{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/manageengine-desktopcentral-agent/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","SentinelOne Cloud Funnel","Elastic Defend","CCleaner","ManageEngine UEMS Agent","ManageEngine DesktopCentral Agent"],"_cs_severities":["medium"],"_cs_tags":["persistence","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","ManageEngine","CCleaner","Elastic","SentinelOne"],"content_html":"\u003cp\u003eAdversaries may abuse scheduled tasks to maintain persistence on a compromised system. This involves creating or modifying scheduled tasks to execute malicious code at specific times or intervals. This activity can be used to ensure that the attacker\u0026rsquo;s code remains active even after a system restart or user logout. The detection rule identifies suspicious job creation by monitoring specific file paths and extensions, excluding known legitimate processes to flag potential abuse. The rule is designed for data generated by Elastic Defend, but also supports Microsoft Defender XDR, SentinelOne Cloud Funnel, and Sysmon.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system (e.g., via phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to establish persistence.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a script or program to create a new scheduled job within the \u003ccode\u003eC:\\Windows\\Tasks\\\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eThe scheduled job is configured to execute a malicious payload at a specified time or interval.\u003c/li\u003e\n\u003cli\u003eThe malicious payload could be a script (e.g., PowerShell) or an executable.\u003c/li\u003e\n\u003cli\u003eThe scheduled job executes, triggering the malicious payload.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistent access to the system.\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious activities, such as data exfiltration or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to maintain a persistent presence on the compromised system. This allows them to execute malicious code, steal sensitive information, or perform other malicious activities over an extended period. The number of affected systems can vary depending on the scope of the initial compromise and the attacker\u0026rsquo;s objectives.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon Event ID 11 (File Create) logging to monitor file creation events on Windows systems.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious Scheduled Job Creation\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on scheduled jobs created in the \u003ccode\u003eC:\\Windows\\Tasks\\\u003c/code\u003e directory with a \u0026ldquo;.job\u0026rdquo; extension.\u003c/li\u003e\n\u003cli\u003eReview and update exclusion lists for known legitimate scheduled job creation processes (e.g., CCleaner, ManageEngine) to minimize false positives.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"/briefs/2024-01-09-scheduled-job-persistence/","summary":"This detection rule identifies attempts to establish persistence on Windows systems by creating scheduled jobs in the Windows Tasks directory, excluding known legitimate jobs.","title":"Persistence via Scheduled Job Creation","url":"https://feed.craftedsignal.io/briefs/2024-01-09-scheduled-job-persistence/"}],"language":"en","title":"CraftedSignal Threat Feed — ManageEngine DesktopCentral Agent","version":"https://jsonfeed.org/version/1.1"}