MITRE ATT&CK® Tool

S0111: schtasks

schtasks is used to schedule execution of programs or scripts on a Windows system to run at a specific date and time. [1]

Enterprise | S0111 | Tool | Object v1.2 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

schtasks is a legitimate Windows command-line utility for scheduling programs or scripts. Its business relevance is that the same built-in function administrators use for automation can also support adversary execution, persistence, and privilege-escalation behavior through Windows Scheduled Tasks. Because it is native to Windows, risk is less about blocking a rare tool and more about proving the organization can distinguish expected operational task scheduling from suspicious or unauthorized task creation and execution.

Executive priority

Security leaders should treat schtasks coverage as a Windows resilience and incident-readiness question: do SOC and IR teams have enough endpoint and command-line visibility to explain who created or changed scheduled tasks, what ran, when it ran, and under which account? This matters for continuity because recurring execution mechanisms can let unwanted code survive reboots or reappear after partial cleanup. It also supports audit and compliance evidence around administrative activity monitoring, privileged account use, and change control for scheduled automation.

Technical view

ATT&CK links schtasks to Scheduled Task behavior on Windows under execution, persistence, and privilege escalation. Detection teams should validate visibility into schtasks process execution and scheduled task creation, modification, deletion, and run events. Triage should focus on context: unusual parent processes, unexpected users, task names or paths outside known administration patterns, scripts or binaries launched from uncommon locations, and task activity near other suspicious Windows execution. Relationship context shows multiple ATT&CK groups have used this object, but the supplied data does not provide procedure-level detail; use that only as prioritization context, not as attribution evidence.

Likely telemetry

  • Windows endpoint process creation telemetry, including command line where available
  • Scheduled Task creation, modification, deletion, and execution events
  • User and account context for task registration and execution
  • Parent-child process relationships involving schtasks.exe
  • File path and script/binary execution details for task actions

Detection direction

  • Baseline approved scheduled tasks and normal administrative use of schtasks on Windows systems.
  • Alert or hunt for new or modified scheduled tasks that execute scripts, binaries, or commands outside expected operational locations.
  • Correlate schtasks execution with account context, parent process, host role, and timing to reduce false positives from legitimate administration.
  • Validate that telemetry captures command-line arguments and task action details; without these, distinguishing benign automation from suspicious scheduling is difficult.
  • Use the linked Scheduled Task technique context to align detections to execution, persistence, and privilege-escalation scenarios rather than treating schtasks as inherently malicious.
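The detection direction above (a baseline of approved tasks, action paths outside expected locations, parent-process and account context) can be turned into simple triage logic. The following is an added example, not code from the Glexia page or from MITRE ATT&CK: it scores constructed, Sysmon-style process-creation records for schtasks.exe against a constructed baseline. The field names (host, user, parent, image, cmdline), the approved task and directory lists, the expected parents and admin accounts, and the sample events are all assumptions for illustration; the /create, /change, /delete, /run, /tn, /tr and /ru switches are real schtasks switches, but the parsing and scoring are this example's own.

```python
"""Context-driven triage of schtasks.exe process-creation events.

Added example, not from the Glexia page or from MITRE ATT&CK. It applies the
page's detection direction (baseline of approved tasks, action paths outside
expected locations, parent-process and account context) to constructed
process-creation records. Field names, baselines and sample events are
assumptions for illustration, not a real environment's data.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed baseline: approved task names and the directories their actions may live in.
APPROVED_TASKS = {"corppatchcheck", "backupagentsync"}
APPROVED_ACTION_DIRS = ("c:\\program files\\", "c:\\windows\\system32\\", "c:\\corpops\\")
# Constructed context: processes and accounts expected to drive task registration.
EXPECTED_PARENTS = {"cmd.exe", "powershell.exe", "svchost.exe", "sccmagent.exe"}
ADMIN_ACCOUNTS = {"corp\\svc-sccm", "corp\\it-admin"}
SCRIPT_EXTENSIONS = (".ps1", ".vbs", ".js", ".bat", ".cmd", ".hta")

VERB_RE = re.compile(r"/(create|change|delete|run|end|query)\b", re.IGNORECASE)
# /tn, /tr and /ru values, quoted or bare (real schtasks switches; the parsing is ours).
ARG_RE = re.compile(r'/(tn|tr|ru)\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)


@dataclass
class Finding:
    host: str
    verb: Optional[str]
    task_name: Optional[str]
    action: Optional[str]
    score: int
    reasons: list

    @property
    def verdict(self) -> str:
        """Bucket the score so an analyst can sort a queue; thresholds are assumptions."""
        if self.score >= 5:
            return "investigate"
        if self.score >= 3:
            return "review"
        return "baseline"


def parse_schtasks(cmdline: str):
    """Return (verb, {tn, tr, ru}) from a schtasks command line; absent switches are omitted."""
    m = VERB_RE.search(cmdline)
    verb = m.group(1).lower() if m else None
    args = {}
    for name, quoted, bare in ARG_RE.findall(cmdline):
        args[name.lower()] = quoted if quoted else bare
    return verb, args


def triage(event: dict) -> Finding:
    """Score one process-creation record for the contextual signals the page lists."""
    verb, args = parse_schtasks(event["cmdline"])
    tn, tr = args.get("tn"), args.get("tr")
    reasons, score = [], 0
    if verb not in {"create", "change", "delete", "run"}:
        # /query, /end or an unparsed line: keep the record, but nothing to score here.
        return Finding(event["host"], verb, tn, tr, 0, ["no task creation, change, delete or run"])
    if verb != "run":
        score += 1
        reasons.append(f"task {verb}")
    if tn is not None and tn.strip("\\").lower() not in APPROVED_TASKS:
        score += 2
        reasons.append("task name not in approved inventory")
    if tr is not None:
        action = tr.lower().strip()
        first_token = action.split(maxsplit=1)[0] if action else ""
        if not action.startswith(APPROVED_ACTION_DIRS):
            score += 3
            reasons.append("action path outside expected locations")
        if first_token.endswith(SCRIPT_EXTENSIONS):
            score += 1
            reasons.append("action is a script")
    if event["parent"].lower() not in EXPECTED_PARENTS:
        score += 2
        reasons.append(f"unexpected parent {event['parent']}")
    if event["user"].lower() not in ADMIN_ACCOUNTS:
        score += 2
        reasons.append(f"non-admin account {event['user']}")
        if (args.get("ru") or "").lower() in {"system", "nt authority\\system"}:
            score += 2
            reasons.append("non-admin requested a SYSTEM run-as context")
    return Finding(event["host"], verb, tn, tr, score, reasons)


def triage_events(events):
    """Triage only records whose image is schtasks.exe; findings keep input order."""
    return [triage(e) for e in events if e["image"].lower().endswith("\\schtasks.exe")]


# Constructed process-creation records (Sysmon-style fields, simplified to basenames).
SAMPLE_EVENTS = [
    {"host": "ws-042", "user": "CORP\\svc-sccm", "parent": "sccmagent.exe",
     "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": r'schtasks /create /tn "CorpPatchCheck" /tr "C:\Program Files\CorpOps\patchcheck.exe" /sc daily /st 02:00 /f'},
    {"host": "ws-117", "user": "CORP\\jdoe", "parent": "winword.exe",
     "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": r'schtasks /create /tn "Updater" /tr "C:\Users\jdoe\AppData\Local\Temp\upd.vbs" /sc minute /mo 15'},
    {"host": "srv-db01", "user": "CORP\\it-admin", "parent": "cmd.exe",
     "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": r'schtasks /query /fo LIST /v'},
    {"host": "ws-117", "user": "CORP\\jdoe", "parent": "explorer.exe",
     "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": r'notepad.exe schedule.txt'},
]

if __name__ == "__main__":
    for f in triage_events(SAMPLE_EVENTS):
        print(f"{f.host}: {f.verdict} (score {f.score}) {f.verb} {f.task_name!r} -> {'; '.join(f.reasons)}")
```

The point of the scoring is that no single signal decides: the approved SCCM-driven task scores only for being a creation event, while the document-spawned task in a user temp directory accumulates every contextual signal at once. Without command-line capture the /tn and /tr values are unavailable and most of these rules cannot fire, which is the telemetry caveat the detection direction already makes.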

Mitigation priorities

  • Maintain an inventory of approved scheduled tasks on critical Windows systems.
  • Limit who can create or modify scheduled tasks through appropriate administrative privilege controls.
  • Review privileged and service account use for scheduled automation and remove unnecessary rights.
  • Include scheduled task inspection in incident response containment and eradication checklists.
  • Use change control or configuration management evidence to separate authorized automation from unexpected task creation.

Analyst notes and limits

schtasks is legitimate Windows software, so detection should be behavior- and context-driven. The ATT&CK object has no official detection text and no tactics directly assigned to the tool, but it is related to T1053.005 Scheduled Task, which provides the relevant execution, persistence, and privilege-escalation framing. Group relationships indicate reported use by APT3, BRONZE BUTLER, and Kimsuky in ATT&CK, but they should not be used alone for attribution.

This take is limited to the supplied ATT&CK fields and relationships. No official detection guidance, procedure examples, command patterns, or mitigation text were provided for this software object. Local baselines, endpoint logging configuration, administrative practices, and incident evidence are required to determine actual exposure or coverage.

Official MITRE ATT&CK definition

schtasks

schtasks is used to schedule execution of programs or scripts on a Windows system to run at a specific date and time. [1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain      ID         Name            Relationship / procedure
Enterprise  T1053.005  Scheduled Task  Sub-technique. schtasks is used to schedule tasks on a Windows system to run at a specific date and time. [1]

Associated objects

Groups, software, and campaigns

Group Enterprise

G0022: APT3

APT3 is a China-based threat group that researchers have attributed to China's Ministry of State Security.[1][2] This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap.[1][3] As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong.[4]

Group Enterprise

G0094: Kimsuky

Kimsuky is a Democratic People's Republic of Korea (DPRK)-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter experts in various fields. Its operations expanded to include the United Nations and organizations in the government, education, business services, and manufacturing sectors across the United States, Japan, Russia, and Europe. Kimsuky has focused collection on foreign policy and national security issues tied to the Korean Peninsula, nuclear policy, and sanctions. Kimsuky operations have overlapped with those of other North Korean state-sponsored cyber espionage actors as a result of ad hoc collaborations or other limited resource sharing.[1][2][3][4][5][6]

Kimsuky was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).[7][8][9] In 2023, Kimsuky was observed using commercial large language models (LLMs) to assist with vulnerability research, scripting, social engineering and reconnaissance.[10]

DPRK threat actor cluster boundaries overlap in open source reporting, with some security researchers consolidating all attributed North Korean state-sponsored cyber activity under Lazarus Group, rather than tracking operationally distinct subgroups.

Group Enterprise

G0060: BRONZE BUTLER

BRONZE BUTLER is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group primarily targets Japanese organizations, particularly those in government, biotechnology, electronics manufacturing, and industrial chemistry.[1][2][3]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.2
Created:
Modified:
Raw hash: e8b8eb9d0b611e1b...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.2                       Current bundle  e8b8eb9d0b61…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] TechNet Schtasks: Microsoft. (n.d.). Schtasks. Retrieved April 28, 2016.
  2. [2] mitre-attack S0111

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.