
DETECTION OVERVIEW

Scheduled Task Enumeration

Risk Factors

Scheduled task enumeration is uncommon because it is more efficient to create a new task than to enumerate and modify existing tasks. Enumeration activity typically does not negatively affect network performance, but attackers can leverage the information they collect to find new targets in an attack campaign.

The system might change the risk score for this detection.

Kill Chain

Reconnaissance

Risk Score

38


Attack Background

Microsoft Windows systems include a scheduled task feature that enables users to specify a time to run a script or program. An attacker can manipulate scheduled tasks to regularly run malicious programs, establishing a persistent presence on a victim device. Scheduled task enumeration is a reconnaissance technique an attacker can perform to determine which scheduled task to manipulate. First, an attacker must gain access to a victim device with a valid set of credentials and local administrator privileges. Next, the attacker can issue a command with a Windows utility (such as schtasks.exe). The utility sends multiple Microsoft remote procedure calls (MSRPC) to query specific information about each scheduled task, such as the schedule name and the scheduled start time.
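As an added illustration (not RevealX detection logic and not code from this page), the sketch below flags the pattern described above: one client listing tasks on a server and then issuing a burst of per-task MSRPC queries. The operation names come from Microsoft's MS-TSCH Task Scheduler interface rather than from this page; the record layout, addresses, and thresholds are constructed assumptions.

```python
from collections import defaultdict

# MS-TSCH (ITaskSchedulerService) read-only operations; names come from the
# protocol specification, not from this page.
ENUM_OPS = {"SchRpcEnumFolders", "SchRpcEnumTasks"}
QUERY_OPS = {"SchRpcRetrieveTask", "SchRpcGetTaskInfo",
             "SchRpcGetLastRunInfo", "SchRpcScheduledRuntimes"}

def find_enumeration(records, window=60, min_queries=5):
    """Return sorted (client, server) pairs where a listing call is followed by
    at least min_queries per-task queries within `window` seconds.
    Both thresholds are assumed values for this example."""
    by_pair = defaultdict(list)
    for ts, client, server, op in records:
        by_pair[(client, server)].append((ts, op))
    flagged = []
    for pair, calls in by_pair.items():
        calls.sort()
        for i, (start, op) in enumerate(calls):
            if op not in ENUM_OPS:
                continue
            queries = sum(1 for ts, q in calls[i + 1:]
                          if q in QUERY_OPS and ts - start <= window)
            if queries >= min_queries:
                flagged.append(pair)
                break
    return sorted(flagged)

def sample_records():
    """Constructed MSRPC call records: (epoch seconds, client, server, operation)."""
    recs = [(1000, "10.0.0.5", "10.0.0.20", "SchRpcEnumFolders"),
            (1000, "10.0.0.5", "10.0.0.20", "SchRpcEnumTasks")]
    # One host lists tasks, then queries each of eight tasks in turn.
    for n in range(8):
        recs.append((1001 + n, "10.0.0.5", "10.0.0.20", "SchRpcRetrieveTask"))
        recs.append((1001 + n, "10.0.0.5", "10.0.0.20", "SchRpcGetLastRunInfo"))
    # A management host registers a single new task: no enumeration burst.
    recs.append((1200, "10.0.0.9", "10.0.0.20", "SchRpcRegisterTask"))
    # A host lists tasks but queries only two, spread over time.
    recs += [(2000, "10.0.0.7", "10.0.0.21", "SchRpcEnumTasks"),
             (2005, "10.0.0.7", "10.0.0.21", "SchRpcGetTaskInfo"),
             (2400, "10.0.0.7", "10.0.0.21", "SchRpcGetTaskInfo")]
    return recs

if __name__ == "__main__":
    for client, server in find_enumeration(sample_records()):
        print(f"possible scheduled task enumeration: {client} -> {server}")
```

The single task registration in the sample is not flagged, which matches the point under Risk Factors that creating a task is the more common activity and enumeration is the unusual one.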

Mitigation Options

Limit the number of users with local administrator privileges in your environment

Implement network segmentation, security zones, and firewall policies that limit how devices can communicate

MITRE ATT&CK ID
