DC0001: Scheduled Job Creation
The establishment of a task or job that will execute at a predefined time or based on specific triggers.
Analyst context for executives and security teams
Scheduled Job Creation matters because a task or job that runs later, or on a trigger, can change when and how activity appears to defenders. For leaders, the decision point is whether the organization can prove who created scheduled execution, what will run, and when it is expected to run across in-scope systems. The ATT&CK object is a data component only, so it should be used as a telemetry and evidence requirement rather than as a complete detection rule.
Executive priority
Prioritize this as an auditability and incident-readiness control: if teams cannot reliably see newly established scheduled tasks or jobs, they may struggle to reconstruct events, validate authorized automation, or make timely containment decisions. Budget and control discussions should focus on whether scheduled execution changes are logged, retained, reviewed, and tied to accountable identities and assets. Because no platforms, tactics, or relationships are supplied, scope should be determined from the local environment rather than assumed from ATT&CK metadata.
Technical view
SOC, detection, and IR teams should validate visibility into the establishment of scheduled tasks or jobs that execute at predefined times or trigger conditions. Since the official object provides no detection guidance and no platform scope, detections should begin with an inventory of where scheduled execution exists, then confirm that creation events include creator identity, asset or resource, creation time, trigger details, and the configured action where available. Analysts should tune against known administrative automation, deployment tools, and maintenance jobs while preserving the ability to identify unexpected new scheduled execution.
Likely telemetry
- Scheduled task or job creation events
- Scheduler configuration or state-change records
- Identity or account context associated with job creation
- Asset, host, or resource context where the job was established
- Trigger timing or trigger-condition metadata
Detection direction
- Validate that creation of scheduled jobs is logged, not only execution of existing jobs.
- Baseline expected automation and maintenance schedules so new or unusual scheduled execution can be reviewed with fewer false positives.
- Confirm logs preserve enough context to answer who created the job, where it was created, what it will run, and what trigger will start it.
- Test retention and searchability for incident response timelines, because delayed or trigger-based execution may be investigated after creation time.
- Do not assume platform coverage from this ATT&CK object; map local schedulers and automation services before claiming coverage.
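The checks in the list above can be run over creation events once they are normalized out of whatever schedulers exist locally. The sketch below is an added example, not MITRE or Glexia code: the field names (`creator`, `asset`, `created_at`, `trigger`, `action`, `job`), the baseline key, and the sample records are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Context the page says a creation record should carry (field names are assumed).
REQUIRED = ("creator", "asset", "created_at", "trigger", "action")

@dataclass(frozen=True)
class Finding:
    job: str
    missing: tuple      # required fields absent or empty in the record
    baselined: bool     # True if (asset, creator, action) is approved automation

    @property
    def needs_review(self):
        return bool(self.missing) or not self.baselined


def review_creation_events(events, baseline):
    """Check each normalized creation event for evidence gaps and baseline match."""
    findings = []
    for ev in events:
        missing = tuple(f for f in REQUIRED if not str(ev.get(f) or "").strip())
        key = (ev.get("asset"), ev.get("creator"), ev.get("action"))
        findings.append(Finding(ev.get("job", "<unnamed>"), missing, key in baseline))
    return findings


def field_coverage(events):
    """Fraction of events that populate each required field (logging-quality metric)."""
    total = len(events) or 1
    return {f: sum(1 for ev in events if str(ev.get(f) or "").strip()) / total
            for f in REQUIRED}


# Constructed sample data: approved automation and three creation events.
BASELINE = {("build-01", "svc-deploy", "/opt/deploy/rotate-logs.sh")}
SAMPLE_EVENTS = [
    {"job": "rotate-logs", "creator": "svc-deploy", "asset": "build-01",
     "created_at": "2026-01-10T02:00:00Z", "trigger": "daily 02:00",
     "action": "/opt/deploy/rotate-logs.sh"},
    {"job": "sync-cache", "creator": "jdoe", "asset": "web-03",
     "created_at": "2026-01-10T23:41:07Z", "trigger": "at logon",
     "action": "/home/jdoe/sync.sh"},
    {"job": "nightly-report", "creator": "", "asset": "db-02",
     "created_at": "2026-01-11T01:15:30Z", "trigger": None,
     "action": "/usr/local/bin/report"},
]

if __name__ == "__main__":
    for f in review_creation_events(SAMPLE_EVENTS, BASELINE):
        print(f.job, "missing:", f.missing or "none", "baselined:", f.baselined,
              "review:", f.needs_review)
    print(field_coverage(SAMPLE_EVENTS))
```

A low ratio from `field_coverage` for `creator` or `trigger` points to a logging gap at the source rather than to a suspicious job, so it should be fixed before tuning detections on those fields.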
Mitigation priorities
- Inventory authorized scheduled execution mechanisms in the environment.
- Restrict who can create or modify scheduled tasks and jobs based on operational need.
- Require change control or approval evidence for administrative automation where practical.
- Monitor and review new scheduled job creation events, especially outside expected administrative workflows.
- Retain creation-event telemetry long enough to support incident response and compliance evidence needs.
Analyst notes and limits
This object is ATT&CK data component DC0001, Scheduled Job Creation. It describes the establishment of a task or job that will execute at a predefined time or based on triggers. No official detection text, platforms, tactics, aliases, or relationship context were supplied, so this take frames the object as a visibility requirement and avoids platform-specific assumptions.
The supplied ATT&CK fields are sparse. There is no official detection guidance, no related techniques, no platform list, and no relationship context. Local scheduler technologies, logging sources, identity model, retention requirements, and approved automation patterns are required to turn this into concrete detections or control validation.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 3.0 | | Current bundle | 53939c11aaee… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack DC0001
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.