Scheduled Job Creation

The establishment of a task or job that will execute at a predefined time or based on specific triggers.

Data Collection Measures:

  • Windows Event Logs:
    • Event ID 4698 (Scheduled Task Created) – Records the creation of a new scheduled task, including the creating account (SubjectUserName) and the full task XML (TaskContent). It is only logged when the "Audit Other Object Access Events" subcategory is enabled.
    • Event ID 4702 (Scheduled Task Updated) – Records modifications to existing scheduled tasks.
    • Event ID 106 (Microsoft-Windows-TaskScheduler/Operational) – Records task registration ("Task registered"); Event IDs 100 (Task Started) and 200 (Action Started) in the same log record execution. This operational log is not enabled by default on recent Windows builds and must be switched on.
  • Sysmon (Windows):
    • Event ID 1 (Process Creation) – Captures schtasks.exe /create and at.exe command lines at registration time, and the processes spawned as task actions. On older Windows these are children of taskeng.exe; on Windows 10 / Server 2016 and later the Schedule service runs inside svchost.exe, so the parent is svchost.exe.
  • Linux/macOS Monitoring:
    • AuditD: Place write/attribute watch rules (-w <path> -p wa) on /etc/crontab, /etc/cron.d/, /etc/cron.{hourly,daily,weekly,monthly}/, the per-user spool (/var/spool/cron/ on Red Hat-family, /var/spool/cron/crontabs/ on Debian-family) and systemd timer units (*.timer under /etc/systemd/system/).
    • Syslog: Collect cron execution logs; these land in /var/log/cron on Red Hat-family systems and in /var/log/syslog or the systemd journal on Debian-family systems.
    • OSQuery: Query the crontab table (Linux/macOS) and the launchd table (macOS) for scheduled job configurations.
  • Endpoint Detection and Response (EDR) Tools:
    • Track scheduled task creation and modification events.
  • SIEM & XDR Detection Rules:
    • Monitor for scheduled jobs created by unusual users.
    • Detect tasks executing scripts from non-standard directories.
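The two SIEM rules above (jobs created by unexpected users, actions launched from non-standard directories) prototyped over constructed samples of a Windows Security 4698 event and of per-user crontab lines. This is an added example for this page, not MITRE or vendor code; the trusted-directory list and expected-user set are assumptions to be tuned per environment, and the sample events are constructed, not captured from a host.

```python
"""Prototype detection logic for scheduled-job creation: flag jobs created by an
unexpected account or whose action runs from outside a set of trusted directories.
Added example; TRUSTED_DIRS and EXPECTED_USERS are assumed baselines."""
import re
import xml.etree.ElementTree as ET

# Assumed baseline: directories a legitimately registered job is expected to run
# from. A bare program name with no directory cannot be resolved here and is
# flagged as well, since PATH-resolved commands are a common evasion.
TRUSTED_DIRS = (
    r"c:\windows\system32", r"c:\windows\syswow64", r"c:\program files",
    "/usr/bin", "/usr/sbin", "/usr/local/bin", "/usr/local/sbin", "/opt",
)
# Assumed baseline: accounts expected to register scheduled jobs on servers.
EXPECTED_USERS = {"SYSTEM", "root"}

# Namespace used by the task XML carried in the 4698 TaskContent field.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}


def task_command(task_content: str) -> str:
    """Return the Command of the Exec action in a 4698 TaskContent payload.
    Tasks whose only action is a ComHandler have no Command and yield ''."""
    root = ET.fromstring(task_content)
    cmd = root.find(".//t:Actions/t:Exec/t:Command", TASK_NS)
    return cmd.text.strip() if cmd is not None and cmd.text else ""


def in_trusted_dir(command: str) -> bool:
    """True if the program path begins with one of TRUSTED_DIRS."""
    prog = command.strip().strip('"').lower()
    # Normalise the common environment-variable spellings of the Windows dir.
    for var in ("%systemroot%", "%windir%"):
        prog = prog.replace(var, r"c:\windows")
    return any(prog.startswith(d) for d in TRUSTED_DIRS)


def check_4698(event: dict) -> list:
    """Evaluate one 4698 event given as a dict of its SubjectUserName, TaskName
    and TaskContent fields; returns the list of reasons to alert (empty = clean)."""
    reasons = []
    if event["SubjectUserName"] not in EXPECTED_USERS:
        reasons.append("task %s created by unexpected user %s"
                       % (event["TaskName"], event["SubjectUserName"]))
    cmd = task_command(event["TaskContent"])
    if cmd and not in_trusted_dir(cmd):
        reasons.append("task %s runs from non-standard location: %s"
                       % (event["TaskName"], cmd))
    return reasons


# Five time fields (or an @reboot-style shortcut) followed by the command.
CRON_LINE = re.compile(r"^(?:@\w+|(?:\S+\s+){4}\S+)\s+(?P<cmd>.+)$")


def check_crontab_line(line: str, owner: str) -> list:
    """Evaluate one line of a per-user crontab; owner is the spool file's name."""
    line = line.strip()
    if not line or line.startswith("#") or re.match(r"^\w+=", line):
        return []  # blank line, comment or environment assignment
    m = CRON_LINE.match(line)
    if not m:
        return ["unparseable crontab line for %s: %s" % (owner, line)]
    reasons = []
    if owner not in EXPECTED_USERS:
        reasons.append("cron job installed for unexpected user %s" % owner)
    prog = m.group("cmd").split()[0]  # program is the first token of the command
    if not in_trusted_dir(prog):
        reasons.append("cron job for %s runs from non-standard location: %s"
                       % (owner, prog))
    return reasons


# Constructed sample TaskContent (XML declaration omitted), as carried in 4698.
SAMPLE_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec><Command>C:\\Users\\Public\\update.exe</Command><Arguments>-q</Arguments></Exec>
  </Actions>
</Task>"""

# Constructed sample events: a benign system task and a user-created one.
SAMPLE_EVENTS = [
    {"SubjectUserName": "SYSTEM",
     "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "TaskContent": SAMPLE_TASK.replace(r"C:\Users\Public\update.exe",
                                        r"%SystemRoot%\System32\defrag.exe")},
    {"SubjectUserName": "jdoe", "TaskName": r"\Updater", "TaskContent": SAMPLE_TASK},
]
# Constructed sample crontab lines as (spool owner, line).
SAMPLE_CRON = [
    ("root", "0 2 * * * /usr/local/bin/backup.sh"),
    ("www-data", "*/5 * * * * /tmp/.x/update.sh >/dev/null 2>&1"),
    ("root", "@reboot /dev/shm/.k"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        for reason in check_4698(ev):
            print("ALERT 4698:", reason)
    for owner, line in SAMPLE_CRON:
        for reason in check_crontab_line(line, owner):
            print("ALERT cron:", reason)
```

Running the block prints three alerts: the jdoe task for both its creator and its %PUBLIC% path, the www-data cron job for both reasons, and the root @reboot entry for its /dev/shm path. The same path check is deliberately shared between the Windows and cron branches so that tuning the trusted list happens in one place.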
ID: DC0001
Domains: ICS, Enterprise
Version: 2.0
Created: 20 October 2021
Last Modified: 21 October 2025

Log Sources

Name                       Channel
esxi:cron                  execution of scheduled job
esxi:hostd                 task creation events
esxi:vmkernel              Startup script and task execution logs
kubernetes:apiserver       verb=create, resource=cronjobs, group=batch
linux:cron                 Scheduled execution of unknown or unusual script/binary
linux:osquery              crontab, systemd_timers
linux:osquery              file_events
linux:syslog               Execution of non-standard script or binary by cron
macos:cron                 cron/launchd
macos:osquery              launchd_jobs
macos:osquery              file_events - cron, launchd
macos:unifiedlog           process: crontab edits, launch of cron job
Scheduled Job              None
WinEventLog:Security       EventCode=4698
WinEventLog:Security       EventCode=4699
WinEventLog:TaskScheduler  EventCode=106

Detection Strategy