Windows Persistence via Scheduled Job Creation
Adversaries can abuse the Windows Task Scheduler to establish persistence by creating malicious scheduled jobs, which are detected by monitoring for the creation of '.job' files in the 'Windows\Tasks' directory while excluding known legitimate software.
Attackers can establish persistence on Windows systems by creating or modifying scheduled tasks. This involves creating '.job' files within the C:\\Windows\\Tasks directory. Legitimate software installations and updates can also create scheduled tasks, leading to potential false positives. This activity is detected by monitoring file creation events with a focus on specific file paths and extensions associated with scheduled jobs. The rule excludes known legitimate processes such as CCleaner and ManageEngine to minimize false positives. Successful exploitation allows attackers to maintain long-term access to compromised systems, enabling them to execute malicious code at specified intervals without user interaction. This activity has been observed across various Windows environments and can lead to significant security breaches.
Attack Chain
- The attacker gains initial access to the target system through various means, such as exploiting a vulnerability or using stolen credentials.
- The attacker uses a command-line interface (e.g.,
cmd.exe,powershell.exe) to interact with the Task Scheduler. - The attacker crafts a malicious
.jobfile in theC:\\Windows\\Tasks\\directory using tools likeschtasks.exeor by directly writing the file. The file extension ".job" is a key identifier. - The scheduled task is configured to execute a malicious script or program (e.g., PowerShell script, executable file) at a specific time or event.
- The Task Scheduler service (
taskeng.exe) executes the scheduled task according to the defined schedule. - The malicious script or program performs actions such as downloading malware, executing commands, or establishing a reverse shell.
- The attacker maintains persistent access to the system as the scheduled task continues to execute at the specified intervals.
- The attacker can perform further malicious activities, such as data exfiltration, lateral movement, or deploying ransomware.
Impact
Successful exploitation leads to persistent access on the compromised system, enabling the attacker to execute arbitrary code at scheduled intervals without user interaction. This can result in data theft, system compromise, or further propagation of malware within the network. The impact can range from minor disruptions to significant financial losses and reputational damage, depending on the attacker's objectives and the sensitivity of the compromised data. The creation of persistent scheduled tasks is a common tactic used in various ransomware and data theft campaigns, affecting organizations across different sectors.
Recommendation
- Enable Sysmon file creation logging to monitor
.jobfile creation inC:\\Windows\\Tasks\\(reference:logs-windows.sysmon_operational-*). - Deploy the Sigma rule "Persistence via Scheduled Job Creation" to your SIEM and tune for your environment (reference: rule section).
- Review and update exclusion lists for legitimate scheduled jobs regularly to minimize false positives (reference: false positives analysis in content section).
- Implement enhanced monitoring and alerting for scheduled job creation activities across the network to detect similar threats in the future, leveraging the specific query fields used in the detection rule (reference: query in content section).
Detection coverage 2
Persistence via Scheduled Job Creation
mediumDetects the creation of scheduled job files (.job) in the Windows Tasks directory, excluding known false positives.
Detect Scheduled Task Creation via Schtasks.exe
mediumDetects the creation of scheduled tasks using the schtasks.exe command-line utility, a common method for establishing persistence.
Detection queries are available on the platform. Get full rules →