Scheduled Task
Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library and Windows Management Instrumentation (WMI) to create a scheduled task. Adversaries may also utilize the Powershell Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to create a scheduled task via an XML path. An adversary may use Windows Task Scheduler to execute programs at system startup or on a scheduled basis for persistence. The Windows Task Scheduler can also be abused to conduct remote Execution as part of Lateral Movement and/or to run a process under the context of a specified account (such as SYSTEM). Similar to System Binary Proxy Execution, adversaries have also abused the Windows Task Scheduler to potentially mask one-time execution under signed/trusted system processes. Adversaries may also create "hidden" scheduled tasks (i.e. Hide Artifacts) that may not be visible to defender tools and manual queries used to enumerate tasks. Specifically, an adversary may hide a task from `schtasks /query` and the Task Scheduler by deleting the associated Security Descriptor (SD) registry value (where deletion of this value must be completed using SYSTEM permissions). Adversaries may also employ alternate methods to hide tasks, such as altering the metadata (e.g., `Index` value) within associated registry keys.
Open detection, hunting, mitigation, and evidence workspace
Detection logic
Monitor process execution from the svchost.exe in Windows 10 and the Windows Task Scheduler taskeng.exe for older versions of Windows. If scheduled tasks are not used for persistence, then the adversary is likely to remove the task when the action is complete. Monitor Windows Task Scheduler stores in %systemroot%\System32\Tasks for change entries related to scheduled tasks that do not correlate with known software, patch cycles, etc. Configure event logging for scheduled task creation and changes by enabling the "Microsoft-Windows-TaskScheduler/Operational" setting within the event logging service. Several events will then be logged on scheduled task activity, including: * Event ID 106 on Windows 7, Server 2008 R2 - Scheduled task registered * Event ID 140 on Windows 7, Server 2008 R2 / 4702 on Windows 10, Server 2016 - Scheduled task updated * Event ID 141 on Windows 7, Server 2008 R2 / 4699 on Windows 10, Server 2016 - Scheduled task deleted * Event ID 4698 on Windows 10, Server 2016 - Scheduled task created * Event ID 4700 on Windows 10, Server 2016 - Scheduled task enabled * Event ID 4701 on Windows 10, Server 2016 - Scheduled task disabled Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current scheduled tasks. Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. Tasks may also be created through Windows system management tools such as Windows Management Instrumentation and PowerShell, so additional logging may need to be configured to gather the appropriate data.
Observed actors
G0082GALLIUM
G0093APT3
G0022Kimsuky
G0094Patchwork
G0040APT41
G0096Dragonfly
G0035menuPass
G0045APT32
G0050MuddyWater
G0069Naikon
G0019FIN6
G0037Gamaredon Group
G0047FIN7
G0046Sandworm Team
G0034Machete
G0095Mustang Panda
G0129APT39
G0087TA2541
G1018APT37
G0067OilRig
G0049Higaisa
G0126Confucius
G0142Blue Mockingbird
G0108Winter Vivern
G1035BITTER
G1002RedCurl
G1039Stealth Falcon
G0038APT29
G0016Chimera
G0114BRONZE BUTLER
G0060TEMP.Veles
G0088Ember Bear
G1003ToddyCat
G1022LuminousMoth
G1014Fox Kitten
G0117APT-C-36
G0099Lazarus Group
G0032Silence
G0091Cobalt Group
G0080Wizard Spider
G0102Molerats
G0021Moonstone Sleet
G1036HEXANE
G1001Daggerfly
G1034Rancor
G0075Magic Hound
G0059APT33
G0064FIN10
G0051FIN8
G0061FIN13
G1016
Correlated CTI and IR reports
Israel Threat Actors CTI · explicit report mentionAPT41 Targeting Pharmaceutical Sector: Log4Shell to Domain Compromise
1200km CTI repository · explicit report mentionATT&CK as a Working Tool: Theory and Hands-On Practical Usage
1200km CTI repository · explicit report mentionAttack Playbook — Operation DragonRx
1200km CTI repository · explicit report mentionCTI Research: MuddyWater / Seedworm (Mango Sandstorm)
1200km CTI repository · explicit report mentionCTI Research: MuddyWater / Seedworm (Mango Sandstorm)
1200km CTI repository · explicit report mentionCTI Research: Sandworm / APT44
1200km CTI repository · explicit report mentionCTI Research: Sandworm / APT44
1200km CTI repository · explicit report mentionDetection Guide — Operation DragonRx
1200km CTI repository · explicit report mentionOperation DragonRx — APT41 Full Attack Simulation
1200km CTI repository · explicit report mentionOperation DragonRx: Simulating an APT41 Attack End-to-End — From Log4Shell to DFIR and Malware Analysis
1200km CTI repository · explicit report mentionPioneer Kitten (Fox Kitten, Lemon Sandstorm, UNC757) – Actor Deep Research
Israel Threat Actors CTI · explicit report mentionAPT41 Targeting Pharmaceutical Sector Log4Shell to Domain Compromise
1200km Medium · authored report mentionATT CK as a Working Tool Theory and Hands On Practical Usage
1200km Medium · authored report mentionAttack Playbook Operation DragonRx
1200km Medium · authored report mentionCTI Research MuddyWater Seedworm Mango Sandstorm
1200km Medium · authored report mentionCTI Research Sandworm APT44
1200km Medium · authored report mentionOperation DragonRx Simulating an APT41 Attack End to End From Log4Shell to DFIR and Malware
1200km Medium · authored report mention