AN0258: Analytic 0258
Detects creation or modification of scheduled tasks using schtasks.exe, at.exe, or COM objects followed by execution of outlier processes tied to the scheduled job.
Analyst context for executives and security teams
This analytic matters because Windows scheduled tasks are a common persistence and automation mechanism, and the supplied ATT&CK object focuses on detecting task creation or modification followed by unusual process execution tied to that task. For leaders, the decision value is whether the organization can reliably see and investigate changes to scheduled execution paths before they become a persistence blind spot during an incident.
Executive priority
Prioritize this as a Windows visibility and incident-readiness control check. Security leaders should ask whether SOC teams can prove they collect scheduled task creation/modification evidence, connect it to subsequent process execution, and distinguish normal administration from outlier behavior. This supports resilience, audit evidence for endpoint monitoring, and faster incident scoping when scheduled jobs are suspected.
Technical view
For Windows environments, validate detection logic that correlates scheduled task creation or modification using schtasks.exe, at.exe, or COM objects with later execution of unusual child or related processes associated with the scheduled job. Because the official detection text is not provided and no ATT&CK relationships are supplied, teams should treat this as an analytic validation target rather than a complete detection specification. Focus on correlation quality, process lineage, task metadata, command-line capture, and baselining expected scheduled task behavior.
Likely telemetry
- Windows process creation events, including executable name, command line, parent process, user, and host
- Scheduled task creation and modification events or equivalent endpoint telemetry
- Evidence of schtasks.exe and at.exe execution
- Telemetry indicating scheduled task activity through COM objects where available
- Subsequent process execution tied to the scheduled job
Detection direction
- Validate that telemetry can identify scheduled task creation or modification on Windows, not only task execution.
- Correlate task changes with later outlier process execution tied to the scheduled job, rather than alerting only on schtasks.exe or at.exe usage.
- Baseline legitimate administrative and software-maintenance scheduled tasks to reduce false positives.
- Check blind spots around COM-based scheduled task manipulation, incomplete command-line logging, missing task metadata, and short telemetry retention.
- Tune triage to preserve the relationship between task author, task definition, execution time, and resulting process behavior.
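The correlation the "Likely telemetry" and "Detection direction" items describe, as an added worked example (not the ATT&CK object's official detection logic and not Glexia's code). It assumes a normalized event schema (constructed here), that task actions are launched as children of the Task Scheduler service host svchost.exe, a constructed baseline of expected task executables, and constructed sample events with hypothetical hostnames. Task creation via schtasks.exe or at.exe is recovered from command lines; COM-created tasks are only visible through a separate task create/modify event, which is why that telemetry is listed as required above.

```python
"""Correlate scheduled-task creation or modification with later outlier
execution of the task's action. Added example; constructed schema and data."""
import ntpath
import shlex
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple, Union


@dataclass
class ProcEvent:
    """Normalized process-creation event (constructed schema)."""
    ts: datetime
    host: str
    user: str
    image: str          # executable basename, lower-case
    cmdline: str
    parent_image: str   # basename of the parent process


@dataclass
class TaskEvent:
    """Normalized task create/modify event from audit or EDR telemetry.
    A COM-created task only becomes visible this way: no schtasks.exe line exists."""
    ts: datetime
    host: str
    author: str
    name: str
    run_cmd: str        # the task action's command line


Event = Union[ProcEvent, TaskEvent]

# Constructed baseline of images that legitimately run from scheduled tasks.
BASELINE_TASK_IMAGES = {"backupagent.exe", "msedgeupdate.exe"}
# Assumption: task actions start as children of the Task Scheduler service host
# (svchost.exe); adjust to however your telemetry attributes the parent.
SCHEDULER_PARENT = "svchost.exe"
CORRELATION_WINDOW = timedelta(hours=24)


def _exe_of(cmd: str) -> str:
    """Lower-case basename of the executable named first in a Windows command line."""
    toks = shlex.split(cmd, posix=False)     # non-POSIX mode keeps backslashes and quotes
    return ntpath.basename(toks[0].strip('"')).lower() if toks else ""


def parse_schtasks(cmdline: str) -> Optional[Tuple[str, str]]:
    """Return (task name, run command) from a schtasks /create or /change line."""
    toks = shlex.split(cmdline, posix=False)
    low = [t.lower() for t in toks]
    if not {"/create", "/change"} & set(low):
        return None
    name = run = None
    for i, t in enumerate(low[:-1]):
        if t == "/tn":
            name = toks[i + 1].strip('"')
        elif t == "/tr":
            run = toks[i + 1].strip('"')
    return (name, run) if name and run else None


def task_from_proc(ev: ProcEvent) -> Optional[TaskEvent]:
    """Derive a TaskEvent from a schtasks.exe or at.exe process-creation event."""
    if ev.image == "schtasks.exe":
        parsed = parse_schtasks(ev.cmdline)
        if parsed:
            return TaskEvent(ev.ts, ev.host, ev.user, parsed[0], parsed[1])
    elif ev.image == "at.exe":
        toks = shlex.split(ev.cmdline, posix=False)
        if len(toks) >= 3 and toks[1][:1].isdigit():   # at.exe HH:MM [opts] command
            return TaskEvent(ev.ts, ev.host, ev.user, "at-job", toks[-1].strip('"'))
    return None


def correlate(events: List[Event]) -> List[dict]:
    """Alert when the scheduler launches an image matching a task created or
    modified earlier on the same host, unless that image is in the baseline."""
    tasks: Dict[Tuple[str, str], TaskEvent] = {}   # (host, action exe) -> task
    alerts: List[dict] = []
    for ev in sorted(events, key=lambda e: e.ts):
        task = ev if isinstance(ev, TaskEvent) else task_from_proc(ev)
        if task is not None:                        # record the task definition
            tasks[(task.host, _exe_of(task.run_cmd))] = task
            continue
        if ev.parent_image != SCHEDULER_PARENT:     # not launched by the scheduler
            continue
        task = tasks.get((ev.host, ev.image))
        if (task and ev.image not in BASELINE_TASK_IMAGES
                and ev.ts - task.ts <= CORRELATION_WINDOW):
            # Keep author, definition, creation and execution time together for triage.
            alerts.append({"host": ev.host, "task": task.name, "author": task.author,
                           "created": task.ts, "executed": ev.ts, "image": ev.image,
                           "cmdline": ev.cmdline, "run_as": ev.user})
    return alerts


T0 = datetime(2026, 1, 5, 9, 0)
SAMPLE_EVENTS: List[Event] = [   # constructed telemetry, not real logs
    ProcEvent(T0, "ws01", "CORP\\jdoe", "schtasks.exe",
              'schtasks.exe /create /tn "OfficeSync" /tr "C:\\Users\\Public\\sync.exe -q" /sc minute /mo 10',
              "cmd.exe"),
    ProcEvent(T0 + timedelta(minutes=10), "ws01", "SYSTEM", "sync.exe",
              '"C:\\Users\\Public\\sync.exe" -q', SCHEDULER_PARENT),
    TaskEvent(T0 + timedelta(hours=1), "ws02", "CORP\\svc_backup", "NightlyBackup",
              '"C:\\Program Files\\Backup\\backupagent.exe" /full'),   # e.g. COM-created
    ProcEvent(T0 + timedelta(hours=2), "ws02", "SYSTEM", "backupagent.exe",
              '"C:\\Program Files\\Backup\\backupagent.exe" /full', SCHEDULER_PARENT),
    ProcEvent(T0 + timedelta(hours=3), "ws01", "CORP\\jdoe", "at.exe",
              'at.exe 23:00 /every:M "C:\\ProgramData\\t.exe"', "cmd.exe"),
    ProcEvent(T0 + timedelta(hours=14), "ws01", "SYSTEM", "t.exe",
              '"C:\\ProgramData\\t.exe"', SCHEDULER_PARENT),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)   # two alerts: OfficeSync -> sync.exe and at-job -> t.exe
```

On the sample data the baseline suppresses the backup agent on ws02 while the two tasks on ws01 alert, each carrying the task author, creation time and execution time. The window and the parent attribution are the two knobs a SOC would tune against its own telemetry; the key-by-executable design also means a task whose definition is later changed to a new action is re-keyed, which is the /change case the analytic asks for.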
Mitigation priorities
- Ensure Windows endpoint logging and EDR coverage capture scheduled task changes and related process execution.
- Restrict and review administrative permissions that allow scheduled task creation or modification.
- Maintain an inventory or baseline of expected scheduled tasks on important Windows systems.
- Use change-control or administrative monitoring for new or modified scheduled jobs on sensitive assets.
- During incident response, include scheduled task review in persistence scoping and containment workflows.
Analyst notes and limits
The object is a detection analytic, AN0258, for Windows. It describes detection of scheduled task creation or modification using schtasks.exe, at.exe, or COM objects followed by execution of outlier processes tied to the scheduled job. No tactics, relationships, or official detection logic were supplied, so this take emphasizes validation questions and telemetry requirements rather than a precise rule.
This assessment is limited to the supplied ATT&CK fields and external reference. It does not establish active exploitation, attribution, impact, complete coverage, or applicability beyond Windows. Local baselines, available endpoint telemetry, and SOC correlation capability are required to determine operational value.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 6d4653781441… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack AN0258 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.