| ID | Name |
|---|---|
| ATAGS-T1059.001 | At |
| ATAGS-T1059.002 | Container Orchestration Job |
| ATAGS-T1059.003 | Cron |
| ATAGS-T1059.004 | Scheduled Task |
| ATAGS-T1059.005 | Systemd Timers |
Threat actors may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, Threat actors have used a .NET wrapper for the Windows Task Scheduler, and alternatively, Threat actors have used the Windows netapi32 library and Windows Management Instrumentation (WMI) to create a scheduled task. Threat actors may also utilize the Powershell Cmdlet Invoke-CimMethod, which leverages WMI class PS_ScheduledTask to create a scheduled task via an XML path.
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.