Analytics Story: Scheduled Tasks

Date: 2023-06-12 ID: 94cff925-d05c-40cf-b925-d6c5702a2399 Author: Michael Haag, Splunk Product: Splunk Enterprise Security

Description

The MITRE ATT&CK technique T1053 refers to Scheduled Task/Job. Adversaries might use task scheduling utilities to execute programs or scripts at a predefined date and time. This method is often used for persistence but can also be used for privilege escalation or to execute tasks under certain conditions. Scheduling tasks can be beneficial for an attacker as it can allow them to execute actions at times when the system is less likely to be monitored actively. Different operating systems have different utilities for task scheduling, for example, Unix-like systems have Cron, while Windows has Scheduled Tasks and At Jobs.

Why it matters

MITRE ATT&CK technique T1053, labeled "Scheduled Task/Job", is a categorization of methods that adversaries use to execute malicious code by scheduling tasks or jobs on a system. This technique is widely utilized for persistence, privilege escalation, and the remote execution of tasks. The technique is applicable across various environments and platforms, including Windows, Linux, and macOS. The technique consists of multiple sub-techniques, each highlighting a distinct mechanism for scheduling tasks or jobs. These sub-techniques include T1053.001 (Scheduled Task), T1053.002 (At for Windows), T1053.003 (Cron), T1053.004 (Launchd), T1053.005 (At for Linux), and T1053.006 (Systemd Timers). Scheduled Task (T1053.001) focuses on adversaries' methods for scheduling tasks on a Windows system to maintain persistence or escalate privileges. These tasks can be set to execute at specified times, in response to particular events, or after a defined time interval. The At command for Windows (T1053.002) enables administrators to schedule tasks on a Windows system. Adversaries may exploit this command to execute programs at system startup or at a predetermined schedule for persistence. Cron (T1053.003) is a built-in job scheduler found in Unix-like operating systems. Adversaries can use cron jobs to execute programs at system startup or on a scheduled basis for persistence. Launchd (T1053.004) is a service management framework present in macOS. Adversaries may utilize launchd to maintain persistence on macOS systems by setting up daemons or agents to execute at specific times or in response to defined events. The At command for Linux (T1053.005) enables administrators to schedule tasks on a Linux system. Adversaries can use this command to execute programs at system startup or on a scheduled basis for persistence. Systemd Timers (T1053.006) offer a means of scheduling tasks on Linux systems using systemd. Adversaries can use systemd timers to execute programs at system startup or on a scheduled basis for persistence. Detection and mitigation strategies vary for each sub-technique. For instance, monitoring the creation of scheduled tasks or looking for uncorrelated changes to tasks that do not align with known software or patch cycles can be effective for detecting malicious activity related to this technique. Mitigation strategies may involve restricting permissions and applying application control solutions to prevent adversaries from scheduling tasks.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Linux Add Files In Known Crontab Directories Cron, Scheduled Task/Job Anomaly
Linux Adding Crontab Using List Parameter Cron, Scheduled Task/Job Hunting
Linux At Allow Config File Creation Cron, Scheduled Task/Job Anomaly
Linux At Application Execution At, Scheduled Task/Job Anomaly
Linux Auditd At Application Execution At, Scheduled Task/Job Anomaly
Linux Auditd Edit Cron Table Parameter Cron, Scheduled Task/Job TTP
Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File Cron, Scheduled Task/Job Hunting
Linux Auditd Service Restarted Systemd Timers, Scheduled Task/Job Anomaly
Linux Edit Cron Table Parameter Cron, Scheduled Task/Job Hunting
Linux Possible Append Command To At Allow Config File At, Scheduled Task/Job Anomaly
Linux Possible Append Cronjob Entry on Existing Cronjob File Cron, Scheduled Task/Job Hunting
Linux Possible Cronjob Modification With Editor Cron, Scheduled Task/Job Hunting
Linux Service File Created In Systemd Directory Systemd Timers, Scheduled Task/Job Anomaly
Linux Service Restarted Systemd Timers, Scheduled Task/Job Anomaly
Linux Service Started Or Enabled Systemd Timers, Scheduled Task/Job Anomaly
Possible Lateral Movement PowerShell Spawn Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShell, MMC TTP
Randomly Generated Scheduled Task Name Scheduled Task/Job, Scheduled Task Hunting
Schedule Task with HTTP Command Arguments Scheduled Task/Job TTP
Schedule Task with Rundll32 Command Trigger Scheduled Task/Job TTP
Scheduled Task Creation on Remote Endpoint using At Scheduled Task/Job, At TTP
Scheduled Task Deleted Or Created via CMD Scheduled Task, Scheduled Task/Job TTP
Scheduled Task Initiation on Remote Endpoint Scheduled Task/Job, Scheduled Task TTP
Schtasks Run Task On Demand Scheduled Task/Job TTP
Schtasks scheduling job on remote system Scheduled Task, Scheduled Task/Job TTP
Schtasks used for forcing a reboot Scheduled Task, Scheduled Task/Job TTP
Short Lived Scheduled Task Scheduled Task TTP
Suspicious Scheduled Task from Public Directory Scheduled Task, Scheduled Task/Job Anomaly
Svchost LOLBAS Execution Process Spawn Scheduled Task/Job, Scheduled Task TTP
Windows Enable Win32 ScheduledJob via Registry Scheduled Task Anomaly
Windows Hidden Schedule Task Settings Scheduled Task/Job TTP
Windows PowerShell ScheduleTask Scheduled Task, PowerShell, Command and Scripting Interpreter Anomaly
Windows Registry Delete Task SD Scheduled Task, Impair Defenses Anomaly
Windows Scheduled Task Created Via XML Scheduled Task, Scheduled Task/Job TTP
Windows Scheduled Task with Highest Privileges Scheduled Task/Job, Scheduled Task TTP
Windows Schtasks Create Run As System Scheduled Task, Scheduled Task/Job TTP
WinEvent Scheduled Task Created to Spawn Shell Scheduled Task, Scheduled Task/Job TTP
WinEvent Scheduled Task Created Within Public Path Scheduled Task, Scheduled Task/Job TTP
WinEvent Windows Task Scheduler Event Action Started Scheduled Task Hunting

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
CrowdStrike ProcessRollup2 N/A crowdstrike:events:sensor crowdstrike
Linux Auditd Path Linux icon Linux linux:audit /var/log/audit/audit.log
Linux Auditd Proctitle Linux icon Linux linux:audit /var/log/audit/audit.log
Linux Auditd Syscall Linux icon Linux linux:audit /var/log/audit/audit.log
Powershell Script Block Logging 4104 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Sysmon EventID 1 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 12 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon for Linux EventID 1 Linux icon Linux sysmon:linux Syslog:Linux-Sysmon/Operational
Sysmon for Linux EventID 11 Linux icon Linux sysmon:linux Syslog:Linux-Sysmon/Operational
Windows Event Log Security 4688 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Security 4698 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Security 4699 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log TaskScheduler 200 Windows icon Windows wineventlog WinEventLog:Microsoft-Windows-TaskScheduler/Operational

References

Source: GitHub | Version: 1