MITRE ATT&CK® Detection Strategy

DET0094: Cross-Platform Behavioral Detection of Scheduled Task/Job Abuse

Enterprise | DET0094 | Detection Strategy | Object v1.0 | Modified

Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This detection strategy is intended to help defenders identify abuse of scheduled task or job mechanisms associated with ATT&CK technique T1053. The business significance is that scheduled execution can turn a one-time compromise into recurring execution, persistence, or privilege escalation, which affects incident containment and recovery confidence. Because the object has no official detection text or platform list of its own, teams should treat it as a prompt to validate coverage around the related technique rather than as a complete analytic specification.

Executive priority

Prioritize this as a resilience and incident-readiness question: can the organization prove it can see and investigate suspicious scheduled task/job activity before it enables recurring execution or persistence? Security leaders should ask whether SOC monitoring, IR playbooks, and audit evidence cover the environments tied to the related ATT&CK technique: Containers, ESXi, Linux, and macOS. Budget and control decisions should focus on telemetry availability, retention, ownership of scheduled execution mechanisms, and response authority to disable or investigate unauthorized jobs.

Technical view

The supplied relationship states this strategy detects T1053, Scheduled Task/Job, which is associated with execution, persistence, and privilege escalation. SOC and detection engineering teams should validate behavioral analytics that identify creation, modification, or suspicious execution of scheduled jobs across the supported related platforms: Containers, ESXi, Linux, and macOS. Because ATT&CK provides no official detection logic for DET0094 in the supplied fields, local baselining is required to distinguish administrative automation from anomalous scheduled execution.

Likely telemetry

  • Scheduled task/job creation and modification records where available
  • Process execution telemetry tied to scheduled job launchers or schedulers
  • Command-line and script execution metadata
  • Authentication and privilege context for the account creating or modifying jobs
  • Container, ESXi, Linux, and macOS host or platform logs relevant to scheduled execution

Detection direction

  • Validate that monitoring covers scheduled job creation, modification, deletion, and execution outcomes, not only process starts.
  • Tune detections against known administrative automation, maintenance windows, and approved orchestration to reduce false positives.
  • Correlate scheduled job changes with identity context, privilege level, source host, and subsequent process execution.
  • Use the related T1053 tactics—execution, persistence, and privilege escalation—to prioritize alerts where scheduled jobs create recurring or elevated execution paths.
  • Identify blind spots in Container, ESXi, Linux, and macOS logging, since DET0094 itself does not provide platform-specific detection details.
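
One way to exercise the creation, modification, and deletion coverage and the baselining described above is to diff two snapshots of scheduler files against an approved baseline. This is an added example, not ATT&CK or Glexia detection logic; the function names and sample entries are hypothetical, and it assumes Linux system-crontab syntax (`/etc/crontab`, `/etc/cron.d`), where each job line carries a user field.

```python
import re

# Environment assignments such as MAILTO=ops are not jobs.
ENV_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*\s*=")

def parse_jobs(text):
    """Return the job lines of a crontab file, whitespace-normalized."""
    lines = (" ".join(raw.split()) for raw in text.splitlines())
    return {ln for ln in lines if ln and not ln.startswith("#") and not ENV_LINE.match(ln)}

def job_user(job):
    """User field of a system-crontab line (/etc/crontab, /etc/cron.d format)."""
    fields = job.split()
    idx = 1 if fields[0].startswith("@") else 5
    return fields[idx] if len(fields) > idx + 1 else None

def diff_snapshots(old, new, approved):
    """Diff two {path: crontab_text} snapshots against an approved baseline.

    New or changed job lines need review unless approved; a vanished job line
    needs review when it WAS approved (expected automation disappeared).
    """
    findings = []
    for path in sorted(set(old) | set(new)):
        before, after = parse_jobs(old.get(path, "")), parse_jobs(new.get(path, ""))
        added_as = "modified" if path in old else "created"
        for job in sorted(after - before):
            findings.append({"action": added_as, "path": path, "job": job,
                             "user": job_user(job), "needs_review": job not in approved})
        for job in sorted(before - after):
            findings.append({"action": "deleted", "path": path, "job": job,
                             "user": job_user(job), "needs_review": job in approved})
    return findings

# Constructed sample snapshots (not real telemetry).
OLD = {"/etc/cron.d/backup": "# nightly\nMAILTO=ops\n0 2 * * * root /usr/local/bin/backup.sh\n",
       "/etc/cron.d/report": "15 6 * * 1 svc_report /opt/report/run.sh\n"}
NEW = {"/etc/cron.d/backup": "MAILTO=ops\n30 2 * * *   root /usr/local/bin/backup.sh\n",
       "/etc/cron.d/report": "15 6 * * 1 svc_report /opt/report/run.sh\n",
       "/etc/cron.d/sync": "*/5 * * * * root /tmp/sync.sh\n"}
APPROVED = {"0 2 * * * root /usr/local/bin/backup.sh",
            "15 6 * * 1 svc_report /opt/report/run.sh"}

if __name__ == "__main__":
    for f in diff_snapshots(OLD, NEW, APPROVED):
        print(f)
```

A schedule change appears as a `deleted` line plus a `modified` line for the same file, so an approved job whose timing was altered is surfaced twice for review, while the unchanged report job produces no finding.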

Mitigation priorities

  • Establish ownership and approval paths for legitimate scheduled tasks and jobs.
  • Restrict who can create or modify scheduled execution mechanisms, especially in privileged contexts.
  • Maintain logging and retention sufficient to reconstruct scheduler changes during incident response.
  • Baseline expected scheduled jobs and automation so unexpected additions or changes are reviewable.
  • Include scheduled task/job review in incident containment and recovery checklists to reduce persistence risk.

Analyst notes and limits

The value of this object is relationship-driven: DET0094 is a detection strategy for T1053 Scheduled Task/Job. The supplied ATT&CK fields do not include an official description, official detection text, tactics, or platforms for the detection strategy itself, so recommendations are framed around the related technique and conservative defensive validation.

This take is limited to the supplied STIX fields, external reference, and the relationship to T1053. It does not assert active exploitation, actor usage, guaranteed detection, or coverage of platforms beyond the related technique context. Local scheduler implementations, logging configuration, and administrative practices must determine final analytic logic and severity.

Official MITRE ATT&CK definition

Cross-Platform Behavioral Detection of Scheduled Task/Job Abuse

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

| Domain | ID | Name | Relationship / procedure |
| Enterprise | T1053 | Scheduled Task/Job | This object detects Scheduled Task/Job. |

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 8dc0162f2de58d23...

Imported snapshots across ATT&CK releases (1)

| Release | Bundle imported | Object version | Modified | Status | Raw hash |
| 19.1 | | 1.0 | | Current bundle | 8dc0162f2de5… |

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack DET0094

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.