T1053 Scheduled Task/Job
Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.2
Adversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges). Similar to System Binary Proxy Execution, adversaries have also abused task scheduling to potentially mask one-time execution under a trusted system process.1
| Item | Value |
|---|---|
| ID | T1053 |
| Sub-techniques | T1053.002, T1053.003, T1053.005, T1053.006, T1053.007 |
| Tactics | TA0002, TA0003, TA0004 |
| Platforms | Containers, Linux, Windows, macOS |
| Permissions required | Administrator, SYSTEM, User |
| Version | 2.2 |
| Created | 31 May 2017 |
| Last Modified | 30 March 2023 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S1052 | DEADEYE | DEADEYE has used the scheduled tasks \Microsoft\Windows\PLA\Server Manager Performance Monitor, \Microsoft\Windows\Ras\ManagerMobility, \Microsoft\Windows\WDI\SrvSetupResults, and \Microsoft\Windows\WDI\USOShared |
| to establish persistence.8 | ||
| G1006 | Earth Lusca | Earth Lusca used the command schtasks /Create /SC ONLOgon /TN WindowsUpdateCheck /TR “[file path]” /ru system for persistence.10 |
| S0447 | Lokibot | Lokibot‘s second stage DLL has set a timer using “timeSetEvent” to schedule its next execution.7 |
| S0125 | Remsec | Remsec schedules the execution one of its modules by creating a new scheduler task.6 |
| S1034 | StrifeWater | StrifeWater has create a scheduled task named Mozilla\Firefox Default Browser Agent 409046Z0FF4A39CB for persistence.9 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1047 | Audit | Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for permission weaknesses in scheduled tasks that could be used to escalate privileges. 4 |
| M1028 | Operating System Configuration | Configure settings for scheduled tasks to force tasks to run under the context of the authenticated account instead of allowing them to run as SYSTEM. The associated Registry key is located at HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SubmitControl. The setting can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > Security Options: Domain Controller: Allow server operators to schedule tasks, set to disabled. 5 |
| M1026 | Privileged Account Management | Configure the Increase Scheduling Priority option to only allow the Administrators group the rights to schedule a priority process. This can be can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Increase scheduling priority. 3 |
| M1018 | User Account Management | Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create scheduled tasks on remote systems. |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0017 | Command | Command Execution |
| DS0032 | Container | Container Creation |
| DS0022 | File | File Creation |
| DS0009 | Process | Process Creation |
| DS0003 | Scheduled Job | Scheduled Job Creation |
References
-
Campbell, B. et al. (2022, March 21). Serpent, No Swiping! New Backdoor Targets French Entities with Unique Attack Chain. Retrieved April 11, 2022. ↩
-
Microsoft. (2005, January 21). Task Scheduler and security. Retrieved June 8, 2016. ↩
-
Microsoft. (2013, May 8). Increase scheduling priority. Retrieved December 18, 2017. ↩
-
Microsoft. (2012, November 15). Domain controller: Allow server operators to schedule tasks. Retrieved December 18, 2017. ↩
-
Kaspersky Lab’s Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016. ↩
-
Muhammad, I., Unterbrink, H.. (2021, January 6). A Deep Dive into Lokibot Infection Chain. Retrieved August 31, 2021. ↩
-
Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022. ↩
-
Cybereason Nocturnus. (2022, February 1). StrifeWater RAT: Iranian APT Moses Staff Adds New Trojan to Ransomware Operations. Retrieved August 15, 2022. ↩
-
Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022. ↩