CCleaner — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/vendors/ccleaner/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioTue, 09 Jan 2024 12:00:00 +0000Persistence via Scheduled Job Creationhttps://feed.craftedsignal.io/briefs/2024-01-09-scheduled-job-persistence/Tue, 09 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-09-scheduled-job-persistence/This detection rule identifies attempts to establish persistence on Windows systems by creating scheduled jobs in the Windows Tasks directory, excluding known legitimate jobs.Adversaries may abuse scheduled tasks to maintain persistence on a compromised system. This involves creating or modifying scheduled tasks to execute malicious code at specific times or intervals. This activity can be used to ensure that the attacker’s code remains active even after a system restart or user logout. The detection rule identifies suspicious job creation by monitoring specific file paths and extensions, excluding known legitimate processes to flag potential abuse. The rule is designed for data generated by Elastic Defend, but also supports Microsoft Defender XDR, SentinelOne Cloud Funnel, and Sysmon.

Attack Chain

  1. An attacker gains initial access to a Windows system (e.g., via phishing or exploiting a vulnerability).
  2. The attacker attempts to establish persistence.
  3. The attacker uses a script or program to create a new scheduled job within the C:\Windows\Tasks\ directory.
  4. The scheduled job is configured to execute a malicious payload at a specified time or interval.
  5. The malicious payload could be a script (e.g., PowerShell) or an executable.
  6. The scheduled job executes, triggering the malicious payload.
  7. The attacker maintains persistent access to the system.
  8. The attacker performs malicious activities, such as data exfiltration or lateral movement.

Impact

Successful exploitation allows attackers to maintain a persistent presence on the compromised system. This allows them to execute malicious code, steal sensitive information, or perform other malicious activities over an extended period. The number of affected systems can vary depending on the scope of the initial compromise and the attacker’s objectives.

Recommendation

  • Enable Sysmon Event ID 11 (File Create) logging to monitor file creation events on Windows systems.
  • Deploy the Sigma rule “Detect Suspicious Scheduled Job Creation” to your SIEM and tune for your environment.
  • Investigate any alerts generated by the Sigma rule, focusing on scheduled jobs created in the C:\Windows\Tasks\ directory with a “.job” extension.
  • Review and update exclusion lists for known legitimate scheduled job creation processes (e.g., CCleaner, ManageEngine) to minimize false positives.
]]>mediumadvisorypersistencewindows