Windows Task Scheduler lets you create and run virtually any task automatically. The system and many applications use it for maintenance jobs (disk cleanup, updates), but any user can create tasks. A task can start an application, run a command or execute a script at a given date and time, or be triggered when a specific event occurs (for example a logon, system startup, or an event-log entry).
According to MITRE ATT&CK (Scheduled Task/Job, T1053, with the Windows sub-technique Scheduled Task, T1053.005), scheduled tasks are used in the Execution, Persistence and Privilege Escalation stages of attacks. An adversary may use the task scheduler to run a program at system startup or on a schedule for persistence, to execute code on a remote host as part of lateral movement, or to run a task as SYSTEM in order to escalate privileges.
Adversaries that use Windows Task Scheduler:
In this post we cover two suspicious scheduled-task behaviors you can start hunting for:
1) Scheduled tasks running programs from suspicious or insecure locations
Tasks that run scripts or programs from temp directories or from locations writable by any user are a good indicator of initial execution or persistence of malware via scheduled tasks. Such locations include, but are not limited to, the following:
2) Since attackers often script their tasks, also pay attention to tasks whose action is set to one of the following scripting hosts or utilities:
Example of a malicious Task:
Tasks with a short lifetime
Here we hunt for scheduled tasks with a short lifetime: a task created to execute something once and then removed from the Task Scheduler. This scenario can be detected with the following Security-log events (both belong to the "Audit Other Object Access Events" subcategory, which must be enabled; the Microsoft-Windows-TaskScheduler/Operational log records the same actions as events 106 and 141):
- 4698 – A Scheduled Task was created
- 4699 – A Scheduled Task was deleted
Below is an example of a malicious task with a lifetime of less than one minute:
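The short-lifetime hunt is a correlation between a 4698 and the 4699 for the same task name on the same host. The following is an added example written for this article, not the post's own query: it reads constructed JSON-lines records of the kind a SIEM export produces (the field names `EventID`, `TimeCreated`, `Computer`, `TaskName` and `SubjectUserName` are assumed), pairs each deletion with the latest creation of that task, and reports pairs whose gap is at most 60 seconds.

```python
import json
from datetime import datetime

TASK_CREATED = 4698  # A scheduled task was created
TASK_DELETED = 4699  # A scheduled task was deleted

# Constructed Security-log records (JSON lines such as a SIEM export produces; not a real incident).
SAMPLE_EVENTS = r"""
{"EventID": 4698, "TimeCreated": "2024-03-01T10:00:00Z", "Computer": "WS01", "TaskName": "\\Microsoft\\Windows\\Update\\Scan", "SubjectUserName": "SYSTEM"}
{"EventID": 4699, "TimeCreated": "2024-03-01T10:02:45Z", "Computer": "WS01", "TaskName": "\\tmp01", "SubjectUserName": "jdoe"}
{"EventID": 4698, "TimeCreated": "2024-03-01T10:02:10Z", "Computer": "WS01", "TaskName": "\\tmp01", "SubjectUserName": "jdoe"}
{"EventID": 4698, "TimeCreated": "2024-03-01T11:00:00Z", "Computer": "WS02", "TaskName": "\\Backup", "SubjectUserName": "admin"}
{"EventID": 4699, "TimeCreated": "2024-03-01T18:30:00Z", "Computer": "WS02", "TaskName": "\\Backup", "SubjectUserName": "admin"}
{"EventID": 4699, "TimeCreated": "2024-03-01T12:00:00Z", "Computer": "WS03", "TaskName": "\\Orphan", "SubjectUserName": "svc"}
"""


def parse_events(jsonl: str) -> list:
    """Parse JSON-lines records and convert TimeCreated to an aware datetime."""
    events = []
    for line in jsonl.strip().splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        # fromisoformat() only accepts a trailing "Z" on Python 3.11+, so spell out the offset.
        ev["TimeCreated"] = datetime.fromisoformat(ev["TimeCreated"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def short_lived_tasks(events: list, max_lifetime_s: float = 60.0) -> list:
    """Pair each 4699 with the most recent 4698 for the same (Computer, TaskName)
    and report pairs whose gap is at most max_lifetime_s. Events are sorted by
    time first, so an export that is out of order (as above for \\tmp01) still pairs."""
    pending = {}
    findings = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        key = (ev["Computer"], ev["TaskName"].lower())
        if ev["EventID"] == TASK_CREATED:
            pending[key] = ev  # a re-creation supersedes the earlier one
        elif ev["EventID"] == TASK_DELETED:
            created = pending.pop(key, None)
            if created is None:
                continue  # deletion without a creation in the window: lifetime unknown
            lifetime = (ev["TimeCreated"] - created["TimeCreated"]).total_seconds()
            if lifetime <= max_lifetime_s:
                findings.append({
                    "computer": ev["Computer"],
                    "task": ev["TaskName"],
                    "created_by": created.get("SubjectUserName"),
                    "deleted_by": ev.get("SubjectUserName"),
                    "lifetime_s": lifetime,
                })
    return findings


if __name__ == "__main__":
    for hit in short_lived_tasks(parse_events(SAMPLE_EVENTS)):
        print(hit)
```

Only `\tmp01` on WS01 is reported (35 seconds between creation and deletion); the backup task lived for hours and the deletion on WS03 has no matching creation in the sample, so no lifetime can be computed for it. The one-minute threshold is a starting point; legitimate installers also create and remove tasks quickly, so pair this with the location and action checks from the first hunt before alerting.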
Command-line utilities such as at and schtasks are used by attackers to create malicious tasks on a system, but tasks can also be registered through the Task Scheduler API (for example PowerShell's Register-ScheduledTask, or a remote call over RPC) without ever spawning schtasks.exe, so hunting on command lines alone misses them; the 4698 and 4699 events above cover every creation path. Detecting malicious tasks lets you stop an attack in its execution, persistence and privilege-escalation stages, so that Windows Task Scheduler can keep being used safely for legitimate automation.