DC0005: Scheduled Job Metadata
Contextual data about a scheduled job, which may include information such as name, timing, command(s), etc.
Analyst context for executives and security teams
Scheduled Job Metadata is the contextual record of scheduled work: the job name, timing, and command or commands configured to run. For leaders, its value is not the metadata itself but whether the organization can prove what is scheduled to execute, when it runs, and what it runs. Without that visibility, SOC and IR teams may struggle to distinguish approved automation from suspicious persistence or operationally risky changes.
Executive priority
Treat this as a coverage and assurance question: can the business account for scheduled execution across relevant environments, and can responders quickly review those records during an incident? Because ATT&CK provides no platform, tactic, or detection guidance for this data component, priority should be driven by local reliance on scheduled jobs for business operations, audit needs, and incident response readiness.
Technical view
This object is a data component, not a technique. Validate that security teams can collect and search scheduled job context such as job name, timing, and configured command(s). Since no ATT&CK detection text or relationships are supplied, detections should be locally engineered around deviations from known-good scheduled job metadata, suspicious command content, unusual timing, or unapproved changes where the organization has reliable baselines.
Likely telemetry
- Scheduled job name metadata
- Scheduled job timing or schedule metadata
- Configured command or action metadata for scheduled jobs
- Periodic scheduled job inventory or snapshots where available
- Security or administrative records that expose scheduled job configuration where available
Detection direction
- First confirm collection exists; this data component has no official ATT&CK detection guidance.
- Build baselines of approved scheduled job names, schedules, and commands before treating differences as suspicious.
- Tune for operational false positives from legitimate administrative automation and business maintenance windows.
- During investigations, use scheduled job metadata to answer what is configured to run, when it runs, and whether the command aligns with approved activity.
- Document blind spots where scheduled job metadata is not collected or cannot be tied to a reliable inventory.
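The baseline comparison described in the list above, as an added example that is not part of the ATT&CK object or the original page. The record layout (host, name, schedule, command), the finding labels, and all sample hosts, job names and commands are assumptions constructed for illustration.

```python
from typing import NamedTuple

class Job(NamedTuple):
    host: str
    name: str
    schedule: str
    command: str

def normalize(text: str) -> str:
    """Collapse whitespace so purely cosmetic edits do not raise findings."""
    return " ".join(text.split())

def diff_against_baseline(baseline, snapshot):
    """Return sorted (host, name, finding) tuples for every deviation."""
    approved = {(j.host, normalize(j.name)): j for j in baseline}
    seen, findings = set(), []
    for job in snapshot:
        key = (job.host, normalize(job.name))
        seen.add(key)
        known = approved.get(key)
        if known is None:
            findings.append((job.host, job.name, "unapproved_job"))
            continue
        if normalize(job.command) != normalize(known.command):
            findings.append((job.host, job.name, "command_changed"))
        if normalize(job.schedule) != normalize(known.schedule):
            findings.append((job.host, job.name, "schedule_changed"))
    # Approved jobs absent from the snapshot: removed, or a collection gap.
    for key, known in approved.items():
        if key not in seen:
            findings.append((known.host, known.name, "missing_from_snapshot"))
    return sorted(findings)

# Constructed sample data (hypothetical hosts, job names and commands).
BASELINE = [
    Job("app01", "nightly-backup", "0 2 * * *", "/opt/backup/run.sh --full"),
    Job("app01", "log-rotate", "0 0 * * 0", "/usr/sbin/logrotate /etc/logrotate.conf"),
    Job("db01", "index-rebuild", "30 3 * * 6", "/opt/db/reindex.sh"),
]
SNAPSHOT = [
    Job("app01", "nightly-backup", "0 2 * * *", "/opt/backup/run.sh  --full"),
    Job("app01", "log-rotate", "*/5 * * * *", "/usr/sbin/logrotate /etc/logrotate.conf"),
    Job("app01", "updater", "@reboot", "/tmp/u.sh"),
]

if __name__ == "__main__":
    for finding in diff_against_baseline(BASELINE, SNAPSHOT):
        print(finding)
```

A `missing_from_snapshot` finding is ambiguous by design: it can mean the job was removed or that collection did not reach that host, which is the blind spot the last list item asks teams to document.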
Mitigation priorities
- Establish ownership and review expectations for scheduled jobs in environments where they are operationally important.
- Maintain an approved inventory or baseline of expected scheduled job names, timing, and commands.
- Ensure incident responders and SOC analysts can rapidly access scheduled job metadata during triage.
- Use local change-control and administrative review processes to reduce untracked or unauthorized scheduled job configuration.
- Because ATT&CK supplies no mitigation guidance for this data component, validate controls against local systems and business processes.
Analyst notes and limits
The supplied ATT&CK object is sparse: it defines the data component and examples of metadata fields, but provides no platforms, tactics, detection text, or relationship context. The practical value is therefore in coverage validation and response readiness rather than a specific analytic prescribed by ATT&CK.
No active exploitation, attribution, platforms, tactics, techniques, or official detection logic are supplied. Any detection or prioritization must be validated against the organization’s actual scheduled job mechanisms, telemetry sources, and approved automation baseline.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.0 | | Current bundle | b34c2addb548… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack DC0005
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.