{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/scheduled-task/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Defender XDR","Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["uac-bypass","privilege-escalation","windows","diskcleanup","scheduled-task"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eThis rule identifies User Account Control (UAC) bypass attempts via hijacking the DiskCleanup Scheduled Task. Attackers exploit this method to execute code with elevated privileges, bypassing standard security controls. The technique involves leveraging the \u003ccode\u003ecleanmgr.exe\u003c/code\u003e or \u003ccode\u003etaskhostw.exe\u003c/code\u003e executables with specific arguments (\u003ccode\u003e/autoclean\u003c/code\u003e and \u003ccode\u003e/d\u003c/code\u003e) outside of their expected paths. This allows attackers to run malicious code under the guise of a legitimate system process, making detection more challenging. 
This technique is used to gain elevated privileges on a compromised system, allowing for further malicious activities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system (e.g., via phishing or exploiting a software vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker modifies or creates a scheduled task to execute \u003ccode\u003ecleanmgr.exe\u003c/code\u003e or \u003ccode\u003etaskhostw.exe\u003c/code\u003e with the \u003ccode\u003e/autoclean\u003c/code\u003e and \u003ccode\u003e/d\u003c/code\u003e arguments.\u003c/li\u003e\n\u003cli\u003eThe modified scheduled task is triggered, executing the specified executable with the supplied arguments.\u003c/li\u003e\n\u003cli\u003eThe executable, such as \u003ccode\u003ecleanmgr.exe\u003c/code\u003e, attempts to run Disk Cleanup.\u003c/li\u003e\n\u003cli\u003eIf the executable path is outside the standard locations (e.g., \u003ccode\u003eC:\\\\Windows\\\\System32\u003c/code\u003e or \u003ccode\u003eC:\\\\Windows\\\\SysWOW64\u003c/code\u003e), it indicates a potential hijack.\u003c/li\u003e\n\u003cli\u003eMalicious code is executed with elevated privileges due to the UAC bypass.\u003c/li\u003e\n\u003cli\u003eThe attacker uses these elevated privileges to install malware, modify system settings, or perform other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to bypass User Account Control (UAC) and execute code with elevated privileges. This can lead to the installation of malware, modification of system settings, data theft, and other malicious activities. 
While the exact number of victims is unknown, this technique is effective on systems where UAC is enabled but misconfigured or vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;UAC Bypass via DiskCleanup with Suspicious Path\u0026rdquo; to your SIEM and tune for your environment to detect UAC bypass attempts.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;UAC Bypass via DiskCleanup and Taskhostw\u0026rdquo; to your SIEM to detect UAC bypass attempts.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003ecleanmgr.exe\u003c/code\u003e and \u003ccode\u003etaskhostw.exe\u003c/code\u003e with the \u003ccode\u003e/autoclean\u003c/code\u003e and \u003ccode\u003e/d\u003c/code\u003e arguments, focusing on executions outside the standard system directories.\u003c/li\u003e\n\u003cli\u003eReview and harden scheduled tasks to prevent unauthorized modifications.\u003c/li\u003e\n\u003cli\u003eEnsure that UAC settings are properly configured and enforced across the organization.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-04T12:00:00Z","date_published":"2024-01-04T12:00:00Z","id":"/briefs/2024-01-uac-bypass-diskcleanup/","summary":"Attackers bypass User Account Control (UAC) by hijacking the DiskCleanup Scheduled Task to stealthily execute code with elevated permissions on Windows systems.","title":"UAC Bypass via DiskCleanup Scheduled Task Hijack","url":"https://feed.craftedsignal.io/briefs/2024-01-uac-bypass-diskcleanup/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["low"],"_cs_tags":["persistence","scheduled-task","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies first-time modifications to scheduled tasks by non-system users on Windows systems. 
Adversaries frequently abuse scheduled tasks to achieve persistence by modifying existing tasks or creating new ones that execute malicious code at recurring intervals. This rule focuses on detecting unauthorized changes to existing tasks by filtering out known system accounts (SYSTEM, Local Service, Network Service) and machine accounts, thereby highlighting potentially suspicious user activity. The rule leverages Windows Security Event Logs (event code 4702) to monitor task modifications. The goal is to aid in the early detection of threats where attackers are attempting to establish persistence on a compromised system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system, potentially through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates existing scheduled tasks on the system using tools like \u003ccode\u003eschtasks.exe\u003c/code\u003e or PowerShell cmdlets.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a suitable scheduled task to modify for persistence.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the task\u0026rsquo;s settings, such as the trigger time, the executable to run, or the arguments passed to the executable. 
This modification is logged as event ID 4702.\u003c/li\u003e\n\u003cli\u003eThe scheduled task is updated using \u003ccode\u003eschtasks.exe /change\u003c/code\u003e or PowerShell\u0026rsquo;s \u003ccode\u003eSet-ScheduledTask\u003c/code\u003e cmdlet.\u003c/li\u003e\n\u003cli\u003eThe modified scheduled task executes at the specified time, launching the attacker\u0026rsquo;s malicious payload.\u003c/li\u003e\n\u003cli\u003eThe malicious payload establishes a reverse shell to the attacker\u0026rsquo;s command and control (C2) server.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the reverse shell to perform further actions on the compromised system, such as data exfiltration or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack involving the modification of scheduled tasks can lead to persistent access to a compromised system. The attacker can use this access to steal sensitive data, install malware, or perform other malicious activities. 
While this rule is low severity, it can uncover attackers attempting to persist in a network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable \u0026ldquo;Audit Other Object Access Events\u0026rdquo; to generate the required Windows Security Event Logs (event ID 4702) as described in the setup instructions.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to your SIEM to detect unusual scheduled task updates.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this rule to determine if the scheduled task modification is legitimate or malicious.\u003c/li\u003e\n\u003cli\u003eReview the references provided to understand the underlying event IDs and attacker techniques related to scheduled tasks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-unusual-scheduled-task-update/","summary":"This rule detects modifications to scheduled tasks by user accounts, excluding system activity and machine accounts, which adversaries can exploit for persistence by modifying them to execute malicious code.","title":"Unusual Scheduled Task Update","url":"https://feed.craftedsignal.io/briefs/2024-01-unusual-scheduled-task-update/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["medium"],"_cs_tags":["schtasks","scheduled-task","persistence","execution"],"_cs_type":"advisory","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eThis analytic detects the execution of Windows Scheduled Tasks on demand using the \u003ccode\u003eschtasks.exe\u003c/code\u003e utility. 
The detection focuses on identifying \u003ccode\u003eschtasks.exe\u003c/code\u003e being executed with the \u003ccode\u003erun\u003c/code\u003e command, which is often used by adversaries to force the execution of previously created scheduled tasks. This activity is significant because attackers frequently leverage scheduled tasks for persistent access, privilege escalation, or lateral movement within a compromised network. Detecting this behavior can help defenders identify and respond to malicious activity before it leads to further compromise. The technique has been associated with various threat actors and malware families including Qakbot, XMRig, and Medusa Ransomware as well as campaigns such as CISA AA22-257A and Industroyer2.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system through various means (e.g., exploiting a vulnerability, phishing).\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence by creating a new scheduled task using \u003ccode\u003eschtasks.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003eschtasks.exe\u003c/code\u003e with the \u003ccode\u003erun\u003c/code\u003e command to trigger the malicious scheduled task on demand.\u003c/li\u003e\n\u003cli\u003eThe scheduled task executes a malicious payload, such as a script or executable.\u003c/li\u003e\n\u003cli\u003eThe payload may perform various malicious actions, such as downloading additional malware, escalating privileges, or gathering sensitive information.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally to other systems on the network by creating and running scheduled tasks remotely.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to disable security controls or evade detection by modifying existing scheduled tasks.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration, 
ransomware deployment, or system disruption.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to persistent access, lateral movement, and privilege escalation within the compromised environment. Attackers can use this technique to maintain a foothold on the system, spread malware to other systems on the network, and ultimately achieve their objectives, such as data theft, ransomware deployment, or disruption of critical services.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect the execution of \u003ccode\u003eschtasks.exe\u003c/code\u003e with the \u003ccode\u003erun\u003c/code\u003e command, tuning it to exclude known legitimate uses.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of \u003ccode\u003eschtasks.exe\u003c/code\u003e execution with the \u003ccode\u003erun\u003c/code\u003e command to determine if they are malicious.\u003c/li\u003e\n\u003cli\u003eMonitor process execution data for unusual or unexpected processes being launched by scheduled tasks.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls and regularly review and audit scheduled tasks to prevent unauthorized modifications or creations.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process-creation logging (Event ID 1) to capture detailed information about process executions, including command-line arguments.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-schtasks-on-demand/","summary":"Detection of on-demand execution of Windows Scheduled Tasks via the schtasks.exe command-line utility, a common technique for persistence and lateral movement.","title":"Schtasks Run Task On 
Demand","url":"https://feed.craftedsignal.io/briefs/2024-01-03-schtasks-on-demand/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Sysmon"],"_cs_severities":["medium"],"_cs_tags":["persistence","scheduled-task","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic"],"content_html":"\u003cp\u003eThis rule detects the creation of scheduled tasks by Windows scripting engines, a tactic commonly employed by adversaries to establish persistence on compromised systems. The activity involves monitoring registry changes related to scheduled task actions and correlating them with script execution. Specifically, it looks for instances where cscript.exe, wscript.exe, powershell.exe, pwsh.exe or powershell_ise.exe are used to create or modify scheduled tasks. This behavior can be indicative of malicious activity, as legitimate software installations should not typically involve scripting engines directly creating scheduled tasks. Defenders should investigate any instances of this behavior to determine if it is malicious. 
The rule focuses on Windows environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system through various means (e.g., phishing, exploit).\u003c/li\u003e\n\u003cli\u003eThe attacker executes a script (e.g., PowerShell, VBScript) on the target system.\u003c/li\u003e\n\u003cli\u003eThe script interacts with the \u003ccode\u003etaskschd.dll\u003c/code\u003e library to create or modify a scheduled task.\u003c/li\u003e\n\u003cli\u003eThe script modifies the registry key \u003ccode\u003eHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\*\\Actions\u003c/code\u003e or \u003ccode\u003e\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\*\\Actions\u003c/code\u003e to define the actions performed by the scheduled task.\u003c/li\u003e\n\u003cli\u003eThe scheduled task is configured to execute a malicious payload at a specific time or event.\u003c/li\u003e\n\u003cli\u003eThe scheduled task executes, providing the attacker with persistent access to the system.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the persistent access to perform further malicious activities, such as lateral movement or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation leads to persistence on the compromised system, allowing attackers to maintain access even after reboots or user logoffs. This can facilitate long-term data theft, deployment of ransomware, or further compromise of the network. 
The impact depends on the privileges of the account under which the scheduled task runs, potentially granting SYSTEM level access.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon ImageLoad events (Event ID 7) to detect when \u003ccode\u003etaskschd.dll\u003c/code\u003e is loaded by scripting engines (powershell.exe, cscript.exe, wscript.exe) as described in the \u003ca href=\"https://ela.st/sysmon-event-7-setup\"\u003eSysmon Event ID 7 setup guide\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Registry Events to monitor changes to the registry paths associated with scheduled task actions as described in the \u003ca href=\"https://ela.st/sysmon-event-reg-setup\"\u003eSysmon Registry Events setup guide\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM to detect scheduled task creation by scripting engines and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by these rules, focusing on the specific scripts and scheduled tasks involved.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-scheduled-task-scripting/","summary":"Detection of scheduled task creation by Windows scripting engines like cscript.exe, wscript.exe, or powershell.exe, used by adversaries to establish persistence on compromised systems.","title":"Scheduled Task Creation via Scripting","url":"https://feed.craftedsignal.io/briefs/2024-01-03-scheduled-task-scripting/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["group-policy","scheduled-task","privilege-escalation","lateral-movement"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eAttackers can abuse Group Policy Objects (GPOs) to execute scheduled tasks at scale, compromising objects controlled by a given GPO. 
This involves modifying the contents of the \u003ccode\u003e\u0026lt;GPOPath\u0026gt;\\\\Machine\\\\Preferences\\\\ScheduledTasks\\\\ScheduledTasks.xml\u003c/code\u003e file. By altering the XML file to include malicious commands, attackers can achieve privilege escalation or lateral movement within the domain. This technique leverages a legitimate Active Directory mechanism, making it essential to differentiate between authorized administrative actions and malicious activities. The modification can be identified through changes to \u003ccode\u003egPCMachineExtensionNames\u003c/code\u003e or \u003ccode\u003egPCUserExtensionNames\u003c/code\u003e attributes within Active Directory.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to a system with permissions to modify GPOs.\u003c/li\u003e\n\u003cli\u003eAttacker modifies the \u003ccode\u003eScheduledTasks.xml\u003c/code\u003e file within the SYSVOL share of a targeted GPO (\u003ccode\u003e\\\\\\\\*\\\\SYSVOL\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker changes the contents of the XML file to include a malicious \u003ccode\u003e\u0026lt;Command\u0026gt;\u003c/code\u003e and \u003ccode\u003e\u0026lt;Arguments\u0026gt;\u003c/code\u003e tag.\u003c/li\u003e\n\u003cli\u003eThe modified GPO is replicated to domain controllers.\u003c/li\u003e\n\u003cli\u003eTarget systems receive the updated GPO during regular group policy refresh cycles.\u003c/li\u003e\n\u003cli\u003eThe scheduled task defined in the modified \u003ccode\u003eScheduledTasks.xml\u003c/code\u003e is executed on the target systems.\u003c/li\u003e\n\u003cli\u003eThe malicious command executes, potentially escalating privileges or facilitating lateral movement.\u003c/li\u003e\n\u003cli\u003eAttacker achieves desired objective, such as installing malware, creating new accounts, or exfiltrating data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary code on systems managed by the modified GPO. The scope of impact depends on the targeted GPO and the permissions of the scheduled task. This can lead to widespread compromise, affecting numerous systems and users within the domain. The modification of GPOs can be difficult to detect without proper monitoring, potentially allowing attackers to maintain persistence and control over the environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable and monitor Windows audit policies for \u0026ldquo;Audit Directory Service Changes\u0026rdquo; and \u0026ldquo;Audit Detailed File Share\u0026rdquo; to detect modifications to GPOs and file share access, as outlined in the \u003ca href=\"#setup\"\u003esetup\u003c/a\u003e section.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Scheduled Task Execution via GPO Attribute Modification\u0026rdquo; to detect modifications to the \u003ccode\u003egPCMachineExtensionNames\u003c/code\u003e or \u003ccode\u003egPCUserExtensionNames\u003c/code\u003e attributes.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Scheduled Task XML File Modification in SYSVOL\u0026rdquo; to detect modifications to the \u003ccode\u003eScheduledTasks.xml\u003c/code\u003e file in SYSVOL shares.\u003c/li\u003e\n\u003cli\u003eReview and validate any changes to GPOs, specifically those related to scheduled tasks, to ensure they are authorized and legitimate.\u003c/li\u003e\n\u003cli\u003eMonitor for the execution of unexpected or malicious commands originating from scheduled tasks created or modified via GPOs.\u003c/li\u003e\n\u003cli\u003eRegularly audit and review GPO configurations to identify any 
potential weaknesses or misconfigurations that could be exploited.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-gpo-scheduled-task-abuse/","summary":"Attackers abuse Group Policy Objects by modifying scheduled task attributes to execute malicious commands across objects controlled by the GPO, potentially leading to privilege escalation and lateral movement.","title":"GPO Scheduled Task Abuse for Privilege Escalation and Lateral Movement","url":"https://feed.craftedsignal.io/briefs/2024-01-gpo-scheduled-task-abuse/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Windows","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["lateral-movement","execution","windows","scheduled-task"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne"],"content_html":"\u003cp\u003eThis detection identifies remote scheduled task creations on a target host, which can be indicative of lateral movement. Adversaries often leverage scheduled tasks to execute malicious commands, maintain persistence, or escalate privileges. This technique is particularly effective as it uses native Windows functionality, making it harder to distinguish from legitimate administrative actions. This rule is designed for data generated by Elastic Defend and also supports third-party data sources such as SentinelOne Cloud Funnel and Sysmon. Understanding when and how scheduled tasks are created remotely is crucial for detecting and responding to potential intrusions. 
The rule focuses on network connections from svchost.exe and registry modifications related to task actions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a system, potentially through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised system to scan the network for potential targets.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to authenticate to a target Windows host using stolen credentials or by exploiting a vulnerability in a network service.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes a network connection to the target host\u0026rsquo;s Task Scheduler service, typically using ports in the dynamic port range (49152+). This connection originates from svchost.exe.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a new scheduled task on the target system using the Task Scheduler service.\u003c/li\u003e\n\u003cli\u003eThis creation involves modifying the registry key \u003ccode\u003eHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{TaskID}\\Actions\u003c/code\u003e to define the task\u0026rsquo;s actions. The \u0026lsquo;Actions\u0026rsquo; value is often base64 encoded.\u003c/li\u003e\n\u003cli\u003eThe scheduled task executes a malicious payload, granting the attacker further access or control over the target system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the newly gained access for lateral movement, data exfiltration, or other malicious objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized access to sensitive systems, data breaches, and further lateral movement within the network. 
The rule is designed to catch this activity, reducing the dwell time of attackers and minimizing potential damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM and tune for your environment to detect malicious scheduled task creation.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 3 (Network Connection) and Sysmon Registry Events to enhance visibility into network connections and registry modifications (see Setup instructions).\u003c/li\u003e\n\u003cli\u003eReview the base64-encoded task Actions registry value to determine the task\u0026rsquo;s configured action (see rule description).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine the legitimacy of the scheduled task creation and the intent behind the configured action.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-remote-scheduled-task-creation/","summary":"This rule identifies remote scheduled task creations on a target Windows host, potentially indicating lateral movement by adversaries, by monitoring network connections and registry modifications related to task scheduling.","title":"Detecting Remote Scheduled Task Creation for Lateral Movement","url":"https://feed.craftedsignal.io/briefs/2024-01-remote-scheduled-task-creation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["OneDrive","Visual Studio","Office","Firefox","Windows","HP Support Assistant"],"_cs_severities":["low"],"_cs_tags":["persistence","scheduled-task","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Hewlett-Packard","Mozilla","Google"],"content_html":"\u003cp\u003eAdversaries frequently leverage scheduled tasks in Windows to maintain persistence, elevate privileges, or facilitate lateral movement within a compromised network. 
This technique involves creating or modifying scheduled tasks to execute malicious code at specific times or intervals. The detection rule focuses on identifying the creation of new scheduled tasks logged in Windows event logs, filtering out tasks created by system accounts and those associated with legitimate software to minimize false positives. This detection is crucial because successful exploitation allows attackers to execute arbitrary commands or programs on a recurring basis, maintaining a foothold even after system reboots or user logoffs. Defenders need to monitor for anomalous task creation events to identify potential malicious activity. The rule references Microsoft Event ID 4698 as a key data source for detecting scheduled task creation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker gains initial access to the system through phishing, exploiting a vulnerability, or using compromised credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (if needed):\u003c/strong\u003e The attacker escalates privileges using exploits or by abusing misconfigurations to gain the necessary permissions to create scheduled tasks.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTask Creation:\u003c/strong\u003e The attacker creates a new scheduled task using tools like \u003ccode\u003eschtasks.exe\u003c/code\u003e or PowerShell.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eConfiguration:\u003c/strong\u003e The attacker configures the task to execute a malicious script or program at a specific time or event trigger.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The scheduled task is configured to run at regular intervals or upon system startup, ensuring persistent access to the compromised system.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecution:\u003c/strong\u003e When the 
scheduled task triggers, the malicious payload executes, performing actions such as installing malware, stealing data, or establishing a command and control connection.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement (optional):\u003c/strong\u003e The attacker uses the compromised system and scheduled task to move laterally to other systems on the network, repeating the task creation process.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation via scheduled task creation can lead to persistent access within the compromised environment. The attacker can maintain a foothold even after system restarts, enabling them to perform data exfiltration, deploy ransomware, or cause other disruptive activities. While the risk score is relatively low, the potential for persistence makes this a critical area to monitor, especially in environments where lateral movement is a significant concern. The number of affected systems depends on the scope of the initial compromise and the attacker\u0026rsquo;s ability to move laterally.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable \u0026ldquo;Audit Other Object Access Events\u0026rdquo; to generate the necessary Windows Security Event Logs for detecting scheduled task creation (reference: setup instructions in the original rule).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM to detect suspicious scheduled task creation events, and tune the rules by adding exclusions for known benign tasks in your environment.\u003c/li\u003e\n\u003cli\u003eReview the investigation steps outlined in the rule\u0026rsquo;s notes to triage alerts related to scheduled task creation, focusing on unfamiliar task names, unusual user accounts, and suspicious scheduled actions.\u003c/li\u003e\n\u003cli\u003eUse the \u003ccode\u003ereferences\u003c/code\u003e URL to understand the 
specific details of Windows Event ID 4698, which is generated when a scheduled task is created.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-02-scheduled-task-creation/","summary":"Adversaries may create scheduled tasks on Windows systems to establish persistence, move laterally, or escalate privileges, and this detection identifies such activity by monitoring Windows event logs for scheduled task creation events, excluding known benign tasks and those created by system accounts.","title":"Windows Scheduled Task Creation for Persistence","url":"https://feed.craftedsignal.io/briefs/2024-01-02-scheduled-task-creation/"}],"language":"en","title":"CraftedSignal Threat Feed — Scheduled-Task","version":"https://jsonfeed.org/version/1.1"}