A scheduled task backdoor uses the Windows Task Scheduler to re-run an attacker’s payload on a trigger: at logon, at boot, on idle, or every few minutes. It is durable and flexible: a task can run as SYSTEM and survive reboots, and it blends in with the many legitimate scheduled tasks. Creating a task for all users or as SYSTEM needs admin rights; per-user tasks do not. It maps to MITRE ATT&CK T1053.005 and is a staple of Windows persistence.
What it is
The Windows Task Scheduler runs programs automatically based on triggers (a time, logon, boot, an event) and can run them under a chosen account, including SYSTEM. Legitimate software uses it constantly for updates and maintenance.
A scheduled task backdoor is simply a task the attacker creates whose action is their payload and whose trigger guarantees it runs again, giving reliable, repeatable execution.
The technique and payload
The attacker registers a task that relaunches their payload:
- At logon:
  schtasks /create /tn "Updater" /tr "C:\Users\Public\p.exe" /sc onlogon
- Every 5 minutes (resilient C2 callback):
  schtasks /create /tn "Sync" /tr "p.exe" /sc minute /mo 5
- As SYSTEM (needs admin): add /ru SYSTEM.
- PowerShell: Register-ScheduledTask does the same.
The task persists across reboots and reappears on its trigger. Documented for defensive context.
How to defend
- Monitor task creation and changes (Security event 4698 for creation and 4702 for updates, which require the "Audit Other Object Access Events" subcategory to be enabled; Sysmon process creation for what the task actually launches); alert on tasks whose action runs from user-writable paths or through scripting hosts.
- Baseline legitimate scheduled tasks so new ones stand out.
- Use application allow-listing so a task cannot launch an unknown binary.
- Limit local admin rights, since creating SYSTEM or all-user tasks requires them.
- Review tasks with frequent triggers (every-minute callbacks are suspicious).
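One way to put these checks into practice, as an added example that is not from the original page: the Python below parses Security event 4698 records (which embed the full task definition XML in the TaskContent field) and flags the conditions listed above, plus one more that the page's second command illustrates, an action given as a bare executable name rather than an absolute path. The event records, task definitions and baseline task names are constructed for the example; the user-writable path list, the scripting-host list and the 15-minute "frequent" threshold are assumptions to tune to your environment.

```python
"""Triage Windows Security event 4698 ("A scheduled task was created") records.

Added example, not code from the original page. It flags tasks whose action runs
from a user-writable path or via a scripting host, runs as SYSTEM, repeats more
often than every 15 minutes, or is missing from a baseline of known task names.
All sample events, task definitions and the baseline are constructed.
"""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumed tuning knobs: user-writable locations, scripting hosts, "frequent" threshold.
USER_WRITABLE = re.compile(r"[a-z]:\\users\\|[a-z]:\\windows\\temp\\|%(?:temp|tmp|appdata|localappdata|public)%", re.I)
ABSOLUTE = re.compile(r"^(?:[a-z]:\\|\\\\|%\w+%\\)", re.I)  # drive-, UNC- or %VAR%-rooted path
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
SYSTEM_IDS = {"S-1-5-18", "SYSTEM", "NT AUTHORITY\\SYSTEM"}
FREQUENT_SECONDS = 15 * 60

# Constructed baseline; in practice, export task names from known-clean hosts.
BASELINE = {"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "\\Contoso Updater"}


def iso_duration_seconds(value):
    """Convert a Task Scheduler duration such as PT5M or P1DT2H to seconds (None if malformed)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", (value or "").strip())
    if not m or m.group(0) == "P":
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def analyze_task(task_name, task_xml, baseline=BASELINE):
    """Return finding strings for one task definition XML (empty list = nothing flagged)."""
    # TaskContent starts with an encoding="UTF-16" declaration, but the text is already decoded.
    root = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", task_xml))
    findings = []
    for exec_node in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = exec_node.findtext("t:Command", "", TASK_NS).strip().strip('"')
        args = exec_node.findtext("t:Arguments", "", TASK_NS)
        exe = cmd.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if not ABSOLUTE.match(cmd):  # bare names are resolved through PATH lookup at run time
            findings.append(f"action command is not an absolute path: {cmd}")
        if USER_WRITABLE.search(cmd) or USER_WRITABLE.search(args):
            findings.append(f"action references a user-writable path: {cmd} {args}".rstrip())
        if exe in SCRIPT_HOSTS:
            findings.append(f"action uses a scripting host: {exe}")
    for principal in root.findall(".//t:Principals/t:Principal", TASK_NS):
        if principal.findtext("t:UserId", "", TASK_NS).strip().upper() in SYSTEM_IDS:
            findings.append("task runs as SYSTEM")
    for interval in root.findall(".//t:Triggers//t:Repetition/t:Interval", TASK_NS):
        secs = iso_duration_seconds(interval.text)
        if secs is not None and secs <= FREQUENT_SECONDS:
            findings.append(f"frequent trigger: repeats every {secs}s")
    if task_name not in baseline:
        findings.append("task name not in baseline")
    return findings


def triage_4698(event_xml, baseline=BASELINE):
    """Parse one 4698 event in Windows event-XML form and triage the embedded task."""
    ev = ET.fromstring(event_xml)
    data = {d.get("Name"): (d.text or "") for d in ev.findall(".//e:EventData/e:Data", EVENT_NS)}
    name = data.get("TaskName", "")
    return {"task": name, "creator": data.get("SubjectUserName", ""),
            "findings": analyze_task(name, data.get("TaskContent", "<Task/>"), baseline)}


def build_task_xml(triggers, command, arguments="", user_id="S-1-5-21-1000"):
    """Minimal task definition in the schema schtasks /create writes (constructed sample)."""
    return ('<?xml version="1.0" encoding="UTF-16"?>'
            '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
            f"<Triggers>{triggers}</Triggers>"
            f'<Principals><Principal id="Author"><UserId>{user_id}</UserId></Principal></Principals>'
            f'<Actions Context="Author"><Exec><Command>{escape(command)}</Command>'
            f"<Arguments>{escape(arguments)}</Arguments></Exec></Actions></Task>")


def build_event(user, task_name, task_xml):
    """Wrap a task definition in a minimal 4698 event (constructed sample, not a real log)."""
    return ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            "<System><EventID>4698</EventID></System><EventData>"
            f'<Data Name="SubjectUserName">{escape(user)}</Data>'
            f'<Data Name="TaskName">{escape(task_name)}</Data>'
            f'<Data Name="TaskContent">{escape(task_xml)}</Data></EventData></Event>')


# Constructed samples: the page's two attacker tasks and one benign, baselined task.
SAMPLE_EVENTS = [
    build_event("alice", "\\Updater", build_task_xml(
        "<LogonTrigger><Enabled>true</Enabled></LogonTrigger>", r"C:\Users\Public\p.exe")),
    build_event("alice", "\\Sync", build_task_xml(
        "<TimeTrigger><Repetition><Interval>PT5M</Interval></Repetition></TimeTrigger>",
        "powershell.exe", r"-File C:\Users\Public\s.ps1", user_id="S-1-5-18")),
    build_event("deploy-admin", "\\Contoso Updater", build_task_xml(
        "<CalendarTrigger><ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger>",
        r"C:\Program Files\Contoso\updater.exe", "/silent")),
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        r = triage_4698(event)
        print(f"{r['task']} (created by {r['creator']}): {r['findings'] or 'nothing flagged'}")
```

In production the events would come from Get-WinEvent or a SIEM export rather than the inline list, and a task modified in place (event 4702, which carries the new definition in the same way) should be run through the same analyzer so that an attacker editing an existing baselined task is caught as well. Expect some benign tasks to trip the user-writable path rule (per-user updaters under AppData are common), which is why the baseline check is combined with the others rather than replacing them.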
References
- [1] MITRE ATT&CK: Scheduled Task/Job (T1053) (MITRE)
- [2] Microsoft: Task Scheduler (Microsoft)
- [3] MITRE ATT&CK: Persistence (TA0003) (MITRE)