{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/schtasks/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["medium"],"_cs_tags":["schtasks","scheduled-task","persistence","execution"],"_cs_type":"advisory","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eThis analytic detects the execution of Windows Scheduled Tasks on demand using the \u003ccode\u003eschtasks.exe\u003c/code\u003e utility. The detection focuses on identifying \u003ccode\u003eschtasks.exe\u003c/code\u003e being executed with the \u003ccode\u003erun\u003c/code\u003e command, which is often used by adversaries to force the execution of previously created scheduled tasks. This activity is significant because attackers frequently leverage scheduled tasks for persistent access, privilege escalation, or lateral movement within a compromised network. Detecting this behavior can help defenders identify and respond to malicious activity before it leads to further compromise. The technique has been associated with various threat actors and malware families including Qakbot, XMRig, and Medusa Ransomware as well as campaigns such as CISA AA22-257A and Industroyer2.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system through various means (e.g., exploiting a vulnerability, phishing).\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence by creating a new scheduled task using \u003ccode\u003eschtasks.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003eschtasks.exe\u003c/code\u003e with the \u003ccode\u003erun\u003c/code\u003e command to trigger the malicious scheduled task on demand.\u003c/li\u003e\n\u003cli\u003eThe scheduled task executes a malicious payload, such as a script or executable.\u003c/li\u003e\n\u003cli\u003eThe payload may perform various malicious actions, such as downloading additional malware, escalating privileges, or gathering sensitive information.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally to other systems on the network by creating and running scheduled tasks remotely.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to disable security controls or evade detection by modifying existing scheduled tasks.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration, ransomware deployment, or system disruption.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to persistent access, lateral movement, and privilege escalation within the compromised environment. Attackers can use this technique to maintain a foothold on the system, spread malware to other systems on the network, and ultimately achieve their objectives, such as data theft, ransomware deployment, or disruption of critical services.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect the execution of \u003ccode\u003eschtasks.exe\u003c/code\u003e with the \u003ccode\u003erun\u003c/code\u003e command, tuning it to exclude known legitimate uses.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of \u003ccode\u003eschtasks.exe\u003c/code\u003e execution with the \u003ccode\u003erun\u003c/code\u003e command to determine if they are malicious.\u003c/li\u003e\n\u003cli\u003eMonitor process execution data for unusual or unexpected processes being launched by scheduled tasks.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls and regularly review and audit scheduled tasks to prevent unauthorized modifications or creations.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process-creation logging (Event ID 1) to capture detailed information about process executions, including command-line arguments.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-schtasks-on-demand/","summary":"Detection of on-demand execution of Windows Scheduled Tasks via the schtasks.exe command-line utility, a common technique for persistence and lateral movement.","title":"Schtasks Run Task On Demand","url":"https://feed.craftedsignal.io/briefs/2024-01-03-schtasks-on-demand/"}],"language":"en","title":"CraftedSignal Threat Feed — Schtasks","version":"https://jsonfeed.org/version/1.1"}