Windows-based attackers leverage scheduled tasks for surreptitious continued access

In the ever-evolving landscape of cybersecurity, a common method used by attackers to maintain persistence in incidents is through the use of scheduled tasks on Windows systems. These tasks automate the execution of programs, scripts, or commands according to a schedule or trigger.

Persistence is a key goal in many cyber incidents, and scheduled tasks are one of the established methods alongside registry values, autostart entries, and services. Attackers can create new tasks and modify existing ones to carry out their malicious activities.

Microsoft provides extensive documentation on scheduled tasks, detailing each part of a task and how it functions. You can find this information here.

The command line is one of the primary interfaces for managing scheduled tasks. The executable file is used to create a task, and the parameter specifies the user under which the task should run. Additionally, PowerShell can be used to create a scheduled task using the cmdlet, and WMI can also be employed with PowerShell and the cmdlet.

Scheduled tasks are displayed in the Security Event Log under Event ID 4698, but this event is not enabled by default. Security log event ID 4698 shows task creation, but requires advanced monitoring policies. Investigating malicious scheduled tasks involves analyzing their creation variants, such as those that play a significant role in cases like ransomware attacks or persistence through initial access brokers.

Organizations should define a baseline for normal scheduled tasks to quickly detect deviations. Log forwarding, EDR, and Sysmon telemetry are essential for defense in this regard. Short, recurring intervals, such as every five minutes, and the origin of creation provide valuable clues.

Attackers can modify existing tasks to hide their activities, making it crucial for organizations to monitor command line activities and process tracking. On a modern Windows system, scheduled tasks are often found in various locations such as C:\windows\tasks, C:\windows\system32\tasks, C:\windows\system32\config\SOFTWARE, and %localappdata%\Microsoft\Windows\PowerShell\ScheduledJobs.

For instance, a task named "TelemetryUpdater" located in C:\Windows\System32\Tasks\Microsoft\Windows\Update runs every 5 minutes. This task uses the parameters , , , , , and .

Moreover, the executed command contains the word "miner" and passes parameters over port 333 to a specific URL, indicating malicious use. Opening a scheduled task file reveals it in a common XML format that describes the trigger, action, principal (user or permissions), and some other information.

In some cases, the task uses the command line to start from an unusual path, such as C:\ProgramData\System. Scheduled tasks are also stored as XML files under C:\Windows\System32\Tasks, sometimes in subfolders, and can be named arbitrarily.

It's worth noting that in 2025, many threat actors still prefer to use classic methods, including scheduled tasks in Windows, over novel zero-day exploits or complex rootkits. This underscores the importance of understanding and monitoring scheduled tasks in maintaining a secure Windows environment.

Windows-based attackers leverage scheduled tasks for surreptitious continued access