DET0441: Detection of Suspicious Scheduled Task Creation and Execution on Windows
Analyst context for executives and security teams
DET0441 is a MITRE detection strategy for suspicious Windows Scheduled Task creation and execution, mapped to ATT&CK technique T1053.005. The business significance is that scheduled tasks can provide reliable recurring execution, persistence, or privilege-related execution paths on Windows systems, so weak visibility here can delay incident containment and make it harder to prove whether an endpoint remained clean after remediation.
Executive priority
Security leaders should treat this as a Windows endpoint resilience and incident-readiness control area. The key decision is whether the organization can show, with evidence, who created or ran scheduled tasks, on which systems, and whether those tasks match approved administration patterns. This matters for SOC triage, incident response scoping, audit evidence around privileged activity, and prioritizing endpoint telemetry and access control investments.
Technical view
The supplied relationship maps this detection strategy to T1053.005 Scheduled Task, associated with execution, persistence, and privilege-escalation tactics on Windows. SOC and detection teams should validate visibility into scheduled task creation and execution, especially activity involving Task Scheduler interfaces such as command-line use of schtasks or administrative GUI-driven task creation. Detections should focus on abnormal task names, paths, accounts, timing, command targets, parent processes, and deviations from known administrative baselines, while allowing for legitimate IT automation.
Likely telemetry
- Windows endpoint process creation telemetry, including command line and parent process context
- Scheduled task creation, modification, registration, and execution events
- Windows security and system logs showing account context and privilege use
- Endpoint file or configuration evidence for scheduled task definitions where available
- Asset, user, and administrative baseline data to distinguish approved automation from suspicious tasks
Detection direction
- Confirm that Windows systems in scope generate and forward telemetry for scheduled task creation and execution, not just process start events.
- Tune analytics around task creation by unusual users, unexpected hosts, suspicious execution paths, or tasks that run repeatedly outside normal maintenance windows.
- Correlate scheduled task activity with execution, persistence, and privilege-escalation investigation workflows because the related ATT&CK technique spans all three tactics.
- Account for false positives from software deployment tools, backup agents, monitoring products, and administrator maintenance scripts.
- Identify blind spots where local logs roll over quickly, endpoint agents omit command-line details, or privileged administrators can create tasks without centralized review.
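The baseline-deviation checks listed above, worked as an added example (not code from the ATT&CK object or from the Glexia page): each task-creation record is compared against a constructed local baseline of approved task names, administrative accounts, admin tooling parents, a maintenance window and user-writable paths. The event field names and all baseline values are assumptions modelled loosely on Security event 4698 joined to process-creation telemetry.

```python
import re
from datetime import datetime

# Constructed local baseline (assumed values, not from the ATT&CK object).
APPROVED_TASKS = {r"\Backup\NightlyAgent", r"\Microsoft\Windows\Defender\Scheduled Scan"}
ADMIN_ACCOUNTS = {r"CORP\svc-deploy", r"CORP\it-admin"}
ADMIN_TOOLING = {r"c:\program files\deploy\deploy.exe", r"c:\windows\system32\mmc.exe"}
MAINTENANCE_HOURS = range(1, 5)            # 01:00-04:59 local time
USER_WRITABLE = re.compile(r"\\(appdata|temp|users\\public|programdata)\\", re.I)

def triage(ev):
    """Return the baseline deviations for one task-creation event.

    ev is a dict with keys time, host, user, task_name, action, parent,
    modelled loosely on Security event 4698 joined to process telemetry.
    """
    reasons = []
    if ev["task_name"] not in APPROVED_TASKS:
        reasons.append("task name not in approved baseline")
    if ev["user"] not in ADMIN_ACCOUNTS:
        reasons.append("creator is not an approved admin/service account")
    if USER_WRITABLE.search(ev["action"]):
        reasons.append("action executes from a user-writable path")
    if datetime.fromisoformat(ev["time"]).hour not in MAINTENANCE_HOURS:
        reasons.append("registered outside the maintenance window")
    if ev["parent"].lower() not in ADMIN_TOOLING:
        reasons.append("schtasks launched by non-standard parent process")
    return reasons

def triage_all(events):
    """Map (host, task_name) to its deviations; an empty list means baseline match."""
    return {(e["host"], e["task_name"]): triage(e) for e in events}

# Constructed sample events: one approved deployment task, one that deviates.
SAMPLE_EVENTS = [
    {"time": "2026-03-01T02:10:00", "host": "WS-FIN-07", "user": r"CORP\svc-deploy",
     "task_name": r"\Backup\NightlyAgent",
     "action": r"C:\Program Files\BackupAgent\agent.exe",
     "parent": r"C:\Program Files\Deploy\deploy.exe"},
    {"time": "2026-03-01T14:32:00", "host": "WS-FIN-07", "user": r"CORP\jdoe",
     "task_name": r"\Updater",
     "action": r"C:\Users\jdoe\AppData\Roaming\upd.exe",
     "parent": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for key, reasons in triage_all(SAMPLE_EVENTS).items():
        print(key, "OK" if not reasons else reasons)
```

In production the baseline sets would be loaded per asset class rather than hard-coded, and the deviation list is what the analyst correlates with the persistence and privilege-escalation workflows named above.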
Mitigation priorities
- Establish an approved baseline of scheduled tasks for critical Windows assets and investigate deviations.
- Limit who can create or modify scheduled tasks through least privilege and privileged access governance.
- Require administrative task creation to be attributable to named accounts or controlled service accounts.
- Retain sufficient endpoint and Windows log history to support incident response scoping after suspicious task activity.
- Include scheduled task review in endpoint hardening, IR containment checklists, and post-remediation validation.
Analyst notes and limits
The ATT&CK object itself provides no official description or detection text, so this take relies on the object name and its supplied relationship to T1053.005 Scheduled Task. The most important local validation is whether task creation and execution events are actually collected and correlated with user, host, and process context.
No ATT&CK-provided detection logic, data component list, platform field, or procedure examples were supplied for DET0441. The Windows focus is supported by the related T1053.005 technique and the detection strategy name, not by the detection strategy platform field itself. Local baselines are required to separate legitimate administration from suspicious scheduled task use.
Detection of Suspicious Scheduled Task Creation and Execution on Windows
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1053.005 | Scheduled Task Sub-technique | This object detects Scheduled Task. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 22f93cfeac37… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack DET0441
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.