Scheduled Job

Automated tasks that can be executed at a specific time or on a recurring schedule running in the background (ex: Cron daemon, task scheduler, BITS)^[1]

ID: DS0003

ⓘ

Platforms: Containers, Linux, Windows, macOS

ⓘ

Collection Layers: Container, Host

Contributors: Center for Threat-Informed Defense (CTID)

Version: 1.0

Created: 20 October 2021

Last Modified: 30 March 2022

Version Permalink

Live Version

Data Components

Scheduled Job: Scheduled Job Creation

Initial construction of a new scheduled job (ex: Windows EID 4698 or /var/log cron logs)

Scheduled Job: Scheduled Job Creation

Initial construction of a new scheduled job (ex: Windows EID 4698 or /var/log cron logs)

Domain	ID		Name	Detects
ICS	T0849		Masquerading	Monitor for newly constructed scheduled jobs that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.
Enterprise	T1053		Scheduled Task/Job	Monitor newly constructed scheduled jobs that may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. On Windows systems, security event ID 4698 (A scheduled task was created) provides information on newly created scheduled tasks. It includes the TaskContent field, which contains an XML blob that captures key information on the scheduled task including the command to be executed. Analytic 1 - Scheduled Task Execution `source="*WinEventLog:Security" EventCode="4698" \| where NOT (TaskName IN ("\Microsoft\Windows\UpdateOrchestrator\Reboot", "\Microsoft\Windows\Defrag\ScheduledDefrag"))\| search TaskContent="powershell.exe" OR TaskContent="cmd.exe"`
		.002	At	Monitor for newly constructed scheduled jobs. If scheduled tasks are not used for persistence, then the adversary is likely to remove the task when the action is complete. On Windows, enable the "Microsoft-Windows-TaskScheduler/Operational" setting within the event logging service where several events will then be logged on scheduled task activity, including:^[2] Event ID 106 on Windows 7, Server 2008 R2 - Scheduled task registered Event ID 4698 on Windows 10, Server 2016 - Scheduled task created Event ID 4700 on Windows 10, Server 2016 - Scheduled task enabled Event ID 4701 on Windows 10, Server 2016 - Scheduled task disabled Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current scheduled tasks. ^[3]
		.003	Cron	Monitor for newly constructed scheduled jobs. Legitimate scheduled tasks may be created during installation of new software or through system administration functions. Look for changes to tasks that do not correlate with known software, patch cycles, etc. Analytic 1 - Look for new cron job creation events with unusual parameters. `index=os_logs sourcetype=syslog (command="crontab -e" OR command="crontab -l")\| stats count by user host\| where user != "root" OR count > 1`
		.005	Scheduled Task	Monitor for newly constructed scheduled jobs by enabling the "Microsoft-Windows-TaskScheduler/Operational" setting within the event logging service. ^[2] Several events will then be logged on scheduled task activity, including Event ID 106 on Windows 7 and Server 2008 R2 for scheduled task registration. For Windows 10 and Server 2016, the relevant events are also logged in the Windows Security event channel after enabling the auditing of other object access events. These include: Event ID 4698: A scheduled task was created. Event ID 4699: A scheduled task was deleted. Event ID 4700: A scheduled task was enabled. Event ID 4701: A scheduled task was disabled. Event ID 4702: A scheduled task was updated. Note: Detection of the creation or modification of Scheduled Tasks with a suspicious script, extension or user writable path. Attackers may create or modify Scheduled Tasks for the persistent execution of malicious code. This detection focuses at the same time on EventIDs 4688 and 1 with process creation (SCHTASKS) and EventID 4698, 4702 for Scheduled Task creation/modification event log. Analytic 1 - New schedule tasks whose content includes suspicious scripts, extensions or user writable path (source="*WinEventLog:Security" EventCode IN (4698, 4702, 4699, 4700, 4701)) \| where(JobContent LIKE '%.cmd%' OR JobContent LIKE '%.ps1%' OR JobContent LIKE '%.vbs%' OR JobContent LIKE '%.py%' OR JobContent LIKE '%.js%' OR JobContent LIKE '%.exe%' OR JobContent LIKE '%.bat%' OR JobContent LIKE '%javascript%' OR JobContent LIKE '%powershell%' OR JobContent LIKE '%wmic%' OR JobContent LIKE '%rundll32%' OR JobContent LIKE '%cmd%' OR JobContent LIKE '%cscript%' OR JobContent LIKE '%wscript%' OR JobContent LIKE '%regsvr32%' OR JobContent LIKE '%mshta%' OR JobContent LIKE '%bitsadmin%' OR JobContent LIKE '%certutil%' OR JobContent LIKE '%msiexec%' OR JobContent LIKE '%javaw%' OR JobContent LIKE '%[%]APPDATA[%]%' OR JobContent LIKE '%\AppData\Roaming%' OR JobContent LIKE '%[%]PUBLIC[%]%' OR JobContent LIKE '%C:\Users\Public%' OR JobContent LIKE '%[%]ProgramData[%]%' OR JobContent LIKE '%C:\ProgramData%' OR JobContent LIKE '%[%]TEMP[%]%' OR JobContent LIKE '%\AppData\Local\Temp%' OR JobContent LIKE '%\Windows\PLA\System%' OR JobContent LIKE '%\tasks%' OR JobContent LIKE '%\Registration\CRMLog%' OR JobContent LIKE '%\FxsTmp%' OR JobContent LIKE '%\spool\drivers\color%' OR JobContent LIKE '%\tracing%')
		.006	Systemd Timers	Suspicious systemd timers can also be identified by comparing results against a trusted system baseline. Malicious systemd timers may be detected by using the systemctl utility to examine system wide timers: systemctl list-timers –all. Analyze the contents of corresponding .service files present on the file system and ensure that they refer to legitimate, expected executables. Analytic 1 - Look for systemd timer creation events with unusual parameters. `sourcetype=linux_logs (command="systemctl start .timer" OR command="systemctl enable .timer" OR command="systemctl daemon-reload")`
		.007	Container Orchestration Job	Monitor for Kubernetes CronJob or Job creation using Kubernetes API or CLI commands. Note: This query tracks job creation using kubectl commands or Kubernetes API calls to create or apply CronJobs. It filters out legitimate job creation based on a baseline and identifies unusual CronJob creation or usage. Analytic 1 - Look for new container job creation events with unusual parameters. `sourcetype=kubernetes:job_creation (command="kubectl create cronjob" OR command="kubectl apply -f .yaml" OR api_call="BatchV1.CronJob.create")` Note: This query monitors Kubernetes events for job creation, start, and completion. These events are useful for tracking the actual execution of scheduled tasks in the cluster.Analytic 2 - Monitoring Kubernetes Events for Job Execution `sourcetype=kubernetes:event type="Normal" (reason="SuccessfulCreate" OR reason="Started" OR reason="Completed")`

Scheduled Job: Scheduled Job Metadata

Contextual data about a scheduled job, which may include information such as name, timing, command(s), etc.

Scheduled Job: Scheduled Job Metadata

Contextual data about a scheduled job, which may include information such as name, timing, command(s), etc.

Domain	ID	Name	Detects
Enterprise	T1036	Masquerading	Monitor for contextual data about a scheduled job, which may include information such as name, timing, command(s), etc. On Windows, Event ID 4698 (Security Log - A scheduled task was created) can be used to alert on the creation of scheduled tasks and provides metadata including the task name and task content (as XML). On Linux, auditing frameworks such as the Linux Auditing System (auditd) can be used to alert on invocations of cron, and provides the metadata included when executing the command.
		.004	Masquerade Task or Service	Monitor for contextual data about a scheduled job, which may include information such as name, timing, command(s), etc.

Domain

Name

Detects

Enterprise

T1036

Masquerading

Monitor for contextual data about a scheduled job, which may include information such as name, timing, command(s), etc.

On Windows, Event ID 4698 (Security Log - A scheduled task was created) can be used to alert on the creation of scheduled tasks and provides metadata including the task name and task content (as XML).

On Linux, auditing frameworks such as the Linux Auditing System (auditd) can be used to alert on invocations of cron, and provides the metadata included when executing the command.

.004

Masquerade Task or Service

Monitor for contextual data about a scheduled job, which may include information such as name, timing, command(s), etc.

Scheduled Job: Scheduled Job Modification

Changes made to a scheduled job, such as modifications to the execution launch (ex: Windows EID 4702 or /var/log cron logs)

Scheduled Job: Scheduled Job Modification

Changes made to a scheduled job, such as modifications to the execution launch (ex: Windows EID 4702 or /var/log cron logs)

Domain	ID		Name	Detects
Enterprise	T1070		Indicator Removal	Monitor for changes made to scheduled jobs that may attempt to remove artifacts on a host system.
		.009	Clear Persistence	Monitor for changes made to scheduled jobs that may attempt to remove artifacts on a host system.
Enterprise	T1036		Masquerading	Monitor for changes made to scheduled jobs that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.
		.004	Masquerade Task or Service	Monitor for changes made to scheduled jobs for unexpected modifications to execution launch
ICS	T0849		Masquerading	Monitor for changes made to scheduled jobs that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.

References

Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016.