Post

Hunting Malicious Activity in Scheduled Task

Posted Updated
Preview Image
By lr2t9iz 4 min read

When we talk about hunting in cybersecurity, it’s likely that the first thing that comes to mind is querying a SIEM, our security event database. But what happens when the SIEM was implemented after the adversary had already configured a malicious scheduled task? This scenario presents a significant challenge, as the threat may be latent and operational without being detected by our latest monitoring tools.

In this post, we will explore how to hunt for these types of threats in our infrastructure, learn how to identify and analyze malicious scheduled tasks using techniques and tools that go beyond traditional SIEM capabilities. In addition, we will configure detection rules in S1EM to improve our ability to detect and respond to threats more effectively.

Scheduled Task

Scheduled tasks are very useful for IT tasks, developers use them to automate tasks, testing, and more. Adversaries also exploit this functionality as technique (T1053.005: Scheduled Task/Job: Scheduled Task) for execution, persistence, or privilege escalation.

Simulation

For our test, we will use Test Number 1 of T1053.005 technique from the Atomic Red Team project . We will create a scheduled task that simulates a malicious activity, where the task executes a process each time the system starts.

1
2

schtasks /create /tn "T1053_005_OnStartup" /sc onstart /ru system /tr "cmd.exe /c calc.exe"
REM > SUCCESS: The scheduled task "T1053_005_OnStartup" has successfully been created.

Hunting

To retrieve scheduled tasks, we can use either CMD or PowerShell. Let’s look at the commands for each:

With Windows CommandLine (cmd)

Open cmd as adminsitrator and run the following command to view all scheduled tasks

1

schtasks /query
  • Task list image
  • We can also filter the tasks that are active, by task name, and to get more detail of the task with the following commands.
1
2
3
4
5
6
7
8
9

REM ready and running tasks
schtasks /query | findstr "Ready"
schtasks /query | findstr "Running"

REM filter by taskname
schtasks /query /tn "T1053_005_OnStartup"

REM more details
schtasks /query /tn "T1053_005_OnStartup" /xml
  • The fields to pay attention to are trigger and action image
  • In the Triggers section we see BootTrigger which defines the trigger of the task, in this case is configured to be activated at system startup.
  • In the Actions section we see that it executes cmd with argument /c calc.exe

With PowerShell

Open PowerShell as adminsitrator and run the following command to view all scheduled tasks

1

Get-ScheduledTask
  • Task list image
  • We can also make the same filters as with cmd
1
2
3
4
5
6
7
8
9

# active tasks
Get-ScheduledTask | ? State -ne Disabled

# by taskname
Get-ScheduledTask | ? TaskName -eq T1053_005_OnStartup

# more details
(Get-ScheduledTask | ? TaskName -eq "T1053_005_OnStartup").triggers | fl Enabled, CimClass
(Get-ScheduledTask | ? TaskName -eq "T1053_005_OnStartup").actions | fl Execute, Arguments
  • Task details image
  • We have the same result as in cmd with the difference of the name of the trigger object.

With Osquery

Osquery is a SQL-based operating system instrumentation, monitoring and analysis framework developed by facebook. We can download from the following page, and install on the windows to hunt.

Osquery has several tables to do searches, for this post we will only use the following table, scheduled_tasks

  • We start osquery
    1
2

    Start-Service osqueryd
& 'C:\Program Files\osquery\osqueryi.exe'
  • Execute the following queries
1
2
3
4
5
6
7
8

-- show all scheduled_tasks
SELECT * FROM scheduled_tasks;

-- show all active scheduled_tasks
SELECT path, name, state FROM scheduled_tasks WHERE state != "disabled";

-- show specific task, by taskname
SELECT path, enabled, state, action, last_run_time, last_run_message FROM scheduled_tasks WHERE name == "T1053_005_OnStartup";
  • Task list image
  • The disadvantage we have with osquery it does not get the bootrigger object, but we can see when it was last executed in unix timestamps format and the last message result.

Collection & Detection

By default windows does not have task scheduler logs enabled, to enable them, run the following command in cmd as adminsitrator.

1

wevtutil sl Microsoft-Windows-TaskScheduler/Operational /enabled:true
  • With the configuration of groups and rules of the S1EM we obtain the following result image

Although with this method we can only see the name of the task, to view the trigger and action of the task, we will apply the detailed techniques mentioned earlier. By combining these approaches, we can effectively uncover and analyze scheduled tasks, ensuring our infrastructure remains secure against hidden threats.

Happy hunting!

blueteam, hunting
difficulty:low endpoint os:windows
This post is licensed under CC BY 4.0 by the author.