PT Network Attack Discovery

Helps reconstruct the attack timeline and understand the sources and scale of threats

T1053: Scheduled Task/Job

Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.

Adversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges). Similar to System Binary Proxy Execution, adversaries have also abused task scheduling to potentially mask one-time execution under a trusted system process.

Positive Technologies products that cover the technique

Detection

PT NAD can detect creation or modification of scheduled tasks using detection rules and a special module of the activity stream.

Examples of PT NAD detection rules

  • ATTACK [PTsecurity] WMI Creating Scheduled Job (sid 10009190)
  • ATTACK [PTsecurity] SMB Remote task start via xml (sid 10003423)
  • ATTACK [PTsecurity] DCERPC Remote job add via TaskScheduler (sid 10005903)

PT NAD detection modules

  • Remote creation or modification of Windows Scheduler tasks

Detection

IDDS0003Data source and componentScheduled Job: Scheduled Job CreationDescription

Monitor newly constructed scheduled jobs that may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.

On Windows systems, security event ID 4698 (A scheduled task was created) provides information on newly created scheduled tasks. It includes the TaskContent field, which contains an XML blob that captures key information on the scheduled task including the command to be executed.

Analytic 1 - Scheduled Task Execution

source="WinEventLog:Security" EventCode=“4698” | WHERE UserName LIKE "\SYSTEM*" AND (TaskContent LIKE suspicious_parameter OR TaskContent LIKE "powershell.exe")

IDDS0032Data source and componentContainer: Container CreationDescription

Monitor for newly constructed containers that may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.

IDDS0009Data source and componentProcess: Process CreationDescription

Monitor for newly executed processes that may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.

IDDS0017Data source and componentCommand: Command ExecutionDescription

Monitor executed commands and arguments that may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.

IDDS0022Data source and componentFile: File ModificationDescription

Monitor for changes made to files that may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.

IDDS0022Data source and componentFile: File CreationDescription

Monitor newly constructed files that may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.

Mitigation

IDM1018NameUser Account ManagementDescription

Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create scheduled tasks on remote systems.

IDM1028NameOperating System ConfigurationDescription

Configure settings for scheduled tasks to force tasks to run under the context of the authenticated account instead of allowing them to run as SYSTEM. The associated Registry key is located at HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SubmitControl. The setting can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > Security Options: Domain Controller: Allow server operators to schedule tasks, set to disabled.

IDM1022NameRestrict File and Directory PermissionsDescription

Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.

IDM1026NamePrivileged Account ManagementDescription

Configure the Increase Scheduling Priority option to only allow the Administrators group the rights to schedule a priority process. This can be can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Increase scheduling priority.

IDM1047NameAuditDescription

Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for permission weaknesses in scheduled tasks that could be used to escalate privileges.