https://feed.craftedsignal.io/tags/scheduled_task/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 03 Jan 2024 12:00:00 +0000https://feed.craftedsignal.io/briefs/2024-01-suspicious-image-load-office/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-suspicious-image-load-office/Detection of taskschd.dll image loads from Microsoft Office applications indicates potential COM-based scheduled task creation for persistence, bypassing traditional schtasks.exe usage.This detection rule identifies a suspicious image load (taskschd.dll) originating from Microsoft Office applications (WINWORD.EXE, EXCEL.EXE, POWERPNT.EXE, MSPUB.EXE, MSACCESS.EXE). The behavior suggests potential adversarial activity involving the creation of scheduled tasks through the Windows Component Object Model (COM). Attackers may exploit this technique to establish persistence, circumventing traditional monitoring focused on the schtasks.exe utility. The use of COM for scheduled task management allows for stealthier operation and evasion of standard security controls, making it a valuable persistence mechanism for malicious actors. The rule is designed for data generated by Elastic Defend, Sysmon, and other endpoint detection platforms.

Attack Chain

1. User opens a malicious Microsoft Office document (e.g., Word, Excel).
2. The document executes embedded macro code or exploits a vulnerability.
3. The macro or exploit leverages the Component Object Model (COM).
4. The Office application (e.g., WINWORD.EXE) loads the taskschd.dll library, providing access to the Task Scheduler service.
5. The COM interface is used to programmatically create a new scheduled task.
6. The scheduled task is configured to execute a malicious payload at a later time or on a recurring basis.
7. The malicious payload could be a script, executable, or command-line instruction.
8. Upon execution, the payload achieves the attacker’s objective, such as establishing persistence, downloading additional malware, or compromising the system.

Impact

A successful attack leveraging this technique can allow adversaries to maintain persistent access to a compromised system. This can lead to long-term data exfiltration, lateral movement within the network, and deployment of ransomware. The low severity score assigned to the original rule may underestimate the potential impact, as persistence is a critical component of many advanced attacks. Affected systems may require extensive remediation to remove all traces of the malicious activity.

Recommendation

• Deploy the Sigma rule “Office Application Loading Task Scheduler DLL” to your SIEM and tune for your environment to detect this specific activity.
• Enable Sysmon Event ID 7 (Image Loaded) logging on Windows endpoints to provide visibility into DLL loading events, which is a prerequisite for the Sigma rule.
• Investigate any alerts generated by the Sigma rule, focusing on the specific scheduled tasks that are created and the payloads they execute.
• Monitor for scheduled task creation events (Event ID 4698) and deletion events (Event ID 4699) in the Windows Event Logs, as referenced in the rule’s investigation guide.

]]>lowadvisorypersistenceexecutionwindowsimage_loadscheduled_taskhttps://feed.craftedsignal.io/briefs/2024-01-local-scheduled-task-creation/Tue, 02 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-local-scheduled-task-creation/This rule detects the creation of scheduled tasks on Windows systems by non-system accounts, a common technique used by adversaries for persistence, lateral movement, and privilege escalation.Adversaries frequently abuse scheduled tasks in Windows to maintain persistence, move laterally within a network, or escalate privileges. This involves creating or modifying scheduled tasks to execute malicious commands or scripts at specific times or intervals. This detection rule focuses on identifying the creation of scheduled tasks by non-system accounts, which is often indicative of malicious activity. The rule specifically monitors for the execution of schtasks.exe with specific arguments related to task creation. It is designed to trigger when scheduled tasks are created by non-system level users, helping to filter out legitimate administrative activities. This is crucial for defenders because scheduled tasks provide a reliable and stealthy mechanism for attackers to maintain control over compromised systems.

Attack Chain

1. An attacker gains initial access to a Windows system through various means.
2. The attacker executes a command shell (e.g., cmd.exe, PowerShell) or script interpreter (e.g., wscript.exe) on the compromised system.
3. The attacker uses schtasks.exe with the /create parameter to create a new scheduled task.
4. The /TN parameter is used to specify the name of the task, and the /TR parameter defines the program or script to execute.
5. The /SC parameter sets the schedule for the task (e.g., daily, hourly, onlogon), and /RU specifies the user account under which the task will run.
6. The attacker configures the task to run with elevated privileges or under a non-system account to bypass security controls.
7. The scheduled task executes the attacker’s payload at the specified time or event, achieving persistence.
8. The payload may perform various malicious actions, such as installing malware, exfiltrating data, or establishing a command and control channel.

Impact

Successful exploitation can lead to persistent access to the compromised system, allowing attackers to maintain control even after reboots or user logoffs. Attackers can leverage scheduled tasks to escalate privileges, potentially gaining access to sensitive data or critical system resources. The creation of unauthorized scheduled tasks can also be used to move laterally within the network, compromising additional systems and expanding the scope of the attack.

Recommendation

• Enable Sysmon process creation logging with Event ID 1 to capture command-line arguments and process details (reference: Sysmon setup in rule setup).
• Deploy the Sigma rule “Scheduled Task Creation by Non-System Account” to your SIEM to detect suspicious schtasks.exe activity.
• Review and whitelist legitimate scheduled task creation activities in your environment to reduce false positives (reference: False positive analysis).
• Monitor process activity for processes such as cmd.exe, powershell.exe, wscript.exe creating scheduled tasks (reference: query).
• Investigate any scheduled tasks created by non-system accounts that do not have a clear business justification (reference: Investigation Guide).

]]>lowadvisorypersistencewindowsscheduled_taskattack.persistencehttps://feed.craftedsignal.io/briefs/2024-01-scheduled-task-creation/Tue, 02 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-scheduled-task-creation/This rule detects the creation of scheduled tasks in Windows using event logs, which adversaries may use for persistence, lateral movement, or privilege escalation by creating malicious tasks.Adversaries frequently abuse Windows scheduled tasks to establish persistence, move laterally within a network, and escalate privileges. This technique involves creating or modifying scheduled tasks to execute malicious code at specific times or in response to certain events. This detection rule identifies suspicious task creation by filtering out benign tasks and those initiated by system accounts, focusing on potential threats. The rule relies on Windows Security Event Logs, offering a valuable method for identifying unauthorized task creation indicative of malicious activity. The detection logic specifically excludes common tasks associated with software updates from vendors like Hewlett-Packard, Microsoft, Google, and Mozilla, as well as tasks run by system accounts.

Attack Chain

1. An attacker gains initial access to a system, potentially through phishing or exploiting a vulnerability.
2. The attacker uses their initial access to execute commands, potentially leveraging PowerShell or cmd.exe.
3. The attacker uses the schtasks command-line utility or the COM interface to create a new scheduled task.
4. The scheduled task is configured to execute a malicious payload, such as a reverse shell or a data exfiltration script.
5. The task is set to trigger based on a specific schedule, such as at system startup, at a specific time, or upon a specific event.
6. When the trigger occurs, the scheduled task executes the malicious payload.
7. The malicious payload establishes persistence, allowing the attacker to maintain access to the compromised system.
8. The attacker can then use the persistent access to move laterally to other systems or to exfiltrate sensitive data.

Impact

Successful exploitation allows adversaries to maintain persistent access to compromised systems, potentially leading to data theft, system disruption, or further lateral movement within the network. By creating malicious scheduled tasks, attackers can ensure their code is executed even after a system reboot or user logoff. This can result in long-term compromise and significant damage to affected organizations. While the number of victims and specific sectors targeted are not detailed, the potential impact is broad due to the widespread use of Windows systems in enterprise environments.

Recommendation

• Enable Windows Security Event Logging and ensure that event ID 4698 (A scheduled task was created) is collected.
• Deploy the Sigma rule “Suspicious Scheduled Task Creation via Winlog” to your SIEM to detect potentially malicious scheduled task creation events.
• Regularly review and update the exclusion list in the Sigma rule to account for new benign scheduled tasks in your environment.
• Investigate any alerts generated by the Sigma rule by examining the task’s name, path, actions, and triggers to determine if they are suspicious.
• Monitor for related suspicious activity, such as unusual process executions or network connections originating from the compromised system.

]]>mediumadvisorypersistencescheduled_taskwindows