Threat Hunting Using Windows Scheduled Task

Scheduled tasks are a useful tool for administrators and regular users, but they are also a convenient execution and persistence mechanism for attackers. The Task Scheduler is present on every Windows version and is simple to drive from the command line, which makes it an attractive option for malicious actors. Even experienced analysts can struggle to tell a legitimate task from one that an attacker has planted or modified. This article covers the common hunting strategies for detecting abuse of scheduled tasks.

Event IDs Covering Scheduled Tasks

To detect suspicious activity around scheduled tasks, monitor these Security log Event IDs. The task lifecycle events (4698 to 4702) are only written when the Audit Other Object Access subcategory is enabled; 4688 requires Audit Process Creation, and its CommandLine field is populated only if "Include command line in process creation events" is turned on; 5145 requires Audit Detailed File Share.

  • Event ID 4698: Generated when a new scheduled task is created
  • Event ID 4699: Generated when a scheduled task is deleted
  • Event ID 4700: Generated when a scheduled task is enabled
  • Event ID 4701: Generated when a scheduled task is disabled
  • Event ID 4702: Generated when a scheduled task is updated
  • Event ID 4688: Generated when a new process is created
  • Event ID 5145: Generated when a network share object (including a named pipe under IPC$) is checked to see whether the client can be granted the requested access

Hunting for Suspicious Scheduled Tasks

There are several techniques for identifying and dealing with suspicious scheduled tasks:

Task with a Short Lifetime

With the Audit Other Object Access subcategory enabled, look for an Event ID 4698 followed by an Event ID 4699 carrying the same SubjectLogonId and TaskName within a one-minute window. A task that exists for less than a minute is unusual for legitimate software but typical of lateral-movement tooling, which registers a task, runs it once and deletes it to remove the evidence.

Scheduled Task Action Set to a Legitimate Microsoft Scripting or LOLBAS Utility

Build a rule on Event ID 4698 or 4702 (the task's action is in the TaskContent XML) and, for execution time, on Event ID 4688 or Sysmon Event ID 1, that flags tasks whose action is a Microsoft scripting host or another LOLBAS binary: cscript.exe, wscript.exe, rundll32.exe, wmic.exe, cmd.exe, mshta.exe and powershell.exe. Adversaries favour these because they are signed, already present and rarely blocked, so a task whose only purpose is to launch one of them with a script or payload argument deserves review. Expect legitimate hits as well, since many Microsoft and vendor tasks call cmd.exe or powershell.exe; baseline on the arguments rather than on the binary alone.

Remote Task Creation

Monitoring Event ID 5145 with ShareName "\\*\IPC$" and RelativeTargetName "atsvc" alerts on a rare event: a client opening the named pipe of the AT scheduler RPC interface, which is the path used by at.exe and by remote execution tools that drive that legacy interface. Clients that use the newer Task Scheduler RPC interface do not necessarily touch this pipe, so also correlate a network logon with a task registration: Event ID 4624 with LogonType 3 followed within one minute by an Event ID 4698 whose SubjectLogonId equals the 4624 TargetLogonId. The IpAddress field of the 4624 then tells you where the task was registered from.
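The two time-window correlations above (short-lived task, remote task creation) share the same mechanics, pairing events on the logon session ID inside a window, so here is one added Python example covering both. It is not from the original article; the events are constructed sample records whose keys follow the Security log EventData field names, and in practice you would feed it flattened 4624/4698/4699 events exported from the Security log or your SIEM.

```python
from datetime import datetime, timedelta

# Constructed sample Security-log events (not real telemetry). Keys mirror the
# EventData field names of 4624 (TargetLogonId, LogonType, IpAddress) and of
# 4698/4699 (SubjectLogonId, TaskName) after the event XML has been flattened.
SAMPLE_EVENTS = [
    # network logon, task created 12 s later and deleted 28 s after that
    {"EventID": 4624, "Time": "2024-03-01T10:00:00", "LogonType": "3",
     "TargetLogonId": "0x3E7A1", "TargetUserName": "svc_backup",
     "IpAddress": "10.0.0.25"},
    {"EventID": 4698, "Time": "2024-03-01T10:00:12", "SubjectLogonId": "0x3E7A1",
     "SubjectUserName": "svc_backup", "TaskName": "\\Microsoft\\Windows\\Update"},
    {"EventID": 4699, "Time": "2024-03-01T10:00:40", "SubjectLogonId": "0x3E7A1",
     "SubjectUserName": "svc_backup", "TaskName": "\\Microsoft\\Windows\\Update"},
    # interactive user creates a task and removes it a day later: benign
    {"EventID": 4698, "Time": "2024-03-01T11:00:00", "SubjectLogonId": "0x5A2",
     "SubjectUserName": "alice", "TaskName": "\\Backup"},
    {"EventID": 4699, "Time": "2024-03-02T11:00:00", "SubjectLogonId": "0x5A2",
     "SubjectUserName": "alice", "TaskName": "\\Backup"},
    # network logon with no task activity in the window
    {"EventID": 4624, "Time": "2024-03-01T12:00:00", "LogonType": "3",
     "TargetLogonId": "0x7001", "TargetUserName": "bob", "IpAddress": "10.0.0.7"},
]


def _ts(event):
    return datetime.fromisoformat(event["Time"])


def short_lived_tasks(events, window_seconds=60):
    """4698 followed by a 4699 with the same SubjectLogonId and TaskName
    inside the window. Each creation is paired with its first matching
    deletion only, so a re-created task is reported once per creation."""
    hits = []
    deletions = sorted((e for e in events if e["EventID"] == 4699), key=_ts)
    for c in (e for e in events if e["EventID"] == 4698):
        window_end = _ts(c) + timedelta(seconds=window_seconds)
        for d in deletions:
            if (d["SubjectLogonId"] == c["SubjectLogonId"]
                    and d["TaskName"] == c["TaskName"]
                    and _ts(c) <= _ts(d) <= window_end):
                hits.append({"TaskName": c["TaskName"],
                             "LogonId": c["SubjectLogonId"],
                             "User": c["SubjectUserName"],
                             "LifetimeSeconds": int((_ts(d) - _ts(c)).total_seconds())})
                break
    return hits


def remote_task_creations(events, window_seconds=60):
    """4624 with LogonType 3 followed inside the window by a 4698 whose
    SubjectLogonId equals the logon's TargetLogonId. The logon session ID
    is what ties the network logon to the task registration."""
    hits = []
    creations = sorted((e for e in events if e["EventID"] == 4698), key=_ts)
    for logon in (e for e in events if e["EventID"] == 4624 and e["LogonType"] == "3"):
        window_end = _ts(logon) + timedelta(seconds=window_seconds)
        for c in creations:
            if (c["SubjectLogonId"] == logon["TargetLogonId"]
                    and _ts(logon) <= _ts(c) <= window_end):
                hits.append({"TaskName": c["TaskName"],
                             "LogonId": logon["TargetLogonId"],
                             "User": logon["TargetUserName"],
                             "SourceIp": logon["IpAddress"],
                             "DelaySeconds": int((_ts(c) - _ts(logon)).total_seconds())})
    return hits


if __name__ == "__main__":
    for hit in short_lived_tasks(SAMPLE_EVENTS):
        print("short-lived task:", hit)
    for hit in remote_task_creations(SAMPLE_EVENTS):
        print("remote task creation:", hit)
```

Swap the sample list for your exported events and widen the window if tooling in your environment is slower; the pairing on the logon session ID is what keeps two unrelated users' tasks with the same name apart, which a TaskName-only join would not.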

Task Set to Run Once

Hunt for Event ID 4698 events whose TaskContent XML matches the regular expression "(?i)(.TimeTrigger.+EndBoundary.)", that is, a TimeTrigger carrying an EndBoundary. A time-based trigger with an expiry is how a task set to run once and then expire appears, and legitimate software rarely registers tasks that way, so each hit is worth a look. Because the payload is XML, a structural check (a TimeTrigger element with an EndBoundary child) is more reliable than the regex, whose ".+" also matches across unrelated elements.

Suspicious Task Update

Monitor Event ID 4702 (task updated) and filter out events whose Subject Account Name is SYSTEM. Windows itself modifies many built-in tasks under the SYSTEM account, so updates made under a user or service account are comparatively rare and worth reviewing, in particular when the update changes the task's action or principal. Compare the new task definition carried by the 4702 with the original 4698 to see exactly what changed.

Suspicious Schtasks Cmdline

Monitor Event ID 4688 (with command-line logging) or Sysmon Event ID 1 for schtasks.exe command lines containing the switches /Create, /Change or /Run, which register, modify or launch a task. Two more switches sharpen the hunt: /SC ONEVENT creates an event-triggered task (one that fires on a matching Windows event rather than on a schedule), and /S <system> targets a remote host, so a workstation running schtasks /S against servers is worth investigating.
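An added Python example (not from the original article) that parses schtasks.exe command lines as they appear in a 4688 CommandLine or Sysmon Event ID 1 field and raises the flags described above. The command lines are constructed samples; the switch names are real schtasks switches. Path checks on the /TR value are omitted here, since the task definition carried by the 4698 TaskContent gives that information more reliably.

```python
import shlex

# Real schtasks.exe switches that matter here: /Create, /Change, /Run and
# /Delete act on a task; /S names a remote system; /SC sets the schedule type
# (ONEVENT makes the task fire on a Windows event); /RU sets the run-as user;
# /TR is the program to run; /TN the task name.
ACTION_SWITCHES = {"/create", "/change", "/run", "/delete"}
VALUE_SWITCHES = {"/s": "remote_system", "/sc": "schedule", "/ru": "run_as",
                  "/tr": "task_run", "/tn": "task_name"}

# Constructed sample 4688 / Sysmon 1 command lines (not real telemetry).
SAMPLE_CMDLINES = [
    r'schtasks.exe /Create /S FILESRV01 /RU SYSTEM /SC ONEVENT /EC Security '
    r'/MO "*[System[EventID=4624]]" /TN "\Microsoft\Windows\Update" '
    r'/TR "C:\Users\Public\update.exe"',
    r'"C:\Windows\System32\schtasks.exe" /Query /TN "\Microsoft\Windows\Defrag\ScheduledDefrag"',
    r'schtasks /Run /TN "\Backup"',
    r'C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule',
]


def parse_schtasks(cmdline):
    """Split a command line Windows-style (quotes kept, no backslash escapes)
    and pull out the schtasks switches we hunt on. Returns None when the
    image is not schtasks at all."""
    argv = shlex.split(cmdline, posix=False)
    if not argv:
        return None
    image = argv[0].strip('"').lower()
    if image != "schtasks" and not image.endswith("schtasks.exe"):
        return None
    info = {"action": None, **{name: None for name in VALUE_SWITCHES.values()}}
    i = 1
    while i < len(argv):
        switch = argv[i].lower()
        if switch in ACTION_SWITCHES:
            info["action"] = switch[1:]
        elif switch in VALUE_SWITCHES and i + 1 < len(argv):
            info[VALUE_SWITCHES[switch]] = argv[i + 1].strip('"')
            i += 1  # consume the switch's value
        i += 1
    return info


def schtasks_findings(cmdline):
    """Hunting flags for one command line; an empty list means nothing to see."""
    info = parse_schtasks(cmdline)
    if info is None:
        return []
    findings = []
    if info["action"] in {"create", "change", "run"}:
        findings.append(f"schtasks /{info['action']}")
    if info["remote_system"]:
        findings.append(f"targets remote system {info['remote_system']}")
    if (info["schedule"] or "").upper() == "ONEVENT":
        findings.append("event-triggered task (/SC ONEVENT)")
    if (info["run_as"] or "").lower() in {"system", "nt authority\\system"}:
        findings.append("runs as SYSTEM")
    return findings


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(schtasks_findings(line) or "-", "<=", line)
```

The first sample is the shape to worry about: a remote, event-triggered task running as SYSTEM whose /TR points into a user profile. The /Query line and the svchost.exe host process for the Schedule service produce no findings, which is the behaviour you want from a rule meant to survive contact with a busy Security log.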

Suspicious Scheduled Task Action Path

Monitor Event ID 4688 (with command-line logging enabled), 4698 and 4702 for task actions whose command or arguments point into user-writable locations such as "C:\Users\*", "C:\ProgramData\*" and "C:\Windows\Temp\*". Legitimate system and vendor tasks almost always run binaries from Program Files or System32; a task launching something from a user profile, ProgramData or Temp is a common persistence pattern. Check the arguments as well as the command, since the command is often a legitimate interpreter and the script path in the arguments is the actual payload.
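The three content checks above (LOLBAS action, run-once TimeTrigger with EndBoundary, user-writable action path) all read the task definition XML that Event ID 4698 and 4702 carry in their TaskContent field, so here is one added Python example (not from the original article) implementing them structurally against that XML. The two task definitions are constructed samples written in the real Task Scheduler schema. The Hidden and DeleteExpiredTaskAfter checks go beyond the article's list; both are legitimate schema elements that make a task harder to notice, so they are cheap to flag alongside the rest.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Task Scheduler task-definition namespace used in the 4698/4702 TaskContent field.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Microsoft scripting hosts and other LOLBAS binaries named in the article.
LOLBAS_UTILITIES = {"cscript.exe", "wscript.exe", "rundll32.exe", "wmic.exe",
                    "cmd.exe", "mshta.exe", "powershell.exe"}
# User-writable locations from the article, compared case-insensitively.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
WIN_PATH_RE = re.compile(r'[A-Za-z]:\\[^\s"]+')


def analyze_task_content(task_xml):
    """Return hunting findings for one task definition (the TaskContent XML
    carried by Event ID 4698 and 4702)."""
    # TaskContent opens with an encoding="UTF-16" declaration; drop it so the
    # already-decoded string parses cleanly.
    root = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", task_xml).strip())
    findings = []
    for exec_action in root.findall(".//t:Actions/t:Exec", NS):
        command = exec_action.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        arguments = exec_action.findtext("t:Arguments", default="", namespaces=NS)
        image = PureWindowsPath(command).name.lower()
        if image in LOLBAS_UTILITIES:
            findings.append(f"action runs scripting/LOLBAS utility {image}")
        # check the command itself and every absolute path passed as an argument
        for path in [command] + WIN_PATH_RE.findall(arguments):
            if path.lower().startswith(USER_WRITABLE_PREFIXES):
                findings.append(f"action references user-writable path {path}")
    # A TimeTrigger with an EndBoundary is the structural form of the article's
    # (?i)(.TimeTrigger.+EndBoundary.) regex: a one-shot trigger with an expiry.
    for trigger in root.findall(".//t:Triggers/t:TimeTrigger", NS):
        if trigger.find("t:EndBoundary", NS) is not None:
            findings.append("run-once TimeTrigger with EndBoundary")
    settings = root.find("t:Settings", NS)
    if settings is not None:
        if settings.find("t:DeleteExpiredTaskAfter", NS) is not None:
            findings.append("task deletes itself after expiry (DeleteExpiredTaskAfter)")
        if settings.findtext("t:Hidden", default="", namespaces=NS).strip().lower() == "true":
            findings.append("task is hidden (Settings/Hidden)")
    return findings


# Constructed sample: interpreter from System32, payload script in a user
# profile, one-shot trigger with expiry, hidden, self-deleting.
SUSPICIOUS_TASK_XML = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>WORKSTATION\alice</Author></RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <StartBoundary>2024-03-01T10:05:00</StartBoundary>
      <EndBoundary>2024-03-01T10:10:00</EndBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal>
  </Principals>
  <Settings>
    <Hidden>true</Hidden>
    <DeleteExpiredTaskAfter>PT0S</DeleteExpiredTaskAfter>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
      <Arguments>-NoP -W Hidden -EP Bypass -File C:\Users\Public\stage.ps1</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed sample: daily vendor backup from Program Files, nothing to flag.
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2024-01-01T02:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>"C:\Program Files\Vendor\backup.exe"</Command>
      <Arguments>--full</Arguments>
    </Exec>
  </Actions>
</Task>"""


if __name__ == "__main__":
    for name, xml_text in (("suspicious", SUSPICIOUS_TASK_XML), ("benign", BENIGN_TASK_XML)):
        print(name, analyze_task_content(xml_text) or "no findings")
```

Feed the function the TaskContent string from each 4698 (or the new definition from each 4702) and review anything with two or more findings first; the LOLBAS and path checks on their own will hit plenty of legitimate vendor tasks, while the combination of an interpreter, a payload under a profile, a one-shot expiring trigger and a hidden, self-deleting task is rarely anything but an intrusion.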

Conclusion

To keep systems secure, configure and monitor scheduled tasks properly. Adversaries routinely use task scheduling to gain persistence and to automate malicious activity. Knowing the strategies attackers employ, and hunting for them with the event correlations described above, puts defenders in a far better position to detect abuse of scheduled tasks. Stay vigilant and make sure the tasks on your systems are the ones you expect.
