CYBERSECURITY JOB HUNTING GUIDE
T1053.005 Scheduled Task
Author: Stefan Waldvogel
LimaCharlie vs. Scheduled Task
Overview:
Description from ATT&CK
Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library to create a scheduled task.
The deprecated at utility could also be abused by adversaries (ex: At (Windows)), though at.exe can not access tasks created with schtasks or the Control Panel.
An adversary may use Windows Task Scheduler to execute programs at system startup or on a scheduled basis for persistence. The Windows Task Scheduler can also be abused to conduct remote Execution as part of Lateral Movement and/or to run a process under the context of a specified account (such as SYSTEM).
source: github.com/redcanaryco/atomic-red-team/tree/master/atomics
Commands:
Invoke-AtomicTest T1053.005 -ShowDetailsBrief
Invoke-AtomicTest T1053.005 -CheckPrereqs
Invoke-AtomicTest T1053.005 -GetPrereqs
Invoke-AtomicTest T1053.005
Invoke-AtomicTest T1053.005 -Cleanup
Contains 6 sub tests.
Changes:
Limitations:
Test 5 needs MS Word, which is not installed on the test machine.
Result:
Invoke-AtomicTest T1053.005 -TestNumbers 1 -> sigma, detected as Scheduled Task Creation
Invoke-AtomicTest T1053.005 -TestNumbers 2 -> soteria, detected as 00164-WIN-Scheduled_Task_Creation_With_Suspect_Path
Invoke-AtomicTest T1053.005 -TestNumbers 3 -> soteria, detected as 00164-WIN-Scheduled_Task_Creation_With_Suspect_Path
Invoke-AtomicTest T1053.005 -TestNumbers 4 -> the PowerShell process was detected, but not the scheduled task creation itself
Invoke-AtomicTest T1053.005 -TestNumbers 5 -> not run, Word/VBA not installed
Invoke-AtomicTest T1053.005 -TestNumbers 6 -> the PowerShell process was detected, but not the scheduled task creation itself
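The results above show the usual coverage gap for this technique: a rule keyed on a schtasks.exe process creation fires for tests 1 to 3, while tests that register the task from PowerShell never spawn schtasks.exe, so only the PowerShell process is seen. The following is an added example, written for this page and not taken from the write-up, from LimaCharlie or from Atomic Red Team. It models that gap in Python over constructed sample telemetry and shows how a second rule on Windows Security event 4698 ("A scheduled task was created", which requires the "Audit Other Object Access Events" subcategory to be enabled and the Security log to be collected) closes it. The event records, task names, paths and rule names are constructed for illustration; the assumption that tests 4 and 6 drive the task from PowerShell rather than schtasks.exe is taken from the result lines above.

```python
"""Coverage model for T1053.005 detections (added example, constructed data).

Two detection rules are evaluated against sample telemetry from two task
creations: one via schtasks.exe on the command line and one via a
PowerShell cmdlet that never spawns schtasks.exe. A process-command-line
rule alone misses the second; a rule on Security event 4698 sees both,
because the Task Scheduler service logs 4698 regardless of which client
API registered the task.
"""
import re

# Matches a task creation on the command line (schtasks.exe /create).
SCHTASKS_CREATE_RE = re.compile(r"schtasks(?:\.exe)?\s+/create\b", re.IGNORECASE)

# User-writable locations that a scheduled task should rarely execute from.
SUSPECT_PATH_RE = re.compile(
    r"\\(?:Users\\Public|Users\\[^\\]+\\AppData|ProgramData|Windows\\Temp|Temp)\\",
    re.IGNORECASE,
)

# Constructed sample events. "task" groups the telemetry of one task creation;
# None marks background noise that must not trigger anything.
SAMPLE_EVENTS = [
    # Creation A: schtasks.exe on the command line (style of atomic tests 1-3).
    {"task": "A", "type": "process",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "ExampleTaskA" /sc onlogon /tr "C:\Windows\System32\calc.exe"'},
    {"task": "A", "type": "security_4698", "task_name": r"\ExampleTaskA",
     "task_content": r"<Exec><Command>C:\Windows\System32\calc.exe</Command></Exec>"},
    # Creation B: registered from PowerShell; no schtasks.exe process appears.
    {"task": "B", "type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -Command Register-ScheduledTask -TaskName ExampleTaskB -Action $a -Trigger $t"},
    {"task": "B", "type": "security_4698", "task_name": r"\ExampleTaskB",
     "task_content": r"<Exec><Command>C:\Users\Public\payload.exe</Command></Exec>"},
    # Noise: querying tasks and the scheduler service host itself.
    {"task": None, "type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": "schtasks /query /tn ExampleTaskA"},
    {"task": None, "type": "process", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs -p -s Schedule"},
]


def rule_process_cmdline(event):
    """Process-creation rule: flag schtasks.exe /create on the command line."""
    if event.get("type") != "process":
        return None
    if SCHTASKS_CREATE_RE.search(event.get("cmdline", "")):
        return "Scheduled Task Creation (process cmdline)"
    return None


def rule_event_4698(event):
    """Security-log rule: event 4698 carries the registered task XML, so the
    executed command can be inspected whatever API created the task."""
    if event.get("type") != "security_4698":
        return None
    m = re.search(r"<Command>(.*?)</Command>", event.get("task_content", ""),
                  re.IGNORECASE | re.DOTALL)
    command = m.group(1) if m else ""
    if SUSPECT_PATH_RE.search(command):
        return "Scheduled Task Creation With Suspect Path (4698)"
    return "Scheduled Task Creation (4698)"


def detections_by_task(events, rules):
    """Map each task creation id to the set of detection names that fired on its telemetry."""
    out = {}
    for ev in events:
        if ev["task"] is None:
            continue
        fired = out.setdefault(ev["task"], set())
        for rule in rules:
            name = rule(ev)
            if name:
                fired.add(name)
    return out


def missed_tasks(events, rules):
    """Task creations for which no rule fired at all."""
    return sorted(t for t, d in detections_by_task(events, rules).items() if not d)


def noise_hits(events, rules):
    """Detections raised on background events (should be empty)."""
    return [r(ev) for ev in events if ev["task"] is None for r in rules if r(ev)]


if __name__ == "__main__":
    print("process rule only, missed:", missed_tasks(SAMPLE_EVENTS, [rule_process_cmdline]))
    print("process + 4698 rules, missed:",
          missed_tasks(SAMPLE_EVENTS, [rule_process_cmdline, rule_event_4698]))
    print("noise hits:", noise_hits(SAMPLE_EVENTS, [rule_process_cmdline, rule_event_4698]))
```

With only the command-line rule, creation B is reported as missed, which is the "detected the PowerShell but not the task itself" outcome; adding the 4698 rule covers both creations and, because the task XML exposes the executed path, also gives the suspect-path classification for B. The same idea applies to the Microsoft-Windows-TaskScheduler/Operational log (event 106, task registered), which is another task-side source that does not depend on which client created the task.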
© 2021. This work is licensed under a CC BY-SA 4.0 license