FalconFriday — Malicious Scheduled Tasks — 0xFF0B
Welcome to the first FalconFriday post of 2021. In this post we provide background on detecting malicious scheduled tasks with Microsoft Defender for Endpoint, and a query that can be used to automatically flag certain malicious scheduled tasks.

Malicious Scheduled Tasks

Blue: Attackers use scheduled tasks to leave behind a backdoor that triggers at a later time, i.e. for persistence (MITRE ATT&CK T1053.005). To identify malicious scheduled tasks, we need log data that actually describes the task, in particular what it runs, so that it can be analysed for potentially malicious content.

Obtaining the relevant data

While obtaining information on scheduled tasks may seem simple, what Microsoft Defender for Endpoint actually logs about them is quite limited.

The following ActionTypes are collected in the DeviceEvents table:

  • ScheduledTaskDeleted
  • ScheduledTaskUpdated
  • ScheduledTaskCreated

The information in these events is limited to the name of the scheduled task, found in the TaskName property of the AdditionalFields JSON column; no further details are recorded. Most importantly, the binary the task executes (its action) is not present in these events, so they tell you that a task was created, updated or deleted, but not what it does.

In order to obtain information on the binaries started by scheduled tasks, a different approach is required. Some research showed that processes launched by scheduled tasks have svchost.exe as their parent, and that the command line of that svchost.exe instance is always "-k netsvcs -p -s Schedule": the Task Scheduler service (Schedule) running in its own service host. Two caveats apply when you build on this: on older Windows versions (Windows 7 / 8.1) tasks are launched through an intermediate taskeng.exe process instead, and on hosts where svchost service splitting is not active (older Windows 10 builds, or systems with little RAM) the Schedule service shares a host with other netsvcs and the "-s Schedule" part is missing from the command line.

Using this mechanism we can catch scheduled tasks at the moment they execute, by querying the DeviceProcessEvents table for processes whose initiating (parent) process is svchost.exe with the command line parameters mentioned above.

This provides fully populated process-creation events containing the binary name, path, command line and all other relevant fields such as the SHA1 of the binary. With the hash available we can create a query that identifies scheduled tasks which execute binaries that might be malicious. The query identifies these potentially malicious binaries by looking for unsigned binaries with a low global prevalence in Microsoft Defender, meaning they are rarely observed across the environments running Microsoft Defender globally; both the signature state and the prevalence of a hash are available in advanced hunting through the FileProfile() enrichment function.
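As an added illustration of the approach described above (this is not the FalconForce query linked below, which may differ in its details), the following advanced hunting query selects processes whose parent is the Task Scheduler svchost.exe, enriches them with FileProfile() and keeps only binaries that are not validly signed and rarely seen. The lookback window, the prevalence threshold and the allow-listed path are assumptions and need tuning per environment.

```kusto
// Added example, not the query from the original post.
// Column names are those of the MDE DeviceProcessEvents table and the
// FileProfile() enrichment; thresholds and the allow-list are assumptions.
let lookback = 7d;                 // assumption: hunting window
let max_prevalence = 100;          // assumption: "rare" threshold, tune per environment
let allowed_paths = dynamic([      // assumption: hypothetical allow-list, full paths only
    @"C:\Program Files\ExampleVendor\agent.exe"
]);
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where InitiatingProcessFileName =~ "svchost.exe"
// match the Schedule service instance; "-s Schedule" is the stable part,
// the presence of "-p" depends on the Windows build
| where InitiatingProcessCommandLine contains "-s Schedule"
| where isnotempty(SHA1)
// FileProfile() adds GlobalPrevalence, Signer, SignatureState, IsCertificateValid
| invoke FileProfile(SHA1, 1000)
// anything other than a valid signature: Unsigned, SignedInvalid, Unknown
| where SignatureState != "SignedValid"
// a hash never seen globally yields an empty prevalence; treat that as rare
| where isempty(GlobalPrevalence) or GlobalPrevalence < max_prevalence
// allow-list on full path so a same-named binary elsewhere still alerts
| where FolderPath !in~ (allowed_paths)
| project Timestamp, DeviceName, AccountName, FileName, FolderPath,
    ProcessCommandLine, SHA1, Signer, SignatureState, GlobalPrevalence,
    InitiatingProcessCommandLine
| order by GlobalPrevalence asc
```

Keeping the allow-list on full paths (or, better, on SHA1) rather than on bare file names is what prevents the easy bypass of dropping a binary with an allow-listed name in a different directory.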

You can find this query here. Also check out all our other queries in the repo.

The query might return some false positives, such as developer systems running self-compiled binaries from a scheduled job. As always, the query requires customisation: some fine-tuning is needed to make sure the whitelist is accurate and doesn't allow for easy bypasses, so prefer whitelisting full paths or hashes over bare file names.

Red: When using scheduled tasks for persistence make sure not to directly schedule an untrusted binary as this eases detection by Blue teams.

Improvements

Below are some pointers on how to further improve this rule:

  • Another source of information on scheduled tasks is Windows Security event ID 4698 (A scheduled task was created) in the Windows Event Log, which is recorded when the "Audit Other Object Access Events" subcategory is enabled and contains the full task XML including its action; it can be forwarded to Azure Sentinel for analysis. We will come back to this in a later post.
  • An attacker could schedule a signed and trusted executable such as cmd.exe or another LOLBIN that in turn invokes the malicious code, so the binary started by the Task Scheduler itself is signed and highly prevalent and does not trip the rule.
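As an added example (not part of the original post) addressing the second point, the query below follows the process tree one level further: it first collects the processes the Task Scheduler service started that are well-known trusted hosts, then joins their child processes, so the payload behind a scheduled cmd.exe or powershell.exe becomes visible and can be run through the same signature and prevalence filter. The LOLBIN list, lookback window and prevalence threshold are assumptions to extend and tune per environment.

```kusto
// Added example, not from the original post: one extra hop down the process
// tree for tasks that schedule a trusted host binary instead of the payload.
// Assumes the same "-s Schedule" parent match as the detection above.
let lookback = 7d;                 // assumption: hunting window
let max_prevalence = 100;          // assumption: "rare" threshold
let lolbins = dynamic([            // assumption: hypothetical starting list, extend as needed
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "schtasks.exe"
]);
// trusted host processes started directly by the Task Scheduler service
let task_hosts = DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where InitiatingProcessFileName =~ "svchost.exe"
    | where InitiatingProcessCommandLine contains "-s Schedule"
    | where FileName in~ (lolbins)
    | project DeviceId,
        TaskHostPid = ProcessId,
        TaskHostCreated = ProcessCreationTime,
        TaskHost = FileName,
        TaskHostCommandLine = ProcessCommandLine;
// their children: whatever the trusted host actually launched.
// Join on PID plus creation time, since PIDs are reused.
DeviceProcessEvents
| where Timestamp > ago(lookback)
| join kind=inner task_hosts on DeviceId,
    $left.InitiatingProcessId == $right.TaskHostPid,
    $left.InitiatingProcessCreationTime == $right.TaskHostCreated
| where isnotempty(SHA1)
| invoke FileProfile(SHA1, 1000)
| where SignatureState != "SignedValid"
| where isempty(GlobalPrevalence) or GlobalPrevalence < max_prevalence
| project Timestamp, DeviceName, AccountName,
    TaskHost, TaskHostCommandLine,
    FileName, FolderPath, ProcessCommandLine, SHA1, SignatureState, GlobalPrevalence
| order by GlobalPrevalence asc
```

Even when the child is itself signed and common (for example a scheduled cmd.exe that runs a script through a second interpreter), the TaskHostCommandLine column exposes the script or file path the task points at, which is worth reviewing on its own.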
