Scheduled-Task — CraftedSignal Threat Feed

UAC Bypass via DiskCleanup Scheduled Task Hijack

hello@craftedsignal.io — Thu, 04 Jan 2024 12:00:00 +0000

This rule identifies User Account Control (UAC) bypass attempts via hijacking the DiskCleanup Scheduled Task. Attackers exploit this method to execute code with elevated privileges, bypassing standard security controls. The technique involves leveraging the cleanmgr.exe or taskhostw.exe executables with specific arguments (/autoclean and /d) outside of their expected paths. This allows attackers to run malicious code under the guise of a legitimate system process, making detection more challenging. This technique is used to gain elevated privileges on a compromised system, allowing for further malicious activities.

Attack Chain

An attacker gains initial access to the system (e.g., via phishing or exploiting a software vulnerability).
The attacker modifies or creates a scheduled task to execute cleanmgr.exe or taskhostw.exe with the /autoclean and /d arguments.
The modified scheduled task is triggered, executing the specified executable with the supplied arguments.
The executable, such as cleanmgr.exe, attempts to run Disk Cleanup.
If the executable path is outside the standard locations (e.g., C:\\Windows\\System32 or C:\\Windows\\SysWOW64), it indicates a potential hijack.
Malicious code is executed with elevated privileges due to the UAC bypass.
The attacker uses these elevated privileges to install malware, modify system settings, or perform other malicious activities.

Impact

Successful exploitation allows attackers to bypass User Account Control (UAC) and execute code with elevated privileges. This can lead to the installation of malware, modification of system settings, data theft, and other malicious activities. While the exact number of victims is unknown, this technique is effective on systems where UAC is enabled but misconfigured or vulnerable.

Recommendation

Deploy the Sigma rule “UAC Bypass via DiskCleanup with Suspicious Path” to your SIEM and tune for your environment to detect UAC bypass attempts.
Deploy the Sigma rule “UAC Bypass via DiskCleanup and Taskhostw” to your SIEM to detect UAC bypass attempts.
Monitor process creation events for cleanmgr.exe and taskhostw.exe with the /autoclean and /d arguments, focusing on executions outside the standard system directories.
Review and harden scheduled tasks to prevent unauthorized modifications.
Ensure that UAC settings are properly configured and enforced across the organization.

Unusual Scheduled Task Update

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

This detection identifies first-time modifications to scheduled tasks by non-system users on Windows systems. Adversaries frequently abuse scheduled tasks to achieve persistence by modifying existing tasks or creating new ones that execute malicious code at recurring intervals. This rule focuses on detecting unauthorized changes to existing tasks by filtering out known system accounts (SYSTEM, Local Service, Network Service) and machine accounts, thereby highlighting potentially suspicious user activity. The rule leverages Windows Security Event Logs (event code 4702) to monitor task modifications. The goal is to aid in the early detection of threats where attackers are attempting to establish persistence on a compromised system.

Attack Chain

An attacker gains initial access to a Windows system, potentially through phishing or exploiting a vulnerability.
The attacker enumerates existing scheduled tasks on the system using tools like schtasks.exe or PowerShell cmdlets.
The attacker identifies a suitable scheduled task to modify for persistence.
The attacker modifies the task’s settings, such as the trigger time, the executable to run, or the arguments passed to the executable. This modification is logged as event ID 4702.
The scheduled task is updated using schtasks.exe /change or PowerShell’s Set-ScheduledTask cmdlet.
The modified scheduled task executes at the specified time, launching the attacker’s malicious payload.
The malicious payload establishes a reverse shell to the attacker’s command and control (C2) server.
The attacker uses the reverse shell to perform further actions on the compromised system, such as data exfiltration or lateral movement.

Impact

A successful attack involving the modification of scheduled tasks can lead to persistent access to a compromised system. The attacker can use this access to steal sensitive data, install malware, or perform other malicious activities. While this rule is low severity, it can uncover attackers attempting to persist in a network.

Recommendation

Enable “Audit Other Object Access Events” to generate the required Windows Security Event Logs (event ID 4702) as described in the setup instructions.
Deploy the Sigma rule provided below to your SIEM to detect unusual scheduled task updates.
Investigate any alerts generated by this rule to determine if the scheduled task modification is legitimate or malicious.
Review the references provided to understand the underlying event IDs and attacker techniques related to scheduled tasks.

Schtasks Run Task On Demand

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

This analytic detects the execution of Windows Scheduled Tasks on demand using the schtasks.exe utility. The detection focuses on identifying schtasks.exe being executed with the run command, which is often used by adversaries to force the execution of previously created scheduled tasks. This activity is significant because attackers frequently leverage scheduled tasks for persistent access, privilege escalation, or lateral movement within a compromised network. Detecting this behavior can help defenders identify and respond to malicious activity before it leads to further compromise. The technique has been associated with various threat actors and malware families including Qakbot, XMRig, and Medusa Ransomware as well as campaigns such as CISA AA22-257A and Industroyer2.

Attack Chain

An attacker gains initial access to the system through various means (e.g., exploiting a vulnerability, phishing).
The attacker establishes persistence by creating a new scheduled task using schtasks.exe.
The attacker uses schtasks.exe with the run command to trigger the malicious scheduled task on demand.
The scheduled task executes a malicious payload, such as a script or executable.
The payload may perform various malicious actions, such as downloading additional malware, escalating privileges, or gathering sensitive information.
The attacker moves laterally to other systems on the network by creating and running scheduled tasks remotely.
The attacker attempts to disable security controls or evade detection by modifying existing scheduled tasks.
The attacker achieves their final objective, such as data exfiltration, ransomware deployment, or system disruption.

Impact

Successful exploitation can lead to persistent access, lateral movement, and privilege escalation within the compromised environment. Attackers can use this technique to maintain a foothold on the system, spread malware to other systems on the network, and ultimately achieve their objectives, such as data theft, ransomware deployment, or disruption of critical services.

Recommendation

Deploy the provided Sigma rule to your SIEM to detect the execution of schtasks.exe with the run command, tuning it to exclude known legitimate uses.
Investigate any detected instances of schtasks.exe execution with the run command to determine if they are malicious.
Monitor process execution data for unusual or unexpected processes being launched by scheduled tasks.
Implement strict access controls and regularly review and audit scheduled tasks to prevent unauthorized modifications or creations.
Enable Sysmon process-creation logging (Event ID 1) to capture detailed information about process executions, including command-line arguments.

Scheduled Task Creation via Scripting

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

This rule detects the creation of scheduled tasks by Windows scripting engines, a tactic commonly employed by adversaries to establish persistence on compromised systems. The activity involves monitoring registry changes related to scheduled task actions and correlating them with script execution. Specifically, it looks for instances where cscript.exe, wscript.exe, powershell.exe, pwsh.exe or powershell_ise.exe are used to create or modify scheduled tasks. This behavior can be indicative of malicious activity, as legitimate software installations should not typically involve scripting engines directly creating scheduled tasks. Defenders should investigate any instances of this behavior to determine if it is malicious. The rule focuses on Windows environments.

Attack Chain

An attacker gains initial access to the system through various means (e.g., phishing, exploit).
The attacker executes a script (e.g., PowerShell, VBScript) on the target system.
The script interacts with the taskschd.dll library to create or modify a scheduled task.
The script modifies the registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\*\Actions or \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\*\Actions to define the actions performed by the scheduled task.
The scheduled task is configured to execute a malicious payload at a specific time or event.
The scheduled task executes, providing the attacker with persistent access to the system.
The attacker leverages the persistent access to perform further malicious activities, such as lateral movement or data exfiltration.

Impact

Successful exploitation leads to persistence on the compromised system, allowing attackers to maintain access even after reboots or user logoffs. This can facilitate long-term data theft, deployment of ransomware, or further compromise of the network. The impact depends on the privileges of the account under which the scheduled task runs, potentially granting SYSTEM level access.

Recommendation

Enable Sysmon ImageLoad events (Event ID 7) to detect when taskschd.dll is loaded by scripting engines (powershell.exe, cscript.exe, wscript.exe) as described in the Sysmon Event ID 7 setup guide.
Enable Sysmon Registry Events to monitor changes to the registry paths associated with scheduled task actions as described in the Sysmon Registry Events setup guide.
Deploy the provided Sigma rules to your SIEM to detect scheduled task creation by scripting engines and tune for your environment.
Investigate any alerts generated by these rules, focusing on the specific scripts and scheduled tasks involved.

GPO Scheduled Task Abuse for Privilege Escalation and Lateral Movement

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

Attackers can abuse Group Policy Objects (GPOs) to execute scheduled tasks at scale, compromising objects controlled by a given GPO. This involves modifying the contents of the \\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml file. By altering the XML file to include malicious commands, attackers can achieve privilege escalation or lateral movement within the domain. This technique leverages a legitimate Active Directory mechanism, making it essential to differentiate between authorized administrative actions and malicious activities. The modification can be identified through changes to gPCMachineExtensionNames or gPCUserExtensionNames attributes within Active Directory.

Attack Chain

Attacker gains initial access to a system with permissions to modify GPOs.
Attacker modifies the ScheduledTasks.xml file within the SYSVOL share of a targeted GPO (\\\\*\\SYSVOL).
The attacker changes the contents of the XML file to include a malicious and tag.
The modified GPO is replicated to domain controllers.
Target systems receive the updated GPO during regular group policy refresh cycles.
The scheduled task defined in the modified ScheduledTasks.xml is executed on the target systems.
The malicious command executes, potentially escalating privileges or facilitating lateral movement.
Attacker achieves desired objective, such as installing malware, creating new accounts, or exfiltrating data.

Impact

Successful exploitation allows attackers to execute arbitrary code on systems managed by the modified GPO. The scope of impact depends on the targeted GPO and the permissions of the scheduled task. This can lead to widespread compromise, affecting numerous systems and users within the domain. The modification of GPOs can be difficult to detect without proper monitoring, potentially allowing attackers to maintain persistence and control over the environment.

Recommendation

Enable and monitor Windows audit policies for “Audit Directory Service Changes” and “Audit Detailed File Share” to detect modifications to GPOs and file share access, as outlined in the setup section.
Deploy the Sigma rule “Scheduled Task Execution via GPO Attribute Modification” to detect modifications to the gPCMachineExtensionNames or gPCUserExtensionNames attributes (rule: Scheduled Task Execution via GPO Attribute Modification).
Deploy the Sigma rule “Scheduled Task XML File Modification in SYSVOL” to detect modifications to the ScheduledTasks.xml file in SYSVOL shares (rule: Scheduled Task XML File Modification in SYSVOL).
Review and validate any changes to GPOs, specifically those related to scheduled tasks, to ensure they are authorized and legitimate.
Monitor for the execution of unexpected or malicious commands originating from scheduled tasks created or modified via GPOs.
Regularly audit and review GPO configurations to identify any potential weaknesses or misconfigurations that could be exploited.

Detecting Remote Scheduled Task Creation for Lateral Movement

hello@craftedsignal.io — Wed, 03 Jan 2024 10:00:00 +0000

This detection identifies remote scheduled task creations on a target host, which can be indicative of lateral movement. Adversaries often leverage scheduled tasks to execute malicious commands, maintain persistence, or escalate privileges. This technique is particularly effective as it uses native Windows functionality, making it harder to distinguish from legitimate administrative actions. This rule is designed for data generated by Elastic Defend and also supports third-party data sources such as SentinelOne Cloud Funnel and Sysmon. Understanding when and how scheduled tasks are created remotely is crucial for detecting and responding to potential intrusions. The rule focuses on network connections from svchost.exe and registry modifications related to task actions.

Attack Chain

The attacker gains initial access to a system, potentially through phishing or exploiting a vulnerability.
The attacker uses the compromised system to scan the network for potential targets.
The attacker attempts to authenticate to a target Windows host using stolen credentials or by exploiting a vulnerability in a network service.
The attacker establishes a network connection to the target host’s Task Scheduler service, typically using ports in the dynamic port range (49152+). This connection originates from svchost.exe.
The attacker creates a new scheduled task on the target system using the Task Scheduler service.
This creation involves modifying the registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{TaskID}\Actions to define the task’s actions. The ‘Actions’ value is often base64 encoded.
The scheduled task executes a malicious payload, granting the attacker further access or control over the target system.
The attacker uses the newly gained access for lateral movement, data exfiltration, or other malicious objectives.

Impact

Successful exploitation can lead to unauthorized access to sensitive systems, data breaches, and further lateral movement within the network. The rule is designed to catch this activity, reducing the dwell time of attackers and minimizing potential damage.

Recommendation

Deploy the provided Sigma rules to your SIEM and tune for your environment to detect malicious scheduled task creation.
Enable Sysmon Event ID 3 (Network Connection) and Sysmon Registry Events to enhance visibility into network connections and registry modifications (see Setup instructions).
Review the base64 encoded tasks actions registry value to investigate the task configured action (see rule description).
Investigate any alerts generated by the Sigma rule to determine the legitimacy of the scheduled task creation and the intent behind the configured action.

Windows Scheduled Task Creation for Persistence

hello@craftedsignal.io — Tue, 02 Jan 2024 12:00:00 +0000

Adversaries frequently leverage scheduled tasks in Windows to maintain persistence, elevate privileges, or facilitate lateral movement within a compromised network. This technique involves creating or modifying scheduled tasks to execute malicious code at specific times or intervals. The detection rule focuses on identifying the creation of new scheduled tasks logged in Windows event logs, filtering out tasks created by system accounts and those associated with legitimate software to minimize false positives. This detection is crucial because successful exploitation allows attackers to execute arbitrary commands or programs on a recurring basis, maintaining a foothold even after system reboots or user logoffs. Defenders need to monitor for anomalous task creation events to identify potential malicious activity. The rule references Microsoft Event ID 4698 as a key data source for detecting scheduled task creation.

Attack Chain

Initial Access: An attacker gains initial access to the system through phishing, exploiting a vulnerability, or using compromised credentials.
Privilege Escalation (if needed): The attacker escalates privileges using exploits or by abusing misconfigurations to gain the necessary permissions to create scheduled tasks.
Task Creation: The attacker creates a new scheduled task using tools like schtasks.exe or PowerShell.
Configuration: The attacker configures the task to execute a malicious script or program at a specific time or event trigger.
Persistence: The scheduled task is configured to run at regular intervals or upon system startup, ensuring persistent access to the compromised system.
Execution: When the scheduled task triggers, the malicious payload executes, performing actions such as installing malware, stealing data, or establishing a command and control connection.
Lateral Movement (optional): The attacker uses the compromised system and scheduled task to move laterally to other systems on the network, repeating the task creation process.

Impact

Successful exploitation via scheduled task creation can lead to persistent access within the compromised environment. The attacker can maintain a foothold even after system restarts, enabling them to perform data exfiltration, deploy ransomware, or cause other disruptive activities. While the risk score is relatively low, the potential for persistence makes this a critical area to monitor, especially in environments where lateral movement is a significant concern. The number of affected systems depends on the scope of the initial compromise and the attacker’s ability to move laterally.

Recommendation

Enable “Audit Other Object Access Events” to generate the necessary Windows Security Event Logs for detecting scheduled task creation (reference: setup instructions in the original rule).
Deploy the provided Sigma rules to your SIEM to detect suspicious scheduled task creation events, and tune the rules by adding exclusions for known benign tasks in your environment.
Review the investigation steps outlined in the rule’s notes to triage alerts related to scheduled task creation, focusing on unfamiliar task names, unusual user accounts, and suspicious scheduled actions.
Use the references URL to understand the specific details of Windows Event ID 4698, which is generated when a scheduled task is created.