Malicious Scheduled Tasks
Blue: Attackers can use scheduled tasks to leave behind a backdoor that triggers at a later time, giving them persistence. To identify malicious scheduled tasks, logging data is required that contains enough information on the task for it to be analysed for potentially malicious content.
Obtaining the relevant data
While it may seem simple to obtain information on scheduled tasks, the information logged by Microsoft Defender for Endpoint is quite limited.
The following events are collected in the DeviceEvents table:
- ScheduledTaskDeleted
- ScheduledTaskUpdated
- ScheduledTaskCreated
The information in these events is limited to the name of the scheduled task, located in the AdditionalFields.TaskName field; no additional information is available. Most importantly, the name of the binary being scheduled is not present in these events.
To obtain information on the binaries related to scheduled tasks, a different approach is required. Some research showed that scheduled tasks, when executed, have svchost as their parent process, and that the command line parameters of that svchost process are always “-k netsvcs -p -s Schedule”.
Using this mechanism, we can find scheduled tasks at the moment they execute by querying the DeviceProcessEvents table for processes initiated by svchost with the command line parameters mentioned above.
This provides fully populated log events containing the binary name and all the relevant fields, such as the SHA1 of the binary. Once we have this information, we can create a query that identifies scheduled tasks which execute binaries that might be malicious. The query identifies these potentially malicious binaries by looking for unsigned binaries with a low global prevalence in Microsoft Defender, meaning they are rarely observed across the environments running Microsoft Defender globally.
You can find this query here. Also, check out all our other queries in the repo.
The query might return some false positives, such as developer systems running self-compiled binaries from a scheduled job. As always, the query requires customisation: the whitelist needs fine-tuning to make sure it is accurate and doesn’t allow for easy bypasses.
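As an added example (not FalconForce's query from the repo), the detection logic described above applied in Python to a few constructed DeviceProcessEvents-style rows. The signature state and global prevalence fields mimic the FileProfile() enrichment available in advanced hunting, the hashes are placeholders, and binaries with an invalid signature are treated like unsigned ones (an assumption beyond the text).

```python
from dataclasses import dataclass

# Command line (lowercased) of the svchost.exe instance hosting the Task Scheduler service.
SCHEDULE_SVCHOST_CMDLINE = "-k netsvcs -p -s schedule"


@dataclass(frozen=True)
class ProcessEvent:
    """Subset of DeviceProcessEvents columns plus FileProfile()-style enrichment."""
    device_name: str
    folder_path: str
    sha1: str
    initiating_process_file_name: str
    initiating_process_command_line: str
    signature_state: str    # "SignedValid", "SignedInvalid", "Unsigned" or "Unknown"
    global_prevalence: int  # devices worldwide on which this hash was observed


def is_scheduled_task_execution(ev: ProcessEvent) -> bool:
    """True when the process was started by the Task Scheduler svchost instance."""
    return (ev.initiating_process_file_name.lower() == "svchost.exe"
            and ev.initiating_process_command_line.lower().rstrip()
                .endswith(SCHEDULE_SVCHOST_CMDLINE))


def find_suspicious_scheduled_tasks(events, allowlist_sha1=frozenset(), max_prevalence=100):
    """Return (device, path, sha1) for scheduled-task children that are unsigned
    (or carry an invalid signature), rarely seen globally and not allowlisted."""
    hits = []
    for ev in events:
        if not is_scheduled_task_execution(ev):
            continue                       # not launched by the Schedule service
        if ev.signature_state not in ("Unsigned", "SignedInvalid"):
            continue                       # signed binaries are out of scope for this rule
        if ev.global_prevalence > max_prevalence or ev.sha1 in allowlist_sha1:
            continue                       # common worldwide, or explicitly whitelisted
        hits.append((ev.device_name, ev.folder_path, ev.sha1))
    return hits


# Constructed sample events (not real telemetry); sha1 values are placeholders.
SCHED = r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule"
SAMPLE_EVENTS = [
    ProcessEvent("WS01", r"C:\Windows\System32\cmd.exe", "aa" * 20, "svchost.exe", SCHED, "SignedValid", 50_000_000),
    ProcessEvent("WS02", r"C:\Users\Public\updater.exe", "bb" * 20, "svchost.exe", SCHED, "Unsigned", 2),
    ProcessEvent("DEV01", r"C:\build\nightly.exe", "cc" * 20, "svchost.exe", SCHED, "Unsigned", 1),
    ProcessEvent("WS03", r"C:\Tools\other.exe", "dd" * 20, "explorer.exe", r"C:\Windows\explorer.exe", "Unsigned", 1),
    ProcessEvent("WS04", r"C:\Tools\bits.exe", "ee" * 20, "svchost.exe", r"C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS", "Unsigned", 1),
]
DEV_ALLOWLIST = frozenset({"cc" * 20})  # self-compiled build tooling on the developer system

if __name__ == "__main__":
    for hit in find_suspicious_scheduled_tasks(SAMPLE_EVENTS, DEV_ALLOWLIST):
        print("suspicious scheduled task binary:", hit)
```

Note that the signed cmd.exe launch on WS01 is not flagged, which is exactly the gap described under Improvements below.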
Red: When using scheduled tasks for persistence make sure not to directly schedule an untrusted binary as this eases detection by Blue teams.
Improvements
Below are some pointers on how to further improve this rule:
- Another source of information for scheduled tasks is available from Windows Event 4698 in the Windows Event Log that can be forwarded to Azure Sentinel for analysis. We will come back to this in a later post.
- An attacker could schedule a signed and trusted executable such as cmd.exe or a LOLBIN to invoke the malicious code.