
Cybercriminals utilize prearranged Windows tasks for covert and continuous presence on targeted systems

Uncovering the strategies of cyber assailants: Delve into the risky realm of malevolent Windows tasks, revealing their inner workings and potential threats.

Windows cybercriminals maintain covert presence by arranging scheduled tasks

In the ever-evolving landscape of cyber threats, a familiar technique continues to pose a significant risk: the use of scheduled tasks. Scheduled tasks automate the execution of programs, scripts, or commands and are a built-in feature of every modern Windows system, which is exactly what makes them attractive to attackers.

Attackers don't always create new tasks; they can also modify existing ones to better blend in. These tasks can be hidden in various locations, such as C:\windows\tasks, C:\windows\system32\tasks, C:\windows\system32\config\SOFTWARE, and %localappdata%\Microsoft\Windows\PowerShell\ScheduledJobs.

One method for creating a task using PowerShell involves the "Get-WmiObject" cmdlet and WMI (Windows Management Instrumentation). Another approach is through command line invocation, using the "schtasks.exe" utility. For instance, a task might be created that runs every 5 minutes, has the name "TelemetryUpdater", is located at C:\Windows\System32\Tasks\Microsoft\Windows\Update, and uses the command line containing parameters like , , , , , , and .

The execution of these tasks can serve not only as a persistent foothold but also as a launch mechanism for further attacks. In recent months, ransomware groups have used scheduled tasks on Windows systems to deploy ransomware by remotely triggering the malware on hundreds of systems simultaneously.

Command line monitoring and process tracking are important for identifying the creation of scheduled tasks. The TaskScheduler/Operational event log records when a task was created, who created it, what action it performs, what triggers it, and the full task definition. Within that log, Event ID 106 shows task registration, 140 shows updates, and 141 shows deletions.

However, local logs can be manipulated, so it is crucial to forward them to a central store and to rely on EDR/Sysmon telemetry for resilience. Organizations should define a baseline of the scheduled tasks that normally exist so that deviations stand out quickly. For example, a task whose action points to a binary in a non-standard directory, such as C:\ProgramData\ or C:\Users\Public\, is suspicious.

Persistence is a common goal in incidents, with scheduled tasks being an established method alongside registry values, autostart entries, and services. Short, repetitive intervals, such as every five minutes, and the origin of creation - via schtasks, PowerShell, WMI, or directly in the task scheduler - provide important clues.

The file format for scheduled tasks is a common XML format that describes the trigger, action, principal (user or permissions), and some other information. The "Repetition" element in a scheduled task file specifies the interval between each restart of the task. The interval uses the ISO 8601 duration notation, described as PDTMS: P marks the start of a period (years, months, days), D stands for days, T is the time separator, and the hours, minutes, and seconds that follow are marked by H, M, and S. A task that repeats every five minutes, for instance, carries an interval of PT5M.
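The following is an added example, not code from the original article: a small Python triage script that applies the checks described above to a task definition file. It parses the Task Scheduler XML, converts the "Repetition" interval from the PDTMS notation into seconds, compares the task URI against an allow-list baseline, and flags actions whose binary lives in C:\ProgramData\ or C:\Users\Public\. The sample task XML embedded in the script is constructed for the example (it is modelled on the TelemetryUpdater task mentioned earlier, but the author and paths are invented), and the 15-minute threshold for "short" intervals is an assumption chosen for illustration, not a value from the article.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler task definition files.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Directories the article calls out as unusual homes for task binaries.
SUSPICIOUS_DIRS = ("c:\\programdata\\", "c:\\users\\public\\")

# Assumption for this example: anything repeating more often than every
# 15 minutes is flagged for review.
SHORT_INTERVAL_SECONDS = 15 * 60

# ISO 8601 duration as used in <Interval>: P[nY][nM][nD][T[nH][nM][nS]]
DURATION_RE = re.compile(
    r"^P(?:(?P<years>\d+)Y)?(?:(?P<months>\d+)M)?(?:(?P<days>\d+)D)?"
    r"(?:T(?:(?P<hours>\d+)H)?(?:(?P<minutes>\d+)M)?(?:(?P<seconds>\d+)S)?)?$"
)

# Constructed sample task definition (not taken from a real system). Real task
# files are UTF-16 on disk; decode them before passing the text in here.
SAMPLE_TASK_XML = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Author>EXAMPLE\user</Author>
    <URI>\Microsoft\Windows\Update\TelemetryUpdater</URI>
  </RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <Repetition>
        <Interval>PT5M</Interval>
        <StopAtDurationEnd>false</StopAtDurationEnd>
      </Repetition>
      <StartBoundary>2024-01-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-18</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Actions Context="Author">
    <Exec>
      <Command>C:\ProgramData\updater.exe</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>
"""


def duration_to_seconds(value):
    """Convert a PDTMS-style duration such as PT5M or P1DT2H into seconds.

    Years and months are approximated (365 and 30 days): the result is only
    used for coarse triage, not for calendar arithmetic.
    """
    text = value.strip()
    match = DURATION_RE.match(text)
    if not match or text in ("P", "PT"):
        raise ValueError("not an ISO 8601 duration: %r" % value)
    n = {k: int(v) if v else 0 for k, v in match.groupdict().items()}
    return (n["years"] * 365 * 86400 + n["months"] * 30 * 86400
            + n["days"] * 86400 + n["hours"] * 3600
            + n["minutes"] * 60 + n["seconds"])


def analyze_task(xml_text, baseline_uris):
    """Return the task URI and a list of human-readable findings."""
    root = ET.fromstring(xml_text)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=TASK_NS)
    findings = []

    # Baseline check: every task should be known, or it needs an explanation.
    if uri not in baseline_uris:
        findings.append("task %s is not in the approved baseline" % (uri or "<no URI>"))

    # Repetition interval on any trigger type (TimeTrigger, CalendarTrigger, ...).
    for interval in root.iterfind(".//t:Repetition/t:Interval", TASK_NS):
        seconds = duration_to_seconds(interval.text or "")
        if seconds < SHORT_INTERVAL_SECONDS:
            findings.append("repeats every %ds (%s)" % (seconds, interval.text))

    # Action check: binaries in user-writable, non-standard directories.
    for exec_node in root.iterfind(".//t:Actions/t:Exec", TASK_NS):
        command = exec_node.findtext("t:Command", default="", namespaces=TASK_NS)
        command = command.strip().strip('"')
        if command.lower().startswith(SUSPICIOUS_DIRS):
            findings.append("action runs binary from non-standard directory: %s" % command)

    # Principal check: S-1-5-18 is LocalSystem; HighestAvailable requests elevation.
    principal = root.find(".//t:Principals/t:Principal", TASK_NS)
    if principal is not None:
        user = principal.findtext("t:UserId", default="", namespaces=TASK_NS)
        level = principal.findtext("t:RunLevel", default="", namespaces=TASK_NS)
        if user == "S-1-5-18" or level == "HighestAvailable":
            findings.append("runs with elevated principal (UserId=%s, RunLevel=%s)" % (user, level))

    return {"uri": uri, "findings": findings}


if __name__ == "__main__":
    # Constructed baseline: the sample task is deliberately absent from it.
    baseline = {r"\Microsoft\Windows\Defrag\ScheduledDefrag"}
    result = analyze_task(SAMPLE_TASK_XML, baseline)
    print(result["uri"])
    for finding in result["findings"]:
        print(" -", finding)
```

In practice the script would be fed every file under C:\Windows\System32\Tasks (decoded from UTF-16) together with the organisation's own baseline of task URIs; the four checks correspond to the clues the article lists: an unknown task, a short repetition interval, a binary outside the usual system directories, and a principal that runs with more privilege than the task's stated purpose needs.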

In conclusion, understanding the use of scheduled tasks in cyber attacks is crucial for maintaining the security of modern Windows systems. By monitoring for unusual activities, defining a baseline for normal scheduled tasks, and leveraging tools like EDR and Sysmon, organizations can stay vigilant against these persistent threats.
