
Sub-techniques: At, Container, Cron, Orchestration Job, Systemd Timers
Platforms: Linux, macOS, Windows, K8s, IaaS
Permissions Required: User, Administrator
Version: 1.0
Scheduled Task/Job
Adversaries may schedule periodic tasks - such as cron jobs, systemd timers, or Kubernetes CronJobs - to execute or redeploy malicious payloads automatically. By embedding these tasks with root or elevated privileges, attackers ensure their code runs regularly, establishing persistence. Even if defenders remove or kill compromised containers or processes, the scheduler can recreate them.
Cloud orchestration tools often rely on job scheduling for maintenance, scaling, or housekeeping tasks. Attackers hijacking these features can craft malicious jobs that go unnoticed in routine operational noise. The persistent nature of scheduled tasks can also revert or self-heal any attempted remediation, turning them into a reliable fallback for continuous re-compromise if defenders don't fully remove the attacker's scheduling hooks.
Detection
| ID | Data Source | Detection |
|---|---|---|
| DS0003 | Scheduled Job Creation | Track creation of new scheduled tasks and jobs. |
| DS0009 | Process Creation | Detect invocations of schtasks, crontab, systemctl (acting on timer units), or kubectl create cronjob by non-admin service accounts. |
| DS0022 | File: File Access | Monitor file modifications where the command path of a scheduled task/job points to a user-writable directory. |
| DS0032 | Container Creation | Alert on CronJobs that mount secrets/configMaps not referenced by any other workload. |
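The following is an added example, not part of this technique page, showing how the three behavioural detections above (DS0009, DS0022, DS0032) can be expressed as code. The process-event log format, the list of known admin accounts, the set of user-writable prefixes and the shape of the Kubernetes workload records are all assumptions made for the example; the sample events, crontab lines and workloads are constructed.

```python
import re

# Constructed process-creation events; the key=value format is an assumption.
SAMPLE_PROCESS_EVENTS = [
    '2024-05-01T10:00:01Z host=web1 user=www-data cmd="crontab -"',
    '2024-05-01T10:00:05Z host=web1 user=root cmd="systemctl start logrotate.timer"',
    '2024-05-01T10:01:00Z host=ci1 user=svc-build cmd="kubectl create cronjob sync --image=alpine --schedule=@hourly"',
    '2024-05-01T10:02:00Z host=win1 user=alice cmd="schtasks /create /tn Updater /tr C:\\Users\\alice\\up.exe /sc minute"',
    '2024-05-01T10:03:00Z host=web1 user=www-data cmd="systemctl status nginx"',
]
# Constructed crontab content.
SAMPLE_CRONTAB = [
    "# m h dom mon dow command",
    "PATH=/usr/bin:/bin",
    "0 2 * * * /usr/local/bin/backup.sh",
    "*/5 * * * * /tmp/.x/run.sh >/dev/null 2>&1",
    "@reboot /dev/shm/.svc",
]
# Constructed inventory of workloads and the secrets each one mounts.
SAMPLE_WORKLOADS = [
    {"kind": "Deployment", "name": "api", "secrets": ["db-creds"]},
    {"kind": "CronJob", "name": "nightly-backup", "secrets": ["db-creds"]},
    {"kind": "CronJob", "name": "cleanup", "secrets": ["cloud-admin-token"]},
]

EVENT_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd="(?P<cmd>.*)"$')
SCHEDULER_TOOLS = {"schtasks", "crontab", "at", "systemctl", "kubectl"}
ADMIN_ACCOUNTS = {"root", "SYSTEM", "ops-admin"}  # assumption: identities allowed to schedule
USER_WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "C:\\Users\\")  # assumption

def parse_event(line):
    m = EVENT_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["argv"] = ev["cmd"].split()
    return ev

def is_scheduler_invocation(argv):
    """DS0009: True when argv is a scheduler tool being used to create or start a job."""
    tool = argv[0].rsplit("/", 1)[-1].lower()
    if tool not in SCHEDULER_TOOLS:
        return False
    args = [a.lower() for a in argv[1:]]
    if tool == "systemctl":  # only timer units matter; 'systemctl status nginx' is noise
        return any(a.endswith(".timer") for a in args)
    if tool == "kubectl":
        return "cronjob" in args or "cronjobs" in args
    return True

def command_path_is_user_writable(path):
    return path.startswith(USER_WRITABLE_PREFIXES)

def scheduled_command_path(argv):
    """Best-effort extraction of the program a new task will run (schtasks /tr <path>)."""
    tool = argv[0].rsplit("/", 1)[-1].lower()
    if tool == "schtasks":
        for i, a in enumerate(argv):
            if a.lower() == "/tr" and i + 1 < len(argv):
                return argv[i + 1]
    return None

def flag_process_events(lines):
    """Return findings for scheduler use by non-admins or with user-writable targets."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if not ev or not ev["argv"] or not is_scheduler_invocation(ev["argv"]):
            continue
        reasons = []
        if ev["user"] not in ADMIN_ACCOUNTS:
            reasons.append("scheduler tool run by non-admin account")
        path = scheduled_command_path(ev["argv"])
        if path and command_path_is_user_writable(path):
            reasons.append(f"task command in user-writable path: {path}")
        if reasons:
            findings.append({"host": ev["host"], "user": ev["user"], "tool": ev["argv"][0], "reasons": reasons})
    return findings

def crontab_entry_command(entry):
    """Program path from one crontab line, or None for comments, blanks and VAR=value lines."""
    entry = entry.strip()
    if not entry or entry.startswith("#") or re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", entry):
        return None
    fields = entry.split()
    if fields[0].startswith("@"):  # @reboot, @hourly, ... take the place of the five time fields
        return fields[1] if len(fields) > 1 else None
    return fields[5] if len(fields) > 5 else None

def flag_crontab(entries):
    """DS0022: crontab entries whose command lives in a user-writable directory."""
    return [e for e in entries if (p := crontab_entry_command(e)) and command_path_is_user_writable(p)]

def unreferenced_cronjob_secrets(workloads):
    """DS0032: per CronJob, the secrets it mounts that no other workload references."""
    users = {}
    for w in workloads:
        for s in w.get("secrets", []):
            users.setdefault(s, set()).add(w["name"])
    result = {}
    for w in workloads:
        if w["kind"] != "CronJob":
            continue
        lonely = sorted(s for s in w.get("secrets", []) if users[s] == {w["name"]})
        if lonely:
            result[w["name"]] = lonely
    return result

if __name__ == "__main__":
    for f in flag_process_events(SAMPLE_PROCESS_EVENTS):
        print("PROCESS", f)
    for e in flag_crontab(SAMPLE_CRONTAB):
        print("CRONTAB", e)
    print("CRONJOB", unreferenced_cronjob_secrets(SAMPLE_WORKLOADS))
```

On the sample data this flags the www-data crontab call, the svc-build kubectl cronjob creation and the schtasks task pointing into a user profile, while leaving root's timer start and the unrelated systemctl status call alone; it flags the two crontab lines under /tmp and /dev/shm, and reports the cleanup CronJob as the only consumer of cloud-admin-token. The filters on systemctl and kubectl arguments are what keep the DS0009 rule from firing on routine service management.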
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1026 | Privileged Account Management | Implement least privilege for scheduled task creation and execution. |
| M1018 | User Account Management | Implement proper access controls for task scheduling capabilities. |
| M1040 | Behavior Prevention on Endpoint | Implement endpoint detection to monitor scheduled task activities. |