Scheduled Job

Automated tasks that can be executed at a specific time or on a recurring schedule running in the background (ex: Cron daemon, task scheduler, BITS)[1]

ID: DS0003
Platforms: Containers, Linux, Windows, macOS
Collection Layers: Container, Host
Contributors: Center for Threat-Informed Defense (CTID)
Version: 1.0
Created: 20 October 2021
Last Modified: 30 March 2022

Data Components

Scheduled Job: Scheduled Job Creation

Initial construction of a new scheduled job (ex: Windows EID 4698 or /var/log cron logs)

Scheduled Job: Scheduled Job Creation

Initial construction of a new scheduled job (ex: Windows EID 4698 or /var/log cron logs)

Domain ID Name Detects
ICS T0849 Masquerading

Monitor for newly constructed scheduled jobs that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.

Enterprise T1053 Scheduled Task/Job

Monitor newly constructed scheduled jobs that may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.

.002 At

Monitor for newly constructed scheduled jobs. If scheduled tasks are not used for persistence, then the adversary is likely to remove the task when the action is complete. On Windows, enable the "Microsoft-Windows-TaskScheduler/Operational" setting within the event logging service where several events will then be logged on scheduled task activity, including:[2]

  • Event ID 106 on Windows 7, Server 2008 R2 - Scheduled task registered
  • Event ID 4698 on Windows 10, Server 2016 - Scheduled task created
  • Event ID 4700 on Windows 10, Server 2016 - Scheduled task enabled
  • Event ID 4701 on Windows 10, Server 2016 - Scheduled task disabled

Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current scheduled tasks. [3]

.003 Cron

Monitor for newly constructed scheduled jobs. Legitimate scheduled tasks may be created during installation of new software or through system administration functions. Look for changes to tasks that do not correlate with known software, patch cycles, etc.

.005 Scheduled Task

Monitor for newly constructed scheduled jobs by enabling the "Microsoft-Windows-TaskScheduler/Operational" setting within the event logging service. [2] Several events will then be logged on scheduled task activity, including: Event ID 106 on Windows 7, Server 2008 R2 - Scheduled task registered; Event ID 4698 on Windows 10, Server 2016 - Scheduled task created;Event ID 4700 on Windows 10, Server 2016 - Scheduled task enabled;Event ID 4701 on Windows 10, Server 2016 - Scheduled task disabled

.006 Systemd Timers

Suspicious systemd timers can also be identified by comparing results against a trusted system baseline. Malicious systemd timers may be detected by using the systemctl utility to examine system wide timers: systemctl list-timers –all. Analyze the contents of corresponding .service files present on the file system and ensure that they refer to legitimate, expected executables.

.007 Container Orchestration Job

Monitor for the anomalous creation of scheduled jobs in container orchestration environments.

Scheduled Job: Scheduled Job Metadata

Contextual data about a scheduled job, which may include information such as name, timing, command(s), etc.

Scheduled Job: Scheduled Job Metadata

Contextual data about a scheduled job, which may include information such as name, timing, command(s), etc.

Domain ID Name Detects
Enterprise T1036 Masquerading

Monitor for contextual data about a scheduled job, which may include information such as name, timing, command(s), etc.

.004 Masquerade Task or Service

Monitor for contextual data about a scheduled job, which may include information such as name, timing, command(s), etc.

Scheduled Job: Scheduled Job Modification

Changes made to a scheduled job, such as modifications to the execution launch (ex: Windows EID 4702 or /var/log cron logs)

Scheduled Job: Scheduled Job Modification

Changes made to a scheduled job, such as modifications to the execution launch (ex: Windows EID 4702 or /var/log cron logs)

Domain ID Name Detects
Enterprise T1070 Indicator Removal

Monitor for changes made to scheduled jobs that may attempt to remove artifacts on a host system.

.009 Clear Persistence

Monitor for changes made to scheduled jobs that may attempt to remove artifacts on a host system.

Enterprise T1036 Masquerading

Monitor for changes made to scheduled jobs that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.

.004 Masquerade Task or Service

Monitor for changes made to scheduled jobs for unexpected modifications to execution launch

ICS T0849 Masquerading

Monitor for changes made to scheduled jobs that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.

References