Post Credit: Austin Miller
MITRE ATT&CK – T1053: Scheduled Task/Job
Why do something today when you can put it off until tomorrow?
My grandad gave me many pearls of wisdom when I was younger, but this adage probably stuck with me the most. Of course, if we’re willing to accept that, why not take it to its logical conclusion? Why do something today when I can make the computer do it forever for me?
Scheduling tasks and jobs to be completed automatically are a godsend for cybersecurity professionals. But just like they have many uses for the good guys, they are also actively employed by the adversary. Using a scheduled task allows the adversary to launch attacks automatically, potentially creating persistence that is difficult for the security team to deal with.
What is scheduled task/job abuse?
This is actually a new area for MITRE ATT&CK, having changed from Scheduled Task in the newest iteration of the framework. Updated in 2020, Scheduled Task went from being the technique proper to a sub-technique, alongside At, Launchd, Launch Daemon, Systemd Timers, and Container Orchestration Job.
Because using scheduled tasks/jobs open up a world of possibilities for the adversary, the nature of this abuse can vary greatly. Common ways to weaponize scheduling could include:
- Continuously downloading the malicious payload, hampering the security team’s ability to delete the malware at the source.
- Setting the malware to execute at a predetermined future date, potentially evading detection software
- Creating an attack that only launches when a specific event occurs, such as a security downgrade attack
Exploring the procedures of MITRE ATT&CK: Scheduled Task
Because scheduled tasks/jobs operate in largely similar ways across different OSs, you will find that the adversary will use scheduling to achieve similar ends. However, the MITRE ATT&CK framework separately lists the different scheduling utilities to show the ingenuity and opportunism of threat actors.
T1053.001-3 – At (Linux, Windows, Cron)
Because the at is a utility used in Linux, Windows, and Cron, three procedures are dedicated to it in the framework. As you’d expect, these uses are largely the same. Some highlights from the three entries include:
- Using at.exe to run a scheduled command on a remote system, such as the case of TG-0416 using at.exe to laterally move after compromise.
- Using cron on Unix-like operating systems can be leveraged to execute malware at regular intervals, ensuring persistence. This was used by the Ngrok mining botnet, for example.
T1053.004 – Launchd
A macOS system start up process, launchd initializes right after the kernel. By manipulating the launchd daemon, it is possible to launch malware through scheduling so that it runs at system startup. The Olyx macOS backdoor used this procedure to make sure the executable is running when the user logs in.
T1053.005 – Scheduled Task
Formerly the entire technique, the Windows Task Scheduler has been reduced to a sub-technique alongside the other scheduling utilities listed in this article. Because both time-based and event-based triggers are possible through this scheduler, it allows greater flexibility for the adversary. The following methods are listed in the framework for how the adversary will gain access to the Windows Task Scheduler.
- Using cmd to run schtasks
- Using a .NET wrapper
- Using the Windows netapi32 library
- Opening the Task Scheduler through the GUI via the Control Panel
T1053.006 – Systemd Timers
As an alternative to cron jobs, the systemd timers allow scripts and programs to trigger at specific times. The major boon of using systemd timers is that they allow a greater control of the events that the adversary sets off. Let’s look at some sample code:
SYSTEMD_TIMER="[Timer]
OnCalendar=4d
Persistent=true
OnActiveSec=360
[Install]
WantedBy=timers.target"
SYSTEMD_SERVICE="[Unit]
Type=simple
ExecStart=/usr/lib/xeactor/u.sh"
echo "$SYSTEMD_SERVICE" > usr/lib/systemd/system/xeactor.service
echo "$SYSTEMD_TIMER" > usr/lib/systemd/system/xeactor.timer
By using this to attack a system, the adversary can use the file x.sh to download and execute an additional file (u.sh) which runs every 360 seconds (lines 4 and 9). After initial infection, it becomes very easy to launch a persistent threat.
T1053.007 – Container Orchestration Job
If you are one of the many organizations that uses Kubernetes or a similar container program in your day-to-day workflow, you’ll understand that container orchestration jobs can launch containers to perform set tasks for batch jobs e.g., backups or report generation. When the adversary intervenes via this utility, it becomes possible to execute malicious code as a container in the cluster.
The frequent unearthing of container vulnerabilities should be enough to put anyone reading this on edge.
How serious is scheduled task/job abuse?
From the malware samples analyzed by Picus, 21,367 individual samples (or an 11% prevalence in all analyzed samples) contained evidence of scheduled task/job abuse. This is a common tactic that the adversary uses to avoid automatic detection, ensure persistence, and launch surprise attacks after lengthy periods of lying low.
The real problem is that these utilities are all necessary to the average IT professional’s daily work routine. As excellent examples of living off the land attacks (LotLs), it is impossible for a security professional to just stop all scheduled tasks – the workplace would grind to a halt! But understanding the risk that comes with using them is necessary.
How can I defend my organization?
The MITRE ATT&CK framework offers four different mitigation techniques that can be used to battle the adversary who is leveraging scheduled tasks against your defenses:
- M1047 – Audit, using toolkits such as the PowerSploit framework to explore systems for permission weaknesses.
- M1028 – Operating System Configuration, forcing tasks to only run under authenticated accounts instead of allowing them to run as SYSTEM. This can be accessed through the GPO.
- M1026 – Privileged Account Management, making the Administrators group the only one with rights to use the Increase Scheduling Priority option. This can be accessed through the GPO.
- M1018 – User Account Management, meaning that user accounts have limited privileges that Privilege Escalation vectors can’t evade.