
Scheduled Task

Utilities such as at and schtasks, along with the Windows Task Scheduler, can be used to schedule programs or scripts to be executed at a date and time. A task can also be scheduled on a remote system, provided the proper authentication is met to use RPC and file and printer sharing is turned on. Scheduling a task on a remote system typically requires being a member of the Administrators group on the remote system. [1]

An adversary may use task scheduling to execute programs at system startup or on a scheduled basis for persistence, to conduct remote Execution as part of Lateral Movement, to gain SYSTEM privileges, or to run a process under the context of a specified account.

ID: T1053

Tactic: Execution, Persistence, Privilege Escalation

Platform:  Windows

Permissions Required:  Administrator, SYSTEM, User

Effective Permissions:  SYSTEM, Administrator, User

Data Sources:  File monitoring, Process monitoring, Process command-line parameters, Windows event logs

Supports Remote:  Yes

CAPEC ID:  CAPEC-557

Contributors:  Leo Loobeek, @leoloobeek, Travis Smith, Tripwire, Alain Homewood, Insomnia Security

Version: 1.0

Examples

Name / Description
APT18

APT18 actors used the native at Windows task scheduler tool to use scheduled tasks for execution on a victim network.[2]

APT29

APT29 used named and hijacked scheduled tasks to establish persistence.[3]

APT3

An APT3 downloader creates persistence by creating the following scheduled task: schtasks /create /tn "mysc" /tr C:\Users\Public\test.exe /sc ONLOGON /ru "System".[4]

APT32

APT32 has used scheduled tasks to persist on victim systems.[5]

at

at can be used to schedule a task on a system.[6]

BADNEWS

BADNEWS creates a scheduled task to establish persistence by executing a malicious payload every subsequent minute.[7]

BRONZE BUTLER

BRONZE BUTLER has used at and schtasks to register a scheduled task to execute malware during lateral movement.[8]

Cobalt Group

Cobalt Group has created Windows tasks to establish persistence.[9]

CosmicDuke

CosmicDuke uses scheduled tasks typically named "Watchmon Service" for persistence.[10]

CozyCar

One persistence mechanism used by CozyCar is to register itself as a scheduled task.[11]

Dragonfly 2.0

Dragonfly 2.0 used scheduled tasks to automatically log out of created accounts every 8 hours as well as to execute malicious files.[12][13]

Duqu

Adversaries can instruct Duqu to spread laterally by copying itself to shares it has enumerated and for which it has obtained legitimate credentials (via keylogging or other means). The remote host is then infected by using the compromised credentials to schedule a task on remote machines that executes the malware.[14]

FIN10

FIN10 has established persistence by using S4U tasks as well as the Scheduled Task option in PowerShell Empire.[15][16]

FIN6

FIN6 has used scheduled tasks to establish persistence for various malware it uses, including downloaders known as HARDTACK and SHIPBREAD and PoS malware known as TRINITY.[17]

FIN7

FIN7 malware has created scheduled tasks to establish persistence.[18][19][20]

FIN8

FIN8 has used scheduled tasks to maintain RDP backdoors.[21]

Gazer

Gazer can establish persistence by creating a scheduled task.[22][23]

GravityRAT

GravityRAT creates a scheduled task to ensure it is re-executed everyday.[24]

Helminth

Helminth has used a scheduled task for persistence.[25]

ISMInjector

ISMInjector creates scheduled tasks to establish persistence.[26]

JHUHUGIT

JHUHUGIT has registered itself as a scheduled task to run each time the current user logs in.[27][28]

Matroyshka

Matroyshka can establish persistence by adding a Scheduled Task named "Microsoft Boost Kernel Optimization".[29][30]

menuPass

menuPass has used a script (atexec.py) to execute a command on a target machine via Task Scheduler.[31]

MURKYTOP

MURKYTOP has the capability to schedule remote AT jobs.[32]

OilRig

OilRig has created scheduled tasks that run a VBScript to execute a payload on victim machines.[33][34]

OopsIE

OopsIE creates a scheduled task to run itself every three minutes.[33][35]

Patchwork

A Patchwork file stealer can run a TaskScheduler DLL to add persistence.[36]

PowerSploit

PowerSploit's New-UserPersistenceOption Persistence argument can be used to establish persistence via a Scheduled Task.[37][38]

POWRUNER

POWRUNER persists through a scheduled task that executes it every minute.[39]

Pteranodon

Pteranodon schedules tasks to invoke its components in order to establish persistence.[40]

QUADAGENT

QUADAGENT creates a scheduled task to maintain persistence on the victim’s machine.[34]

QuasarRAT

QuasarRAT contains a .NET wrapper DLL for creating and managing scheduled tasks for maintaining persistence upon reboot.[41]

Rancor

Rancor launched a scheduled task to gain persistence using the schtasks /create /sc command.[42]

RemoteCMD

RemoteCMD can execute commands remotely by creating a new scheduled task on the remote system.[43]

Remsec

Remsec schedules the execution of one of its modules by creating a new scheduler task.[44]

RTM

RTM tries to add a scheduled task to establish persistence.[45]

schtasks

schtasks is used to schedule tasks on a Windows system to run at a specific date and time.[46]

Shamoon

Shamoon copies an executable payload to the target system by using Windows Admin Shares and then scheduling an unnamed task to execute the malware.[47][48]

Smoke Loader

Smoke Loader launches a scheduled task.[49]

Stealth Falcon

Stealth Falcon malware creates a scheduled task entitled "IE Web Cache" to execute a malicious file hourly.[50]

Threat Group-3390

Threat Group-3390 actors use at to schedule tasks to run self-extracting RAR archives, which install HTTPBrowser or PlugX on other victims on a network.[51]

TrickBot

TrickBot creates a scheduled task on the system that provides persistence.[52][53][54]

yty

yty establishes persistence by creating a scheduled task with the command SchTasks /Create /SC DAILY /TN BigData /TR " + path_file + "/ST 09:30".[55]

Mitigation

Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create scheduled tasks on remote systems. Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for permission weaknesses in scheduled tasks that could be used to escalate privileges. [56]

Configure settings for scheduled tasks to force tasks to run under the context of the authenticated account instead of allowing them to run as SYSTEM. The associated Registry key is located at HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SubmitControl. The setting can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > Security Options: Domain Controller: Allow server operators to schedule tasks, set to disabled. [57]

Configure the Increase Scheduling Priority option to only allow the Administrators group the rights to schedule a priority process. This can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Increase scheduling priority. [58]

Identify and block unnecessary system utilities or potentially malicious software that may be used to schedule tasks using whitelisting [59] tools, like AppLocker, [60] [61] or Software Restriction Policies [62] where appropriate. [63]

Detection

Monitor scheduled task creation from common utilities using command-line invocation. Legitimate scheduled tasks may be created during installation of new software or through system administration functions. Monitor process execution from svchost.exe in Windows 10 and the Windows Task Scheduler taskeng.exe for older versions of Windows. [64] If scheduled tasks are not used for persistence, then the adversary is likely to remove the task when the action is complete. Monitor Windows Task Scheduler stores in %systemroot%\System32\Tasks for change entries related to scheduled tasks that do not correlate with known software, patch cycles, etc. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.
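As an added example (not code from the ATT&CK page or from any vendor tooling), the following Python triages task definitions from the %systemroot%\System32\Tasks store for the patterns the examples above describe: an action launched from a user-writable path such as C:\Users\Public, a SYSTEM task triggered at logon, minute-level repetition, and script-host actions. The user-writable prefixes and the script-host list are assumptions, and the sample task XML is constructed.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SYSTEM_SID = "S-1-5-18"
# Assumed user-writable prefixes; C:\Users\Public is the path used by the APT3 task above.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe")  # assumed list

def interval_seconds(iso: str) -> int:
    """Convert an ISO 8601 duration from a task's <Interval> (e.g. PT1M, PT3M) to seconds."""
    m = re.fullmatch(r"P(?:(\d+)D)?T?(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?", iso.strip())
    if not m:
        return 0
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s

def triage_task_xml(xml_text) -> list:
    """Return the reasons a task definition matches the persistence patterns listed above."""
    root = ET.fromstring(xml_text)
    reasons = []
    for ex in root.findall(".//t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", "", NS).strip('"').lower()
        args = ex.findtext("t:Arguments", "", NS).lower()
        if cmd.startswith(USER_WRITABLE):
            reasons.append(f"action runs from user-writable path: {cmd}")
        if cmd.rsplit("\\", 1)[-1] in SCRIPT_HOSTS or args.endswith((".vbs", ".js", ".ps1")):
            reasons.append(f"action is a script host: {cmd} {args}".rstrip())
    runs_as_system = any(p.findtext("t:UserId", "", NS).upper() == SYSTEM_SID
                         for p in root.findall(".//t:Principals/t:Principal", NS))
    if runs_as_system and root.find(".//t:Triggers/t:LogonTrigger", NS) is not None:
        reasons.append("runs as SYSTEM at every logon")
    for iv in root.findall(".//t:Repetition/t:Interval", NS):
        secs = interval_seconds(iv.text or "")
        if 0 < secs <= 300:  # minute-level repetition, as in BADNEWS, POWRUNER and OopsIE
            reasons.append(f"repeats every {secs // 60} minute(s)")
    return reasons

def triage_task_store(tasks_dir=r"C:\Windows\System32\Tasks") -> dict:
    """Walk the on-disk task store; the files are UTF-16 XML, so hand the parser raw bytes."""
    files = (p for p in Path(tasks_dir).rglob("*") if p.is_file())
    return {str(p): r for p in files if (r := triage_task_xml(p.read_bytes()))}

# Constructed sample combining the APT3 task quoted above (ONLOGON, /ru System,
# C:\Users\Public\test.exe) with the one-minute repetition seen in POWRUNER.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger>
    <TimeTrigger><StartBoundary>2018-10-01T09:30:00</StartBoundary>
      <Repetition><Interval>PT1M</Interval></Repetition></TimeTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\Users\Public\test.exe</Command></Exec></Actions>
</Task>"""
```

Run triage_task_store() on a host to get a per-file list of reasons; tasks it does not flag still need reconciling against known software and patch cycles as the paragraph above says.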

Configure event logging for scheduled task creation and changes by enabling the "Microsoft-Windows-TaskScheduler/Operational" setting within the event logging service. [65] Several events will then be logged on scheduled task activity, including: [66]

  • Event ID 106 - Scheduled task registered
  • Event ID 140 - Scheduled task updated
  • Event ID 141 - Scheduled task removed
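An added example, not part of the original page, of what correlating those three event IDs can surface: a task registered and removed within minutes (the run-once pattern described above), updates to built-in Microsoft tasks by an account other than SYSTEM (an assumed heuristic for hijacked tasks, not a rule from the page), and user-registered tasks that remain and need reconciling against known software. The event records are constructed and their field names are a simplification of the real event data.

```python
from datetime import datetime, timedelta

# Constructed sample records standing in for Microsoft-Windows-TaskScheduler/Operational
# events 106 (registered), 140 (updated) and 141 (removed). The field names are our own
# simplification of what those events carry, not the raw event XML.
SAMPLE_EVENTS = [
    {"time": "2018-10-01T09:30:02", "id": 106, "task": "\\BigData", "user": "CORP\\alice"},
    {"time": "2018-10-01T09:31:10", "id": 106, "task": "\\At1", "user": "CORP\\svc-backup"},
    {"time": "2018-10-01T09:33:45", "id": 141, "task": "\\At1", "user": "CORP\\svc-backup"},
    {"time": "2018-10-01T10:00:00", "id": 140, "task": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "user": "NT AUTHORITY\\SYSTEM"},
    {"time": "2018-10-01T10:05:00", "id": 140, "task": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "user": "CORP\\bob"},
]
SYSTEM_ACCOUNTS = {"NT AUTHORITY\\SYSTEM", "SYSTEM", "S-1-5-18"}

def _ts(e):
    return datetime.fromisoformat(e["time"])

def short_lived_tasks(events, window=timedelta(minutes=10)):
    """Tasks registered (106) and removed (141) within `window`: the page notes that a task
    used for one-off remote execution rather than persistence is removed once it has run."""
    registered, hits = {}, []
    for e in sorted(events, key=_ts):
        if e["id"] == 106:
            registered[e["task"]] = _ts(e)
        elif e["id"] == 141 and e["task"] in registered:
            lifetime = _ts(e) - registered.pop(e["task"])
            if lifetime <= window:
                hits.append((e["task"], e["user"], int(lifetime.total_seconds())))
    return hits

def modified_builtin_tasks(events):
    """Updates (140) to tasks under \\Microsoft\\Windows\\ by an account other than SYSTEM.
    Assumed heuristic for hijacked built-in tasks (as APT29 used), not a rule from the page."""
    return [(e["task"], e["user"]) for e in events
            if e["id"] == 140
            and e["task"].lower().startswith("\\microsoft\\windows\\")
            and e["user"].upper() not in SYSTEM_ACCOUNTS]

def never_removed(events):
    """Tasks registered by a non-SYSTEM account and still present at the end of the data:
    the candidates to reconcile against known software installs and patch cycles."""
    alive = {}
    for e in sorted(events, key=_ts):
        if e["id"] == 106 and e["user"].upper() not in SYSTEM_ACCOUNTS:
            alive[e["task"]] = e["user"]
        elif e["id"] == 141:
            alive.pop(e["task"], None)
    return alive
```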

Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current scheduled tasks. [67] Look for changes to tasks that do not correlate with known software, patch cycles, etc. Suspicious program execution through scheduled tasks may show up as outlier processes that have not been seen before when compared against historical data.

Monitor processes and command-line arguments for actions that could be taken to create tasks. Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. Tasks may also be created through Windows system management tools such as Windows Management Instrumentation and PowerShell, so additional logging may need to be configured to gather the appropriate data.

References

  1. Microsoft. (2005, January 21). Task Scheduler and security. Retrieved June 8, 2016.
  2. Carvey, H. (2014, September 2). Where you AT?: Indicators of lateral movement using at.exe on Windows 7 systems. Retrieved January 25, 2016.
  3. Dunwoody, M. and Carr, N. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved October 4, 2016.
  4. Moran, N., et al. (2014, November 21). Operation Double Tap. Retrieved January 14, 2016.
  5. Carr, N. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
  6. Microsoft. (n.d.). At. Retrieved April 28, 2016.
  7. Levene, B., et al. (2018, March 7). Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent. Retrieved March 31, 2018.
  8. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  9. Matveeva, V. (2017, August 15). Secrets of Cobalt. Retrieved October 10, 2018.
  10. F-Secure Labs. (2014, July). COSMICDUKE Cosmu with a twist of MiniDuke. Retrieved July 3, 2014.
  11. F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015.
  12. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  13. US-CERT. (2017, October 20). Alert (TA17-293A): Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved November 2, 2017.
  14. Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015.
  15. FireEye iSIGHT Intelligence. (2017, June 16). FIN10: Anatomy of a Cyber Extortion Operation. Retrieved June 25, 2017.
  16. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  17. FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016.
  18. Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.
  19. Gorelik, M. (2017, June 9). FIN7 Takes Another Bite at the Restaurant Industry. Retrieved July 13, 2017.
  20. Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018.
  21. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
  22. ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017.
  23. Kaspersky Lab's Global Research & Analysis Team. (2017, August 30). Introducing WhiteBear. Retrieved September 21, 2017.
  24. Mercer, W., Rascagneres, P. (2018, April 26). GravityRAT - The Two-Year Evolution Of An APT Targeting India. Retrieved May 16, 2018.
  25. ClearSky Cybersecurity. (2017, January 5). Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford. Retrieved May 3, 2017.
  26. Falcone, R. and Lee, B. (2017, October 9). OilRig Group Steps Up Attacks with New Delivery Documents and New Injector Trojan. Retrieved January 8, 2018.
  27. ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016.
  28. ESET Research. (2015, July 10). Sednit APT Group Meets Hacking Team. Retrieved March 1, 2017.
  29. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.
  30. Minerva Labs LTD and ClearSky Cyber Security. (2015, November 23). CopyKittens Attack Group. Retrieved September 11, 2017.
  31. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  32. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  33. Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.
  34. Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.
  35. Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September 24, 2018.
  36. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
  37. PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018.
  38. PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018.
  39. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
  40. Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.
  41. Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.
  42. Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.
  43. Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.
  44. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.
  45. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  46. Microsoft. (n.d.). Schtasks. Retrieved April 28, 2016.
  47. FireEye. (2016, November 30). FireEye Responds to Wave of Destructive Cyber Attacks in Gulf Region. Retrieved January 11, 2017.
  48. Falcone, R. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.
  49. Baker, B., Unterbrink H. (2018, July 03). Smoking Guns - Smoke Loader learned new tricks. Retrieved July 5, 2018.
  50. Marczak, B. and Scott-Railton, J. (2016, May 29). Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016.
  51. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
  52. Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018.
  53. Antazo, F. (2016, October 31). TSPY_TRICKLOAD.N. Retrieved September 14, 2018.
  54. Pornasdoro, A. (2017, October 12). Trojan:Win32/Totbrick. Retrieved September 14, 2018.
  55. Schwarz, D., Sopko J. (2018, March 08). Donot Team Leverages New Modular Malware Framework in South Asia. Retrieved June 11, 2018.
  56. PowerSploit. (n.d.). Retrieved December 4, 2014.
  57. Microsoft. (2012, November 15). Domain controller: Allow server operators to schedule tasks. Retrieved December 18, 2017.
  58. Microsoft. (2013, May 8). Increase scheduling priority. Retrieved December 18, 2017.
  59. Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.
  60. Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.
  61. NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.
  62. Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.
  63. Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.
  64. Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved December 12, 2017.
  65. Satyajit321. (2015, November 3). Scheduled Tasks History Retention settings. Retrieved December 12, 2017.
  66. Microsoft. (n.d.). General Task Registration. Retrieved December 12, 2017.
  67. Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016.