# Schtask

## Execution

Creating a new scheduled task that will launch shell.cmd every minute:

{% code title="attacker\@victim" %}

```bash
schtasks /create /sc minute /mo 1 /tn "eviltask" /tr C:\tools\shell.cmd /ru "SYSTEM"
```

{% endcode %}

## Observations

Note that processes spawned as scheduled tasks have the `taskeng.exe` process as their parent:

![](/files/-LHy68PyzZEhWDrkWOlD)

Monitoring and inspecting the command-line arguments of processes and the network connections they establish can help uncover suspicious activity:

![](/files/-LHz01Kwl65cvw5hpiqi)

![](/files/-LHyzlcSRavyqDnRP4qt)

Also, look for 4698 events, which indicate new scheduled task creation:

![](/files/-LHz92WU-MFxxlBGMnRi)
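
A way to triage those 4698 events, as an added example that is not from the original page: it parses the event XML, unpacks the embedded task definition, and reports why a task like the one created above stands out. The sample event is constructed, and the function names, the 300-second threshold and the path heuristic are assumptions.

```python
import re
import xml.etree.ElementTree as ET

EVT = "{http://schemas.microsoft.com/win/2004/08/events/event}"
TASK = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Constructed sample: trimmed 4698 event; TaskContent holds the task XML as escaped text.
SAMPLE_4698 = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4698</EventID><Computer>victim</Computer></System>
 <EventData>
  <Data Name="SubjectUserName">attacker</Data>
  <Data Name="TaskName">\eviltask</Data>
  <Data Name="TaskContent">&lt;?xml version="1.0" encoding="UTF-16"?&gt;
   &lt;Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"&gt;
   &lt;Triggers&gt;&lt;TimeTrigger&gt;&lt;Repetition&gt;&lt;Interval&gt;PT1M&lt;/Interval&gt;&lt;/Repetition&gt;&lt;/TimeTrigger&gt;&lt;/Triggers&gt;
   &lt;Principals&gt;&lt;Principal id="Author"&gt;&lt;UserId&gt;S-1-5-18&lt;/UserId&gt;&lt;/Principal&gt;&lt;/Principals&gt;
   &lt;Actions Context="Author"&gt;&lt;Exec&gt;&lt;Command&gt;C:\tools\shell.cmd&lt;/Command&gt;&lt;/Exec&gt;&lt;/Actions&gt;
   &lt;/Task&gt;</Data>
 </EventData>
</Event>"""

def interval_seconds(iso):
    """Convert an ISO 8601 duration such as PT1M or P1D to seconds (None if unparsable)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", iso or "")
    if not m:
        return None
    d, h, mi, s = (int(x or 0) for x in m.groups())
    return ((d * 24 + h) * 60 + mi) * 60 + s

def analyse_4698(event_xml, max_interval=300):  # threshold is an assumption
    """Return task details plus the reasons it looks suspicious, or None if not a 4698."""
    root = ET.fromstring(event_xml)
    if root.findtext(f"{EVT}System/{EVT}EventID") != "4698":
        return None
    data = {d.get("Name"): d.text or "" for d in root.iter(f"{EVT}Data")}
    # Drop the inner XML declaration: its UTF-16 label no longer matches the decoded text.
    task = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", data["TaskContent"]))
    user = task.findtext(f".//{TASK}Principal/{TASK}UserId", "")
    command = task.findtext(f".//{TASK}Exec/{TASK}Command", "")
    secs = interval_seconds(task.findtext(f".//{TASK}Repetition/{TASK}Interval"))
    reasons = []
    if user.upper() in ("S-1-5-18", "SYSTEM", "NT AUTHORITY\\SYSTEM"):
        reasons.append("runs as SYSTEM")
    if secs is not None and secs <= max_interval:
        reasons.append(f"repeats every {secs}s")
    if not command.lower().startswith(("c:\\windows\\", "c:\\program files")):
        reasons.append("action not under a system directory")
    return {"task": data.get("TaskName"), "creator": data.get("SubjectUserName"),
            "command": command, "reasons": reasons}
```
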

### Lateral Movement

Note that when `schtasks` is used for lateral movement, the spawned processes do not have `taskeng.exe` as their parent, but rather `svchost`:

{% code title="attacker\@victim" %}

```bash
schtasks /create /sc minute /mo 1 /tn "eviltask" /tr calc /ru "SYSTEM" /s dc-mantvydas /u user /p password
```

{% endcode %}

![](/files/-LHz3Z0gLOeaUDeDoNqv)

## References

{% embed url="<https://attack.mitre.org/wiki/Technique/T1053>" %}

{% embed url="<https://docs.microsoft.com/en-us/windows/desktop/taskschd/schtasks>" %}
