Threat Feed
high threat

Scheduled Task Disablement via Schtasks.exe

Detection of the use of schtasks.exe to disable scheduled tasks, a common tactic used by adversaries like IcedID to disable security applications and evade detection, potentially leading to persistence and further system compromise.

Attackers, including malware such as IcedID, frequently disable scheduled tasks as a means of evading detection and maintaining persistence. This technique involves using the schtasks.exe utility with the /change and /disable parameters. By disabling scheduled tasks, adversaries can disrupt security applications, prevent routine system maintenance, and prolong their access to compromised systems. This activity allows attackers to operate undetected, disable critical security defenses, and further compromise the targeted host. The initial report surfaced on October 18, 2021, highlighting the use of this technique in conjunction with the IcedID malware leading to XingLocker ransomware deployment.

Attack Chain

  1. Initial compromise of the host via an unspecified method (e.g., phishing, exploit).
  2. The attacker gains initial access and executes code on the target system.
  3. The attacker identifies scheduled tasks to disable, often targeting security applications or system maintenance tasks.
  4. The attacker executes schtasks.exe with the /change parameter to modify the task configuration.
  5. The attacker uses the /disable parameter with schtasks.exe to deactivate the targeted scheduled task. For example: schtasks /change /tn "Security Scan" /disable.
  6. The disabled task no longer runs, allowing the attacker to bypass its functionality.
  7. The attacker maintains persistence and evades detection by preventing security scans and updates.
  8. The attacker proceeds with further malicious activities, such as data theft or ransomware deployment.

Impact

Successful disabling of scheduled tasks can lead to the compromise of critical security defenses. The IcedID malware, for example, has been observed using this technique as a precursor to XingLocker ransomware deployment. This can affect any organization relying on scheduled tasks for security and system maintenance, leading to potential data breaches, system instability, and financial losses. The number of victims can vary depending on the scope of the initial compromise and the effectiveness of the attacker’s lateral movement.

Recommendation

  • Deploy the Sigma rule Detect Schtasks Disable to your SIEM and tune for your environment to detect schtasks.exe being used to disable tasks.
  • Enable Sysmon process-creation logging (Event ID 1) and Windows Event Log Security (4688) to activate the Sigma rule.
  • Investigate any alerts generated by the Sigma rule, prioritizing systems known to host critical applications or data.
  • Review scheduled task configurations for unexpected changes or disabled tasks.
  • Implement endpoint detection and response (EDR) solutions that provide visibility into process execution and command-line arguments.
  • Ensure that all systems have up-to-date security patches and antivirus definitions to prevent initial compromise.
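The detection described above (schtasks.exe invoked with both /change and /disable, seen in Sysmon Event ID 1 or Security 4688 process-creation records), as an added example that is not part of this feed entry or its Sigma rules. The events, field names and task names below are constructed for illustration; real telemetry would carry many more fields.

```python
import re
from dataclasses import dataclass

# Constructed sample events modelled loosely on the Image / CommandLine fields of
# Sysmon Event ID 1 and Security 4688 records. Not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": 'schtasks /change /tn "Security Scan" /disable'},
    {"Image": r"C:\Windows\SysWOW64\schtasks.exe",   # mixed case, WOW64 path
     "CommandLine": 'SCHTASKS.EXE /Change /TN "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag" /Disable'},
    {"Image": r"C:\Windows\System32\schtasks.exe",   # /change without /disable: benign
     "CommandLine": 'schtasks /change /tn "Backup Job" /enable'},
    {"Image": r"C:\Windows\System32\schtasks.exe",   # enumeration only: benign
     "CommandLine": "schtasks /query /fo LIST"},
    {"Image": r"C:\Windows\System32\cmd.exe",        # flags present but not schtasks.exe
     "CommandLine": "cmd /c echo /change /disable"},
]

# /tn may be followed by a quoted or an unquoted task name.
TASK_NAME_RE = re.compile(r'/tn\s+("([^"]+)"|(\S+))', re.IGNORECASE)

@dataclass
class Finding:
    image: str
    task_name: str
    command_line: str

def is_schtasks_disable(image: str, command_line: str) -> bool:
    """Image must be schtasks.exe and the command line must carry both flags."""
    if not image.lower().endswith("\\schtasks.exe"):
        return False
    tokens = [t.lower() for t in command_line.split()]   # case-insensitive flag match
    return "/change" in tokens and "/disable" in tokens

def task_name(command_line: str) -> str:
    """Extract the /tn value so the analyst sees which task was disabled."""
    m = TASK_NAME_RE.search(command_line)
    if not m:
        return "<unknown>"
    return m.group(2) or m.group(3)

def detect(events):
    return [Finding(ev["Image"], task_name(ev["CommandLine"]), ev["CommandLine"])
            for ev in events
            if is_schtasks_disable(ev["Image"], ev["CommandLine"])]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"ALERT schtasks disable: task={f.task_name!r} image={f.image}")
```

Only the first two sample events are flagged; the task name is extracted so the alert can be triaged against the list of tasks the organisation relies on for security and maintenance.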

Detection coverage (2 rules)

Detect Schtasks Disable

high

Detects schtasks.exe being used to disable scheduled tasks

Type: Sigma rule. Tactic: defense_evasion. Log sources: process_creation, windows.

Detect Schtasks Disable using Task Name

medium

Detects schtasks.exe being used to disable scheduled tasks based on task name

Type: Sigma rule. Tactic: defense_evasion. Log sources: process_creation, windows.

Detection queries are kept inside the platform.