Scheduled Task (T1053.005)
Scheduled Task [T1053.005]
Last updated
Scheduled Task [T1053.005]
Last updated
Name: Scheduled Task
ID: T1053.005
Tactics: , ,
Technique:
Scheduled Task (T1053.005) is a sub-technique defined within the MITRE ATT&CK framework under the broader technique of Scheduled Task/Job (T1053). Attackers utilize scheduled tasks to execute malicious payloads or maintain persistence on compromised systems. Specifically, this sub-technique involves leveraging scheduled tasks within Windows environments, using built-in tools such as Task Scheduler (schtasks.exe) or Task Scheduler APIs to run malicious code at predetermined times or intervals. This approach allows adversaries to automate execution, evade detection, and maintain persistence over extended periods.
Scheduled tasks in Windows are managed by the Task Scheduler service, allowing users and administrators to automate processes. Attackers commonly exploit this legitimate functionality to execute malicious payloads and scripts.
Attackers typically use the following methods and mechanisms:
Built-in Windows tools:
schtasks.exe: Command-line utility used to create, modify, delete, query, run, and terminate scheduled tasks.
Task Scheduler GUI: Windows graphical interface allowing task creation and management.
PowerShell cmdlets: New-ScheduledTask, Register-ScheduledTask, and related cmdlets to automate task creation.
Windows Task Scheduler APIs: Programmatic access via COM interfaces for more advanced task creation and management.
Common tactics and procedures:
Creating tasks that execute malicious scripts or executables at system startup, logon, or specific intervals.
Configuring tasks to run with elevated privileges or under different user contexts to escalate privileges or evade detection.
Using tasks to periodically check and download additional payloads from command-and-control (C2) servers.
Modifying existing scheduled tasks to insert malicious commands or scripts, blending in with legitimate system operations.
Task storage locations:
Tasks are stored as XML files within %SystemRoot%\System32\Tasks\.
Registry keys under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\ contain metadata about scheduled tasks.
Attackers commonly employ scheduled tasks at various stages of the cyberattack lifecycle, including:
Persistence:
Maintaining long-term access to compromised systems by repeatedly executing malicious code at regular intervals or on system reboot.
Ensuring continued access even after system reboots, user logoffs, or security software updates.
Privilege Escalation:
Exploiting scheduled tasks running with elevated privileges to escalate attacker privileges from standard user to administrator or SYSTEM-level rights.
Defense Evasion:
Using scheduled tasks to execute malicious payloads indirectly, bypassing detection tools that monitor direct file execution or suspicious process creations.
Leveraging legitimate scheduled tasks or modifying existing ones to blend malicious activities into normal system operations.
Execution and Command-and-Control (C2):
Regularly executing scripts or binaries that initiate C2 communications, download additional payloads, or exfiltrate data.
Automating periodic checks to attacker-controlled infrastructure.
Detection of malicious scheduled tasks involves monitoring and analyzing several key indicators and employing various detection methods, including:
Monitoring Scheduled Task Creation and Modification:
Monitoring Windows Event Logs, specifically:
Security logs (Event ID 4698 for task creation, Event ID 4702 for task modification).
Microsoft-Windows-TaskScheduler/Operational logs for detailed task activity.
Leveraging Endpoint Detection and Response (EDR) tools to detect suspicious task creation commands (schtasks.exe, PowerShell cmdlets).
Analyzing Task Scheduler XML Files and Registry Entries:
Regularly scanning %SystemRoot%\System32\Tasks\ for unusual or newly created task XML files.
Inspecting task XML files for suspicious commands, scripts, executables, or unusual triggers (e.g., frequent intervals, odd execution times).
Monitoring registry keys under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\ for unauthorized modifications.
Behavioral Analysis and Anomaly Detection:
Detecting unusual task execution patterns, such as tasks running at odd hours, frequent intervals, or unexpected user contexts.
Identifying tasks executing binaries or scripts located in temporary directories, unusual system paths, or user profile folders.
Specific Indicators of Compromise (IoCs):
Suspicious command-line arguments or scripts embedded in task definitions.
Tasks running executables from uncommon or temporary directories (%TEMP%, %APPDATA%, %USERPROFILE%, etc.).
Tasks executing encoded PowerShell commands or scripts referencing external URLs or IP addresses.
Unexpected tasks created or modified by non-administrative users or unknown accounts.
Detecting malicious scheduled tasks is critical due to several potential impacts and risks:
Persistence and Long-term Compromise:
Scheduled tasks enable attackers to maintain persistent access, extending the duration and severity of compromise.
Early detection prevents attackers from re-establishing footholds after initial remediation efforts.
Privilege Escalation and System Compromise:
Tasks running with elevated privileges can allow attackers to escalate privileges, gaining administrative or SYSTEM-level rights.
Early detection prevents attackers from leveraging elevated privileges to further compromise systems or networks.
Defense Evasion and Detection Challenges:
Scheduled tasks can bypass traditional antivirus and endpoint detection solutions by leveraging legitimate system utilities and mechanisms.
Timely identification of malicious tasks reduces the risk of attackers evading detection and performing stealthy operations.
Data Exfiltration and Command-and-Control (C2):
Attackers often use scheduled tasks to automate data exfiltration or periodic C2 communications.
Early detection prevents sensitive data loss and disrupts attacker command-and-control channels.
Minimizing Damage and Incident Response Costs:
Early detection and remediation of malicious scheduled tasks significantly reduce the potential damage, operational disruption, and associated costs of incident response and recovery.
Real-world examples and attack scenarios involving Scheduled Task (T1053.005):
APT29 (Cozy Bear):
Used scheduled tasks to execute PowerShell scripts for persistence, lateral movement, and data exfiltration.
Tasks were configured to run malicious payloads at system startup or user logon, ensuring persistence and regular command-and-control communication.
FIN7:
Leveraged scheduled tasks to execute malicious JavaScript payloads and PowerShell scripts for persistence and data theft.
Tasks executed malicious scripts from temporary directories at frequent intervals, enabling continuous monitoring and data exfiltration from compromised systems.
TrickBot Malware:
Created scheduled tasks to execute malicious binaries and scripts, maintaining persistence and periodically downloading additional payloads.
Tasks were often configured to run at system startup or specific intervals, ensuring continuous malware execution and C2 communications.
Ryuk Ransomware:
Utilized scheduled tasks to automate ransomware execution and lateral movement across compromised networks.
Tasks executed ransomware payloads at predetermined times, maximizing impact and disrupting organizational operations.
Emotet Malware:
Scheduled tasks were used to execute malicious scripts and binaries, maintaining persistence and facilitating further malware deployment (e.g., TrickBot, Ryuk).
Tasks executed payloads from temporary or user profile directories, regularly communicating with attacker-controlled infrastructure.
In these examples, attackers leveraged scheduled tasks to ensure persistence, automate malicious activities, evade detection, and facilitate data exfiltration or ransomware deployment, highlighting the importance of thorough monitoring and timely detection.