← LibraryTechnique entry
T1053Execution
Scheduled Task/Job
Use task schedulers to run code.
§ Where this technique fits
T1053 is catalogued under the Execution tactic of the offensive-security kill-chain. It appears in 2 approved dossiers in the registry, typically at step 4 on average.
Authoritative reference: attack.mitre.org/techniques/T1053/.
§ Dossiers chaining this technique
- step 4 / 6
Industroyer2 IEC-104 substation hijack
Timed payload speaks IEC-60870-5-104 to substation RTUs at attacker-chosen hour; sends 'open breaker' commands across a substation, blackouts a grid section.
- step 4 / 5
GPO write rights → Immediate scheduled task → SYSTEM on OU
GenericWrite on a linked GPO (or write rights to its SYSVOL folder) lets you drop a ScheduledTasks.xml that fires as SYSTEM on every machine in the OU at the next gpupdate.
§ What commonly comes next
- 01Command and Scripting Interpreterseen 1×T1059 · Execution
- 02IEC-104 Substation Controlseen 1×OT-ENERGY-IEC104 · Impact