Introduction
New and emerging threats may get the headlines, but if they’re all you’re focused on, your defense is hardly scraping the attack surface.
Tried-and-true techniques might not set Twitter on fire or snag all the clicks, but they are much more likely to take you out than something like a novel zero day. Adversaries like nation-states and ransomware tend to go for those attacks they know and love: phishing, unpatched vulnerabilities, scheduled tasks, and many many more.
Think about it this way: It’s great to stock up on seasonal goodies at the store, but you always need flour, sugar, and butter at home. That’s why we’re switching up our usual new and emerging threat content (that’s not going anywhere, don’t worry) and helping you defend yourself against the Adversary’s Arsenal in our newest series. We’ll be illuminating each point in the kill chain where you can either secure a win for the good guys, or a very long weekend for your incident response team.
Our first installment is all about T1053 – Scheduled Tasks. We’ll show you how to tell a false positive from a true one with this misleading technique using two incidents: one from the DFIR report, and one involving Conti in our platform.
Recent Relevant Intel
- https://app.snapattack.com/intelligence/e406277c-e4d3-40fc-981f-550cc90193e9 – Intelligence: Threat Hunting #25 – Scheduled Tasks for Persistence and/or Remote Execution
- https://app.snapattack.com/intelligence/07b682fb-a6f4-4386-ada0-c689e345a03e – Intelligence: HTML Smuggling Leads to Domain Wide Ransomware
- https://app.snapattack.com/intelligence/5d80bee3-f870-4456-a9d9-e1b7df73d4a1 – Intelligence: From ScreenConnect to Hive Ransomware in 61 hours
- https://app.snapattack.com/intelligence/36c5c853-4ad4-4889-95f8-3a23d9dea2b6 – Intelligence: Ukraine’s CERT Thwarts APT28’s Cyberattack on Critical Energy Infrastructure
Methods of Execution
Key Insights
Windows:
- Task Scheduler (GUI):
- Task Scheduler: This is the built-in graphical tool for creating and managing scheduled tasks on Windows. You can access it by searching for “Task Scheduler” in the Start menu or Control Panel. You can create tasks with triggers, actions, and conditions through a user-friendly interface.
- Command Line:
- Schtasks: You can use the schtasks command-line utility to create, modify, or delete scheduled tasks. Open Command Prompt or PowerShell and run schtasks /create followed by the task details.
- Example: schtasks /create /tn “MyTask” /tr “C:\Path\to\YourScript.bat” /sc daily /st 08:00
- Windows Task Scheduler XML File:
- You can export a scheduled task as an XML file from Task Scheduler and then import it on another machine using the schtasks command or Task Scheduler’s import feature.
- Example (importing from XML file): schtasks /create /xml “C:\Path\to\YourTask.xml”
- PowerShell:
- New-ScheduledTask: PowerShell provides cmdlets like New-ScheduledTask that allow you to create scheduled tasks programmatically.
- Example: Register-ScheduledTask -TaskName “MyTask” -Action (New-ScheduledTaskAction -Execute “C:\Path\to\YourScript.bat”) -Trigger (New-ScheduledTaskTrigger -Daily -At 08:00)
- AT:
- The at.exe method is another way to schedule tasks on Windows, specifically for one-time or immediate scheduling.
- Example: at 15:45 09/30/2023 myscript.bat
- Group Policy:
- If you’re managing multiple computers in a networked environment, you can use Group Policy to deploy scheduled tasks across multiple machines.
- Registry:
- While not recommended for most users, you can manually create scheduled tasks by editing the Windows Registry directly.
- Third-Party Software:
- There are third-party applications like “Advanced Task Scheduler,” “VisualCron,” and “AutoIt” that offer advanced features and more user-friendly interfaces for creating scheduled tasks.
Links to Content
- SnapAttack – Detection: Scheduled task created in a Group Policy Object
- SnapAttack – Detection: Persistence and Execution at Scale via GPO Scheduled Task
- SnapAttack – Detection: Powershell Create Scheduled Task
- SnapAttack – Detection: Interactive AT Job
- SnapAttack – Detection: Suspicious Add Scheduled Task Parent
- SnapAttack – Threat: PowerShell Modify A Scheduled Task
- SnapAttack – Threat: Powershell Cmdlet Scheduled Task
- SnapAttack – Threat: UNC2565, GOOTLOADER, Create Scheduled Task
Linux:
- Cron Jobs: Cron is a time-based job scheduler in Linux. You can use the crontab command to create, edit, and manage cron jobs. Cron jobs can be scheduled to run at specific times, intervals, or on specific days of the week or month.
- To edit a user’s crontab, open a terminal and run: crontab -e
- Then: Add your scheduled tasks in the crontab file using the cron syntax (e.g., * * * * * command-to-run).
- Example (run a script every day at 3:00 PM): 0 15 * * * /path/to/your/script.sh
- Systemd Timers: On systems using systemd (such as most modern Linux distributions), you can create timer units to schedule tasks. Timer units are often used in combination with service units.
- To create a systemd timer, you’ll typically create two unit files: a .timer unit that defines when and how often the task should run, and a .service unit that defines the task itself.
- Example (create a timer that runs a script every day at 2:30 PM): Create a .timer unit file (e.g., /etc/systemd/system/mytask.timer):
- [Unit]
Description=My Scheduled Task Timer - [Timer]
OnCalendar=*-*-* 14:30:00
Persistent=true - [Install]
WantedBy=timers.target
- [Unit]
- Create a corresponding .service unit file (e.g., /etc/systemd/system/mytask.service) that specifies the task to run.
- Enable and start the timer with: systemctl enable mytask.timer systemctl start mytask.timer
- Anacron: Anacron is a tool for running periodic jobs on systems that may not always be running, like laptops. Anacron jobs are defined in configuration files located in /etc/anacrontab or /etc/cron.daily, and they run at intervals you specify.
- at Command: Similar to Windows, Linux also has the at command for scheduling one-time tasks. Use the at command followed by the desired time and date to schedule a task.
- Example (run a script at 3:30 PM today): at 15:30 script.sh
Links to Content
- SnapAttack – Detection: Linux At Application Execution
- SnapAttack – Detection: Linux Possible Append Cronjob Entry on Existing Cronjob File
- SnapAttack – Detection: Linux Service File Created In Systemd Directory
Persistence
Key Insights
Scheduled tasks can be used to establish a persistent backdoor or maintain a connection to a command and control (C2) server. The scheduled task can periodically execute a script that establishes a reverse shell or connects to a remote server, allowing the attacker to control the compromised system remotely. Attackers often give their malicious scheduled tasks names and descriptions that mimic legitimate system tasks or applications. This can help them blend in with normal system activity and avoid detection. Scheduled tasks can also be configured to run at system startup or login, ensuring that the attacker’s code or actions are executed even after a system reboot.
Links to Content
- SnapAttack – Threat: CACTUS Ransomware – SSH Backdoor via Scheduled Task
- SnapAttack – Detection: Persistence Via Cron Files
- SnapAttack – Threat: Modify Scheduled Task for Persistence
- SnapAttack – Detection: Scheduled Task Executing Encoded Payload from Registry
- SnapAttack – Threat: Scheduled Task Executing Base64 Encoded Commands From Registry
- SnapAttack – Detection: Persistence via Scheduled Task Creation Command
- SnapAttack – Threat: QwixxRAT Sample Execution
- SnapAttack – Detection: Persistence via Scheduled Task Creation Event
Privilege Escalation
Key Insights
Scheduled tasks can be set up to execute with elevated privileges, which can lead to privilege escalation. For example, a scheduled task may run as a system service, providing the attacker with higher levels of access and control. Attackers can also identify existing scheduled tasks that run with elevated privileges or as privileged users. They may then overwrite these tasks with their own malicious code or scripts. When the legitimate task runs, it executes the attacker’s code with the same elevated privileges.
Links to Content
- SnapAttack – Detection: Schtasks Creation Or Modification With SYSTEM Privileges
- SnapAttack – Threat: Creating W32Time similar named service using schtasks
- SnapAttack – Detection: Suspicious Schtasks Schedule Type With High Privileges
Lateral Movement
Key Insights
Attackers can create scheduled tasks on remote systems using compromised credentials that act as droppers for malicious payloads. These payloads can be designed to execute on remote systems, either copying themselves or downloading additional malicious tools onto target systems.
Links to Content
- SnapAttack – Detection: Schtasks scheduling job on remote system
- SnapAttack – Detection: Scheduled Task Initiation on Remote Endpoint
- SnapAttack – Detection: Scheduled Task Creation on Remote Endpoint using At
Impair Defenses
Key Insights
Attackers can delete or modify critical scheduled tasks that are responsible for system security, backup, or updates. This can disrupt routine operations and create security gaps.
Links to Content
- SnapAttack – Detection: Disable Important Scheduled Task
